Security update: Synapse 0.32.0

Folks, Synapse 0.32.0 is an important security update: please upgrade as soon as you can.

The release focuses on security; fixing several federation bugs and adding new features for countering abuse. Notably it includes the ability to blacklist & whitelist servers allowed to send events to a room on a per-room basis via the new m.room.server_acl state event: see MSC1383 for details.  This also closes out https://github.com/matrix-org/matrix-doc/issues/709 – one of our oldest feature requests from users who wish to be able to limit the servers allowed to participate in a given room.

It’s important to understand that server ACLs only work if all the servers participating in the room honour them.  In future this will be handled better (as part of ongoing work in making it easier to incrementally version and upgrade the federation protocol).  This means that for the ACLs to work, any servers which don’t yet implement ACLs (e.g. older Synapses) have to be ACL’d from the room for the access control to work.  Therefore please upgrade as soon as possible to avoid this problem.

This ongoing flurry of security work is in general all part of moving towards the long-awaited stable release of the Server-Server API. In parallel we’ve been working on the other main outstanding point: State Resets (i.e. scenarios where you get unexpected results when resolving conflicts between different servers’ copies of a room).  There will be a few more major changes and upgrades on the horizon as we fix these, but then we’ll finally be able to cut an r0 release of the Server-Server API and Matrix will be one massive step closer to being out of beta!

As always, you can get the new update from https://github.com/matrix-org/synapse/releases/tag/v0.32.1 or any of the sources mentioned at https://github.com/matrix-org/synapse.

Changes in synapse v0.32.0 (2018-07-06)

No changes since 0.32.0rc1

Synapse 0.32.0rc1 (2018-07-05)

 

Features

  • Add blacklist & whitelist of servers allowed to send events to a
    room via m.room.server_acl event. (merge)
  • Cache factor override system for specific caches (#3334)
  • Add metrics to track appservice transactions (#3344)
  • Try to log more helpful info when a sig verification fails
    (#3372)
  • Synapse now uses the best performing JSON encoder/decoder according
    to your runtime (simplejson on CPython, stdlib json on PyPy).
    (#3462)
  • Add optional ip_range_whitelist param to AS registration files to
    lock AS IP access (#3465)
  • Reject invalid server names in federation requests (#3480)
  • Reject invalid server names in homeserver.yaml (#3483)

Bugfixes

  • Strip access_token from outgoing requests (#3327)
  • Redact AS tokens in logs (#3349)
  • Fix federation backfill from SQLite servers (#3355)
  • Fix event-purge-by-ts admin API (#3363)
  • Fix event filtering in get_missing_events handler (#3371)
  • Synapse is now stricter regarding accepting events which it cannot
    retrieve the prev_events for. (#3456)
  • Fix bug where synapse would explode when receiving unicode in HTTP
    User-Agent header (#3470)
  • Invalidate cache on correct thread to avoid race (#3473)

Improved Documentation

Deprecations and Removals

  • Remove was_forgotten_at (#3324)

Misc

Security update: Synapse 0.31.2

Hi all,

On Monday (2018-06-11) we had an incident where #matrix:matrix.org was hijacked by a malicious user pretending to join the room immediately after its creation in 2014 and then setting an m.room.power_levels event ‘before’ the correct initial power_level for the room.

Under normal circumstances this should be impossible because the initial m.room.power_levels for a room should be set before its m.room.join_rules event, meaning users who join the room are subject to its power levels. However, back before we’d even released Synapse, the first two rooms ever created in Matrix (#test:matrix.org and #matrix:matrix.org) were manually created and set the join_rules before the power_levels event, letting users join before the room’s power_levels were defined, and so were vulnerable to this attack. We’ve since re-created #matrix:matrix.org – please re-/join the room if you haven’t already!

As a defensive measure, we are releasing a security update of Synapse (0.31.2) today which changes the rules used to authenticate power_level events, such that we fail-safe rather than fail-deadly if the existing auth mechanisms fail. In practice this means changing the default power level required to set state to be 50 rather than 0 if there is no power_levels event present, thus meaning that only the room creator can set the initial power_levels event.

We are not aware of anyone abusing this (other than the old #matrix:matrix.org room) but we’d rather be safe than sorry, so would recommend that everyone upgrade as soon as possible.

This of course constitutes a change to the spec, so full technical details and ongoing discussion around the Matrix Spec Change proposal can be followed over at MSC1304.

EDIT: if you are aware of your server participating in rooms whose first power_levels event is deliberately set by a different user to their creator, please let us know asap (and don’t upgrade!)

