Matrix (Synapse/Element) - Package Updates

girish

This topic is to track Synapse/Element package updates.

Please open issues in a separate topic instead of replying here.

girish

Riot has been updated to 1.6.0. Big news: Cross-signing and E2EE by default for DMs and private rooms enabled.

girish

Synapse [1.1.0]

• Update Synapse to 1.13.0
• Full changelog
• Set Referrer-Policy header to no-referrer on media downloads. (#7009)
• Admin API POST /_synapse/admin/v1/join/<roomIdOrAlias> to join users to a room like auto_join_rooms for creation of users. (#7051)
• Add options to prevent users from changing their profile or associated 3PIDs. (#7096)
• Allow server admins to define and enforce a password policy (MSC2000). (#7118)
• Improve the support for SSO authentication on the login fallback page. (#7152, #7235)
• Always whitelist the login fallback in the SSO configuration if public_baseurl is set. (#7153)
• Admin users are no longer required to be in a room to create an alias for it. (#7191)
• Require admin privileges to enable room encryption by default. This does not affect existing rooms. (#7230)

girish

Riot [1.1.1]

• Update riot to 1.6.1
• Full changelog
• Upgrade to React SDK 2.6.0 and JS SDK 6.1.0

girish

Synapse [1.2.0]

• Update Synapse to 1.14.0
• Full changelog

girish

Riot [1.1.3]

• Update riot to 1.6.3
• Full changelog
• Fixes a vulnerability in single sign-on (SSO) deployments

girish

Riot [1.1.4]

• Update riot to 1.6.4
• Full changelog

girish

Riot [1.2.0]

• Remove matrix.org welcome bot - https://github.com/vector-im/riot-web/pull/12894

girish

Matrix [1.3.0]

• Add optional sso support

girish

Update to 1.15.0 results in a crash in LDAP. I have reported this upstream https://github.com/matrix-org/matrix-synapse-ldap3/issues/92

girish

Upstream has made a fix for 1.15.0 - https://github.com/matrix-org/synapse/pull/7684

girish

Riot [1.2.1]

• Update riot to 1.6.5
• Full changelog
• Upgrade to JS SDK 6.2.2 and React SDK 2.7.2

girish

Synapse [1.4.0]

• Update Synapse to 1.15.1
• Full changelog
• Advertise support for Client-Server API r0.6.0 and remove related unstable feature flags. (#6585)
• Add an option to disable autojoining rooms for guest accounts. (#6637)
• Add admin APIs to allow server admins to manage users' devices. Contributed by @dklimpel. (#7481)
• Add support for generating thumbnails for WebP images. Previously, users would see an empty box instead of preview image. Contributed by @WGH-. (#7586)
• Support the standardized m.login.sso user-interactive authentication flow. (#7630)

girish

Riot [1.2.2]

• Update riot to 1.6.6
• Full changelog
• Upgrade to JS SDK 7.0.0 and React SDK 2.8.0

girish

[1.3.0]

• Update riot to 1.6.7
• Full changelog
• Upgrade to React SDK 2.8.1

girish

[1.5.0]

• Update Synapse to 1.15.2
• Full changelog
• A malicious homeserver could force Synapse to reset the state in a room to a small subset of the correct state. This affects all Synapse deployments which federate with untrusted servers. (96e9afe6)
• HTML pages served via Synapse were vulnerable to clickjacking attacks. This predominantly affects homeservers with single-sign-on enabled, but all server administrators are encouraged to upgrade. (ea26e9a9)

This contains important security fixes. Please update immediately

girish

Riot [1.3.1]

• Update riot to 1.6.8
• Full changelog
• Upgrade to JS SDK 7.1.0 and React SDK 2.9.0

girish

Synapse [1.6.0]

• Update Synapse to 1.16.0
• Full changelog
• Add an option to enable encryption by default for new rooms. (#7639)
• Add support for running multiple media repository workers. See docs/workers.md for instructions. (#7706)
• Media can now be marked as safe from quarantined. (#7718)
• Expand the configuration options for auto-join rooms. (#7763)

girish

Synapse [1.6.1]

• Update Synapse to 1.16.1
• Full changelog
• Drop table local_rejections_stream which was incorrectly added in Synapse 1.16.0. (#7816, b1beb3ff5)

girish

Synapse [1.7.0]

