automation: Update matrix-synapse Docker tag to v1.41.1
This MR contains the following updates:
Package | Update | Change |
---|---|---|
matrix-synapse | patch | 1.41.0 -> 1.41.1 |
Release Notes
matrix-org/synapse
v1.41.1
===========================
Due to the two security issues highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.
Security advisory
The following issues are fixed in v1.41.1.
- GHSA-3x4c-pq33-4w3q / CVE-2021-39164: Enumerating a private room's list of members and their display names.
  If an unauthorized user both knows the Room ID of a private room and that room's history visibility is set to `shared`, then they may be able to enumerate the room's members, including their display names. The unauthorized user must be on the same homeserver as a user who is a member of the target room.
  Fixed by 52c7a51cf.
- GHSA-jj53-8fmw-f2w2 / CVE-2021-39163: Disclosing a private room's name, avatar, topic, and number of members.
  If an unauthorized user knows the Room ID of a private room, then its name, avatar, topic, and number of members may be disclosed through Group / Community features.
  The unauthorized user must be on the same homeserver as a user who is a member of the target room, and their homeserver must allow non-administrators to create groups (`enable_group_creation` in the Synapse configuration; off by default).
  Fixed by cb35df940a, #10723.
Bugfixes
- Fix a regression introduced in Synapse 1.41 which broke email transmission on systems using older versions of the Twisted library. (#10713)
Configuration
- If you want to rebase/retry this MR, check this box.
This MR has been generated by Renovate Bot. The local configuration can be found in the local Renovate Bot repository.