This work is all part of a general push to finalise and harden and fully specify the Server-Server API as we push towards a long-awaited stable release of Matrix!

As always, you can get the new update from https://github.com/matrix-org/synapse/releases/tag/v0.31.2 or from any of the sources mentioned at https://github.com/matrix-org/synapse.

thanks, and apologies for the inconvenience.

Changes in synapse v0.31.2 (2018-06-14)

SECURITY UPDATE: Prevent unauthorised users from setting state events in a room when there is no m.room.power_levels event in force in the room. (PR #3397)

Discussion around the Matrix Spec change proposal for this change can be followed at https://github.com/matrix-org/matrix-doc/issues/1304.

Synapse 0.31.1 Released!

Folks,

v0.31.1 fixes a security bug in the “get_missing_events“ federation API where event visibility rules were not applied correctly.

We are not aware of it being actively exploited but please upgrade asap.

Sorry for the inconvenience, Synapse and the Matrix spec are still in beta and we still ironing out gaps such as this one.

You can get the release here.

Changes in synapse v0.31.1 (2018-06-08)

v0.31.1 fixes a security bug in the get_missing_events federation API
where event visibility rules were not applied correctly.

We are not aware of it being actively exploited but please upgrade asap.

Bug Fixes:

  • Fix event filtering in get_missing_events handler (PR #3371)

Synapse v0.31.0 released!

Good people, it’s release time.

With the core team focusing on upcoming performance work and GDPR management tooling, v0.31.0 is most notable for improvements to system stats. Additionally, work continues on our py3 port and a host of small bug fixes and perf improvements.

Get it now from https://github.com/matrix-org/synapse/releases/tag/v0.31.0

Changes in synapse v0.31.0 (2018-06-06)

Most notable change from v0.30.0 is to switch to python prometheus library to improve system stats reporting. WARNING this changes a number of prometheus metrics in a backwards-incompatible manner. For more details, seedocs/metrics-howto.rst

Bug Fixes:

  • Fix metric documentation tables (PR #3341)
  • Fix LaterGuage error handling (694968f)
  • Fix replication metrics (b7e7fd2)

Changes in synapse v0.31.0-rc1 (2018-06-04)

Features:

  • Switch to the Python Prometheus library (PR #3256#3274)
  • Let users leave the server notice room after joining (PR #3287)

Changes:

  • daily user type phone home stats (PR #3264)
  • Use iter* methods for _filter_events_for_server (PR #3267)
  • Docs on consent bits (PR #3268)
  • Remove users from user directory on deactivate (PR #3277)
  • Avoid sending consent notice to guest users (PR #3288)
  • disable CPUMetrics if no /proc/self/stat (PR #3299)
  • Add local and loopback IPv6 addresses to url_preview_ip_range_blacklist (PR #3312) Thanks to @thegcat!
  • Consistently use six’s iteritems and wrap lazy keys/values in list() if they’re not meant to be lazy (PR #3307)
  • Add private IPv6 addresses to example config for url preview blacklist (PR #3317) Thanks to @thegcat!
  • Reduce stuck read-receipts: ignore depth when updating (PR #3318)
  • Put python’s logs into Trial when running unit tests (PR #3319)

Changes, python 3 migration:

Bugs:

  • Fix federation backfill bugs (PR #3261)
  • federation: fix LaterGauge usage (PR #3328) Thanks to @intelfx!

Synapse v0.30.0 released today!

It’s release o’clock – GDPR time!!!!

v0.30.0 sees the introduction of Server Notices, which provides a channel whereby server administrators can send messages to users on the server, as well as Consent Management for tracking whether users have agreed to the terms and conditions set by the administrator of a server – and blocking access to the server until they have.

In conjunction these features support GDPR compliance in the form of providing a client agnostic means to contact users and ask for consent/agreement to a Privacy Notice.

For more information about our approach to GDPR compliance take a look here (although be aware that our position has evolved a bit; see the upcoming new privacy policy for the Matrix.org homeserver for details).

Additionally there are a host of bug fixes and refactors as well as an enhancement to our Dockerfile.

Get it now from https://github.com/matrix-org/synapse/releases/tag/v0.30.0

Changes in synapse v0.30.0 (2018-05-24)

‘Server Notices’ are a new feature introduced in Synapse 0.30. They provide a
channel whereby server administrators can send messages to users on the server.

They are used as part of communication of the server policies (see Consent Tracking),
however the intention is that they may also find a use for features such
as “Message of the day”.