• Update Synapse to 1.17.0
• Full changelog
• Fix inconsistent handling of upper and lower case in email addresses when used as identifiers for login, etc. Contributed by @dklimpel. (#7021)
• Fix "Tried to close a non-active scope!" error messages when opentracing is enabled. (#7732)
• Fix incorrect error message when database CTYPE was set incorrectly. (#7760)
• Fix to not ignore set_tweak actions in Push Rules that have no value, as permitted by the specification. (#7766)
• Fix synctl to handle empty config files correctly. Contributed by @kotovalexarian. (#7779)
• Fixes a long standing bug in worker mode where worker information was saved in the devices table instead of the original IP address and user agent. (#7797)
• Fix 'stuck invites' which happen when we are unable to reject a room invite received over federation. (#7804, #7809, #7810)

girish

Element [1.4.0]

• Update Element to 1.7.0
• Full changelog
• App name changed from Riot to Element

girish

Element [1.4.1]

• Update Element to 1.7.1
• Full changelog
• Run pngcrush on vector-icons
• Use the right protocol for SSO URLs
• Fix mstile-310x150 by renaming it

girish

[1.4.2]

• Update Element to 1.7.2
• Full changelog
• Upgrade to React SDK 3.0.0 and JS SDK 8.0.0
• Capitalize letters #14566
• Riot to Element #14581

girish

Synapse [1.8.0]

• Update Synapse to 1.18.0
• Full changelog
• Include room states on invite events that are sent to application services. Contributed by @Sorunome. (#6455)
• Add delete room admin endpoint (POST /_synapse/admin/v1/rooms/<room_id>/delete). Contributed by @dklimpel. (#7613, #7953)
• Add experimental support for running multiple federation sender processes. (#7798)
• Add the option to validate the iss and aud claims for JWT logins. (#7827)
• Add support for handling registration requests across multiple client reader workers. (#7830)
• Add an admin API to list the users in a room. Contributed by Awesome Technologies Innovationslabor GmbH. (#7842)
• Allow email subjects to be customised through Synapse's configuration. (#7846)
• Add the ability to re-activate an account from the admin API. (#7847, #7908)
• Support oEmbed for media previews. (#7920)

girish

Element [1.4.3]

• Update Element to 1.7.3
• Full changelog
• Element Web 1.7.3 fixes an issue where replying to a specially formatted message would make it seem like the replier said something they did not. Thanks to Sorunome for responsibly disclosing this via Matrix's Security Disclosure Policy.
  Element Web 1.7.3 fixes an issue where an unexpected language ID in a code block could cause Element to crash. Thanks to SakiiR for responsibly disclosing this via Matrix's Security Disclosure Policy.
• Upgrade to React SDK 3.1.0 and JS SDK 8.0.1

girish

Synapse [1.9.0]

• Update Synapse to 1.19.0
• Full changelog
• Add option to allow server admins to join rooms which fail complexity checks. Contributed by @lugino-emeritus. (#7902)
• Add an option to purge room or not with delete room admin endpoint (POST /_synapse/admin/v1/rooms/<room_id>/delete). Contributed by @dklimpel. (#7964)
• Add rate limiting to users joining rooms. (#8008)
• Add a /health endpoint to every configured HTTP listener that can be used as a health check endpoint by load balancers. (#8048)
• Allow login to be blocked based on the values of SAML attributes. (#8052)
• Allow guest access to the GET /_matrix/client/r0/rooms/{room_id}/members endpoint, according to MSC2689. Contributed by Awesome Technologies Innovationslabor GmbH. (#7314)

girish

Element [1.4.4]

• Update Element to 1.7.4
• Full changelog
• Upgrade to React SDK 3.2.0 and JS SDK 8.1.0

girish

Synapse [1.9.1]

• Update Synapse to 1.19.1
• Full changelog
• Fix a bug introduced in v1.19.0 where appservices with ratelimiting disabled would still be ratelimited when joining rooms. (#8139)
• Fix a bug introduced in v1.19.0 that would cause e.g. profile updates to fail due to incorrect application of rate limits on join requests. (#8153)

girish

Element [1.4.5]

• Update Element to 1.7.5
• Full changelog
• Element Web 1.7.5 fixes an issue where encrypted state events could break incoming call handling.

girish

[1.4.6]

• Update Element to 1.7.6
• Full changelog
• Upgrade to React SDK 3.4.1

girish

[1.10.0]

• Update Synapse to 1.19.3
• Full changelog
• Partially mitigate bug where newly joined servers couldn't get past events in a room when there is a malformed event. (#8350)
• Make index.html customizable

girish

[1.11.0]