This feature is specific to Synapse, but uses standard Matrix communication mechanisms,
so should work with any Matrix client. For more details see here

Further Server Notices/Consent Tracking Support:

  • Allow overriding the server_notices user’s avatar (PR #3273)
  • Use the localpart in the consent uri (PR #3272)
  • Support for putting %(consent_uri)s in messages (PR #3271)
  • Block attempts to send server notices to remote users (PR #3270)
  • Docs on consent bits (PR #3268)

Changes in synapse v0.30.0-rc1 (2018-05-23)

GDPR Support:

  • ConsentResource to gather policy consent from users (PR #3213)
  • Move RoomCreationHandler out of synapse.handlers.Handlers (PR #3225)
  • Infrastructure for a server notices room (PR #3232)
  • Send users a server notice about consent (PR #3236)
  • Reject attempts to send event before privacy consent is given (PR #3257)
  • Add a ‘has_consented’ template var to consent forms (PR #3262)
  • Fix dependency on jinja2 (PR #3263)

Features:

  • Cohort analytics (PR #3163#3241#3251)
  • Add lxml to docker image for web previews (PR #3239) Thanks to @ptman!
  • Add in flight request metrics (PR #3252)

Changes:

  • Remove unused update_external_syncs (PR #3233)
  • Use stream rather depth ordering for push actions (PR #3212)
  • Make purge_history operate on tokens (PR #3221)
  • Don’t support limitless pagination (PR #3265)

Bug Fixes:

  • Fix logcontext resource usage tracking (PR #3258)
  • Fix error in handling receipts (PR #3235)
  • Stop the transaction cache caching failures (PR #3255)

Synapse 0.29.1 Released!

It’s release time people, not to be outdone by our friends on the Riot web team, Synapse v0.29.1 lands today.

v0.29.1 contains an officially supported docker image (many thanks to the contribution from @kaiyou), continued progress towards Python 3 (thanks to @NotAFile) – as well as a heap of refactorings and bug fixes.

Something worth noting is a potentially breaking change in the error code that /login returns in the Client Server API. Details follow, but the change closes a gap between Synapse behaviour and the spec.

We’d like to give huge thanks to Silvio Fricke and Andreas Peters for writing and maintaining Synapse’s first Dockerfile, as well as allmende, jcgruenhage, ptman, and ilianaw for theirs!  The new Dockerfile from kaiyou has ended up being merged into the main synapse tree and we’re going to try to maintain it going forwards, but folks should use whichever one they prefer.

You can pick it up from https://github.com/matrix-org/synapse/releases/tag/v0.29.1 and thanks to everyone who tested the release candidate.

Changes in synapse v0.29.1 (2018-05-17)

Changes:

  • Update docker documentation (PR #3222)

Changes in synapse v0.29.0 (2018-05-16)

No changes since v0.29.0-rc1

Changes in synapse v0.29.0-rc1 (2018-05-14)

Potentially breaking change:

  • Make Client-Server API return 401 for invalid token (PR #3161).This changes the Client-server spec to return a 401 error code instead of 403 when the access token is unrecognised. This is the behaviour required by the specification, but some clients may be relying on the old, incorrect behaviour.Thanks to @NotAFile for fixing this.

Features:

  • Add a Dockerfile for synapse (PR #2846) Thanks to @kaiyou!

Changes – General:

  • nuke-room-from-db.sh: added postgresql option and help (PR #2337) Thanks to @rubo77!
  • Part user from rooms on account deactivate (PR #3201)
  • Make ‘unexpected logging context’ into warnings (PR #3007)
  • Set Server header in SynapseRequest (PR #3208)
  • remove duplicates from groups tables (PR #3129)
  • Improve exception handling for background processes (PR #3138)
  • Add missing consumeErrors to improve exception handling (PR #3139)
  • reraise exceptions more carefully (PR #3142)
  • Remove redundant call to preserve_fn (PR #3143)
  • Trap exceptions thrown within run_in_background (PR #3144)

Changes – Refactors:

  • Refactor /context to reuse pagination storage functions (PR #3193)
  • Refactor recent events func to use pagination func (PR #3195)
  • Refactor pagination DB API to return concrete type (PR #3196)
  • Refactor get_recent_events_for_room return type (PR #3198)
  • Refactor sync APIs to reuse pagination API (PR #3199)
  • Remove unused code path from member change DB func (PR #3200)
  • Refactor request handling wrappers (PR #3203)
  • transaction_id, destination defined twice (PR #3209) Thanks to @damir-manapov!
  • Refactor event storage to prepare for changes in state calculations (PR #3141)
  • Set Server header in SynapseRequest (PR #3208)
  • Use deferred.addTimeout instead of time_bound_deferred (PR #3127#3178)
  • Use run_in_background in preference to preserve_fn (PR #3140)

Changes – Python 3 migration:

Bug Fixes:

  • synapse fails to start under Twisted >= 18.4 (PR #3157) Thanks to @Half-Shot!
  • Fix a class of logcontext leaks (PR #3170)
  • Fix a couple of logcontext leaks in unit tests (PR #3172)
  • Fix logcontext leak in media repo (PR #3174)
  • Escape label values in prometheus metrics (PR #3175#3186)
  • Fix ‘Unhandled Error’ logs with Twisted 18.4 (PR #3182) Thanks to @Half-Shot!
  • Fix logcontext leaks in rate limiter (PR #3183)
  • notifications: Convert next_token to string according to the spec (PR #3190) Thanks to @mujx!
  • nuke-room-from-db.sh: fix deletion from search table (PR #3194) Thanks to @rubo77!
  • add guard for None on purge_history api (PR #3160) Thanks to @krombel!

SECURITY UPDATE: Synapse 0.28.1

Hi all,

Many people will have noticed disruption in #matrix:matrix.org and #matrix-dev:matrix.org on Sunday, when a validation bug in Synapse was exploited which allowed a malicious event to be inserted into the room with ‘depth’ value that made the rooms temporarily unusable. Whilst a transient workaround was found at the time (thanks to /dev/ponies, kythyria and Po Shamil for the workaround and to Half-Shot for working on a proposed fix), we’re doing an urgent release of Synapse 0.28.1 to provide a temporary solution which will mitigate the attack across all rooms in upgraded servers and un-break affected ones.  Meanwhile we have a full long-term fix on the horizon (hopefully) later this week.

This vulnerability has already been exploited in the wild; please upgrade as soon as possible.

Synapse 0.28.1 is available from https://github.com/matrix-org/synapse/releases/tag/v0.28.1 as normal.

The ‘depth’ parameter is used primarily as a way for servers to signal the intended cosmetic order of their events within a room (particularly when the room’s message graph has gaps in it due to the server being offline, or due to users backfilling old disconnected chunks of conversation). This means that affected rooms may experience message ordering problems until a full long-term fix is provided, which we’re working on currently (and tentatively involves no longer trusting ‘depth’ information from servers).  For full details you can see the proposal documents for the temporary fix in 0.28.1 and the options for the imminent long-term fix.

We’d like to acknowledge jzk for identifying the vulnerability, and Max Dor for providing feedback on the fixes.

As a general reminder, Synapse is still beta (as is the Matrix spec) and the federation API particularly is still being debugged and refined and is pre-r0.0.0. For the benefit of the whole community, please disclose vulnerabilities and exploits responsibly by emailing [email protected] or DMing someone from +matrix:matrix.org. Thanks.

Changes in synapse v0.28.1 (2018-05-01)

SECURITY UPDATE

  • Clamp the allowed values of event depth received over federation to be [0, 2^63 – 1]. This mitigates an attack where malicious events injected with depth = 2^63 – 1 render rooms unusable. Depth is used to determine the cosmetic ordering of events within a room, and so the ordering of events in such a room will default to using stream_ordering rather than depth (topological_ordering). This is a temporary solution to mitigate abuse in the wild, whilst a long solution is being implemented to improve how the depth parameter is used.Full details at https://docs.google.com/document/d/1I3fi2S-XnpO45qrpCsowZv8P8dHcNZ4fsBsbOW7KABI
  • Pin Twisted to <18.4 until we stop using the private _OpenSSLECCurve API.

Synapse 0.28.0 Released!

Well now, today sees the release of Synapse 0.28.0!

This release is particularly exciting as it’s a major bump mainly thanks to lots and lots of contributions from the wider community – including support for running Synapse on PyPy (thanks Valodim) and lots of progress towards official Python3 support (thanks notafile)!! However, almost all the changes are under the hood (and some are quite major), so this is more a performance, bugfix and synapse internals release rather than adding many new APIs or features

As always, you can get it from https://github.com/matrix-org/synapse/releases/tag/v0.28.0 and thanks to everyone who tested the release candidates.