• Update Synapse to 1.20.1
• Full changelog
• Add an endpoint to query your shared rooms with another user as an implementation of MSC2666. (#7785)
• Iteratively encode JSON to avoid blocking the reactor. (#8013, #8116)
• Add support for shadow-banning users (ignoring any message send requests). (#8034, #8092, #8095, #8142, #8152, #8157, #8158, #8176)
• Use the default template file when its equivalent is not found in a custom template directory. (#8037, #8107, #8252)
• Add unread messages count to sync responses, as specified in MSC2654. (#8059, #8254, #8270, #8274)
• Optimise /federation/v1/user/devices/ API by only returning devices with encryption keys. (#8198)

girish

[1.12.0]

• Update Synapse to 1.21.0
• Full changelog
• Require the user to confirm that their password should be reset after clicking the email confirmation link. (#8004)
• Add an admin API GET /_synapse/admin/v1/event_reports to read entries of table event_reports. Contributed by @dklimpel. (#8217)
• Consolidate the SSO error template across all configuration. (#8248, #8405)
• Add a configuration option to specify a whitelist of domains that a user can be redirected to after validating their email or phone number. (#8275, #8417)
• Add experimental support for sharding event persister. (#8294, #8387, #8396, #8419)
• Add the room topic and avatar to the room details admin API. (#8305)
• Add an admin API for querying rooms where a user is a member. Contributed by @dklimpel. (#8306)

girish

Element [1.4.7]

• Update Element to 1.7.9
• Full changelog
• Upgrade to React SDK 3.6.0 and JS SDK 8.5.0
• Add /app/data/custom as a location for custom assets

girish

[1.12.1]

• Updat Synapse to 1.21.1
• Full changelog

girish

[1.12.2]

• Update Synapse to 1.21.2
• Full changelog
• Security: HTML pages served via Synapse were vulnerable to cross-site scripting (XSS) attacks. All server administrators are encouraged to upgrade
• Fix rare bug where sending an event would fail due to a racey assertion. (#8530)

girish

[1.4.8]

• Update Element to 1.7.10
• Full changelog
• Adjust for new widget messaging APIs #15497
• Upgrade to React SDK 3.6.1

girish

[1.4.9]

• Update Element to 1.7.11
• Full changelog
• Upgrade to React SDK 3.7.0 and JS SDK 9.0.0

girish

Synapse [1.13.0]

• Update Synapse to 1.22.0
• Full changelog
• Add ability for ThirdPartyEventRules modules to query and manipulate whether a room is in the public rooms directory. (#8292, #8467)
• Add support for olm fallback keys (MSC2732). (#8312, #8501)
• Add support for running background tasks in a separate worker process. (#8369, #8458, #8489, #8513, #8544, #8599)
• Add support for device dehydration (MSC2697). (#8380)
• Add support for MSC2409, which allows sending typing, read receipts, and presence events to appservices. (#8437, #8590)
• Change default room version to "6", per MSC2788. (#8461)
• Add the ability to send non-membership events into a room via the ModuleApi. (#8479)
• Increase default upload size limit from 10M to 50M. Contributed by @Akkowicz. (#8502)
• Add support for modifying event content in ThirdPartyRules modules. (#8535, #8564)

girish

Element [1.4.10]

• Update Element to 1.7.12
• Full changelog

girish

Synapse [1.13.1]

• Update Synapse to 1.22.1
• Full changelog
• Fix a bug where an appservice may not be forwarded events for a room it was recently invited to. Broke in v1.22.0. (#8676)
• Fix Object of type frozendict is not JSON serializable exceptions when using third-party event rules. Broke in v1.22.0. (#8678)

girish

[1.4.11]

• Update Element to 1.7.13
• Full changelog
• Upgrade to React SDK 3.8.0 and JS SDK 9.1.0

girish

Synapse [1.14.0]

• Update Synapse to 1.23.0
• Full changelog
• Add a push rule that highlights when a jitsi conference is created in a room. (#8286)
• Add an admin api to delete a single file or files that were not used for a defined time from server. Contributed by @dklimpel. (#8519)
• Split admin API for reported events (GET /_synapse/admin/v1/event_reports) into detail and list endpoints. This is a breaking change to #8217 which was introduced in Synapse v1.21.0. Those who already use this API should check their scripts. Contributed by @dklimpel. (#8539)
• Support generating structured logs via the standard logging configuration. (#8607, #8685)
• Add an admin API to allow server admins to list users' pushers. Contributed by @dklimpel. (#8610, #8689)
• Add an admin API GET /_synapse/admin/v1/users/<user_id>/media to get information about uploaded media. Contributed by @dklimpel. (#8647)
• Add an admin API for local user media statistics. Contributed by @dklimpel. (#8700)
• Add displayname to Shared-Secret Registration for admins. (#8722)

girish

Element [1.4.12]