Changes in synapse v0.28.0 (2018-04-26)

Bug Fixes:

  • Fix quarantine media admin API and search reindex (PR #3130)
  • Fix media admin APIs (PR #3134)

Changes in synapse v0.28.0-rc1 (2018-04-24)

Minor performance improvement to federation sending and bug fixes.

(Note: This release does not include state resolutions discussed in matrix live)

Features:

  • Add metrics for event processing lag (PR #3090)
  • Add metrics for ResponseCache (PR #3092)

Changes:

  • Synapse on PyPy (PR #2760) Thanks to @Valodim!
  • move handling of auto_join_rooms to RegisterHandler (PR #2996) Thanks to @krombel!
  • Improve handling of SRV records for federation connections (PR #3016) Thanks to @silkeh!
  • Document the behaviour of ResponseCache (PR #3059)
  • Preparation for py3 (PR #3061#3073#3074#3075#3103#3104#3106#3107#3109#3110) Thanks to @NotAFile!
  • update prometheus dashboard to use new metric names (PR #3069) Thanks to @krombel!
  • use python3-compatible prints (PR #3074) Thanks to @NotAFile!
  • Send federation events concurrently (PR #3078)
  • Limit concurrent event sends for a room (PR #3079)
  • Improve R30 stat definition (PR #3086)
  • Send events to ASes concurrently (PR #3088)
  • Refactor ResponseCache usage (PR #3093)
  • Clarify that SRV may not point to a CNAME (PR #3100) Thanks to @silkeh!
  • Use str(e) instead of e.message (PR #3103) Thanks to @NotAFile!
  • Use six.itervalues in some places (PR #3106) Thanks to @NotAFile!
  • Refactor store.have_events (PR #3117)

Bug Fixes:

  • Return 401 for invalid access_token on logout (PR #2938) Thanks to @dklug!
  • Return a 404 rather than a 500 on rejoining empty rooms (PR #3080)
  • fix federation_domain_whitelist (PR #3099)
  • Avoid creating events with huge numbers of prev_events (PR #3113)
  • Reject events which have lots of prev_events (PR #3118)

 

Synapse 0.27.3 released!

Today we release Synapse 0.27.3!

Hot on the heels of 0.27.2, notable changes include API support for joining groups/communities as well as a major bug fix (#3082), that is particularly important for those upgrading for the first time in a while. Also new metrics and phone home stats. Phone home stats include better visibility of system usage so we can have a better idea of how synapse’s RAM and CPU is behaving in the wild. Also, recording the number of users on the server who have been using it for at least 30 days.

Phone home stats are entirely optional and can be enabled/disabled by setting “report_stats” in homeserver.yaml. Please consider enabling phone home stats if you currently have not done so – this data is really important to us in improving Matrix as a whole (and justifying future funding for Matrix.org).

As always, you can get it from https://github.com/matrix-org/synapse/releases/tag/v0.27.3 and thanks to everyone who tested the release candidates.

Changes in synapse v0.27.3 (2018-04-11)

Bug fixes:

  • URL quote path segments over federation (#3082)

Changes in synapse v0.27.3-rc2 (2018-04-09)

v0.27.3-rc1 used a stale version of the develop branch so the changelog overstates
the functionality. v0.27.3-rc2 is up to date, rc1 should be ignored.

Changes in synapse v0.27.3-rc1 (2018-04-09)

Notable changes include API support for joinability of groups. Also new metrics
and phone home stats. Phone home stats include better visibility of system usage
so we can tweak synpase to work better for all users rather than our own experience
with matrix.org. Also, recording ‘r30’ stat which is the measure we use to track
overal growth of the Matrix ecosystem. It is defined as:-

Counts the number of native 30 day retained users, defined as:-
* Users who have created their accounts more than 30 days
* Where last seen at most 30 days ago
* Where account creation and last_seen are > 30 days”

Features:

  • Add joinability for groups (PR #3045)
  • Implement group join API (PR #3046)
  • Add counter metrics for calculating state delta (PR #3033)
  • R30 stats (PR #3041)
  • Measure time it takes to calculate state group ID (PR #3043)
  • Add basic performance statistics to phone home (PR #3044)
  • Add response size metrics (PR #3071)
  • phone home cache size configurations (PR #3063)

Changes:

  • Add a blurb explaining the main synapse worker (PR #2886) Thanks to @turt2live!
  • Replace old style error catching with ‘as’ keyword (PR #3000) Thanks to @NotAFile!
  • Use .iter* to avoid copies in StateHandler (PR #3006)
  • Linearize calls to _generate_user_id (PR #3029)
  • Remove last usage of ujson (PR #3030)
  • Use simplejson throughout (PR #3048)
  • Use static JSONEncoders (PR #3049)
  • Remove uses of events.content (PR #3060)
  • Improve database cache performance (PR #3068)

Bug fixes:

  • Add room_id to the response of rooms/{roomId}/join (PR #2986) Thanks to @jplatte!
  • Fix replication after switch to simplejson (PR #3015)
  • Fix replication after switch to simplejson (PR #3015)
  • 404 correctly on missing paths via NoResource (PR #3022)
  • Fix error when claiming e2e keys from offline servers (PR #3034)
  • fix tests/storage/test_user_directory.py (PR #3042)
  • use PUT instead of POST for federating groups/m.join_policy (PR #3070) Thanks to @krombel!
  • postgres port script: fix state_groups_pkey error (PR #3072)

Synapse 0.27 released!

We released Synapse v0.27.2 today (the first stable release in the 0.27.x series) – it contains loads of work since Synapse v0.26 back in January.  The main highlights are:

  • All the perf improvements which we’ve been landing as we race to keep the matrix.org homeserver in the face of ever-expanding traffic levels over the last few months
  • Support for custom storage providers for media repository.
  • Ability to limit the email addresses allowed to register on your HS, and ability to limit the homeservers your homeserver is allowed to federate with
  • All new purge API – letting you purge history by date as well as by event (and having a nice new async way of doing it)
  • Make search work again!!! (by switching from GIST to GIN indexes)

And a few release notes worth calling out:

  • The common case for running Synapse is not to run separate workers, but for those that do, be aware that synctl no longer starts the main synapse when using -a option with workers. A new worker file should be added with worker_app: synapse.app.homeserver.
  • This release also begins the process of renaming a number of the metrics reported to prometheus. See docs/metrics-howto.rst 
    Note that the v0.28.0 release will remove the deprecated metric names.

As always, you can get it from https://github.com/matrix-org/synapse/releases/tag/v0.27.2

 

thanks for flying Matrix!

Changes in synapse v0.27.2 (2018-03-26)

Bug fixes:

  • Fix bug which broke TCP replication between workers (PR #3015)

Changes in synapse v0.27.1 (2018-03-26)

Meta release as v0.27.0 temporarily pointed to the wrong commit

Changes in synapse v0.27.0 (2018-03-26)

No changes since v0.27.0-rc2

Changes in synapse v0.27.0-rc2 (2018-03-19)

Pulls in v0.26.1

Bug fixes:

  • Fix bug introduced in v0.27.0-rc1 that causes much increased memory usage in state cache (PR #3005)

Changes in synapse v0.27.0-rc1 (2018-03-14)

The common case for running Synapse is not to run separate workers, but for those that do, be aware that synctl no longer starts the main synapse when using -a option with workers. A new worker file should be added with worker_app: synapse.app.homeserver.

This release also begins the process of renaming a number of the metrics
reported to prometheus. See docs/metrics-howto.rst <docs/metrics-howto.rst#block-and-response-metrics-renamed-for-0-27-0>_.
Note that the v0.28.0 release will remove the deprecated metric names.

Features:

  • Add ability for ASes to override message send time (PR #2754)
  • Add support for custom storage providers for media repository (PR #2867#2777#2783#2789#2791#2804#2812#2814#2857#2868#2767)
  • Add purge API features, see docs/admin_api/purge_history_api.rst <docs/admin_api/purge_history_api.rst>_ for full details (PR #2858#2867#2882#2946#2962#2943)
  • Add support for whitelisting 3PIDs that users can register. (PR #2813)
  • Add /room/{id}/event/{id} API (PR #2766)
  • Add an admin API to get all the media in a room (PR #2818) Thanks to @turt2live!
  • Add federation_domain_whitelist option (PR #2820#2821)

Changes:

Bug fixes:

  • Fix broken ldap_config config option (PR #2683) Thanks to @seckrv!
  • Fix error message when user is not allowed to unban (PR #2761) Thanks to @turt2live!
  • Fix publicised groups GET API (singular) over federation (PR #2772)
  • Fix user directory when using user_directory_search_all_users config option (PR #2803#2831)
  • Fix error on /publicRooms when no rooms exist (PR #2827)
  • Fix bug in quarantine_media (PR #2837)
  • Fix url_previews when no Content-Type is returned from URL (PR #2845)
  • Fix rare race in sync API when joining room (PR #2944)
  • Fix slow event search, switch back from GIST to GIN indexes (PR #2769#2848)