• Update Element to 1.7.14
• Full changelog
• Upgrade to React SDK 3.9.0 and JS SDK 9.2.0

girish

Element [1.4.13]

• Update Element to 1.7.15
• Full changelog
• Upgrade to React SDK 3.10.0 and JS SDK 9.3.0

girish

Synapse [1.14.1]

• Update Synapse to 1.23.1
• Full changelog
• There is a denial of service attack (CVE-2020-26257) against the federation APIs in which future events will not be correctly sent to other servers over federation. This affects all servers that participate in open federation. (Fixed in #8776).

girish

[1.15.0]

• Update Synapse to 1.24.0
• Full changelog
• Add a maximum version for pysaml2 on Python 3.5

girish

Riot [1.4.14]

• Update Elemen to 1.7.16
• Full changelog

girish

[1.16.0]

• Update Synapse to 1.25.0
• Full changelog
• Add an admin API that lets server admins get power in rooms in which local users have power. (#8756)
• Add optional HTTP authentication to replication endpoints. (#8853)
• Improve the error messages printed as a result of configuration problems for extension modules. (#8874)
• Add the number of local devices to Room Details Admin API. Contributed by @dklimpel. (#8886)
• Add X-Robots-Tag header to stop web crawlers from indexing media. Contributed by Aaron Raimist. (#8887)
• Spam-checkers may now define their methods as async. (#8890)
• Add support for allowing users to pick their own user ID during a single-sign-on login. (#8897, #8900, #8911, #8938, #8941, #8942, #8951)
• Add an email.invite_client_location configuration option to send a web client location to the invite endpoint on the identity server which allows customisation of the email template. (#8930)
• The search term in the list room and list user Admin APIs is now treated as case-insensitive. (#8931)
• Apply an IP range blacklist to push and key revocation requests. (#8821, #8870, #8954)
• Add an option to allow re-use of user-interactive authentication sessions for a period of time. (#8970)
• Allow running the redact endpoint on workers. (#8994)

girish

Element [1.4.15]

• Update Element to 1.7.17
• Full changelog
• Upgrade to React SDK 3.12.0 and JS SDK 9.5.0

girish

Synapse [1.17.0]

• Update Synapse to 1.26.0
• Full changelog
• During user-interactive authentication via single-sign-on, give a better error if the user uses the wrong account on the SSO IdP. (#9091)
• Give the public_baseurl a default value, if it is not explicitly set in the configuration file. (#9159)
• Improve performance when calculating ignored users in large rooms. (#9024)
• Implement MSC2176 in an experimental room version. (#8984)
• Add an admin API for protecting local media from quarantine. (#9086)
• Remove a user's avatar URL and display name when deactivated with the Admin API. (#8932)

girish

Element [1.4.16]

• Update Element to 1.7.18
• Full changelog

girish

Element [1.4.17]

• Update Element to 1.7.19
• Full changelog

girish

Element [1.5.0]

• Update Element to 1.7.20
• Full changelog
• Use base image v3

girish

Element [1.5.1]

• Update Element to 1.7.21
• Full changelog
• Upgrade to React SDK 3.14.0 and JS SDK 9.7.0

girish

Synapse [1.18.0]

• Update Synapse to 1.27.0
• Use base image v3
• Update python to 3.8
• Full changelog
• Add an admin API for getting and deleting forward extremities for a room. (#9062)
• Add an admin API for retrieving the current room state of a room. (#9168)
• Add an admin API endpoint for shadow-banning users. (#9209)

girish

Synapse [1.19.0]

• Update Synapse to 1.28.0
• Full changelog
• New admin API to get the context of an event: /_synapse/admin/rooms/{roomId}/context/{eventId}. (#9150)
• Further improvements to the user experience of registration via single sign-on. (#9300, #9301)
• Add hook to spam checker modules that allow checking file uploads and remote downloads. (#9311)
• Add support for receiving OpenID Connect authentication responses via form POSTs rather than GETs. (#9376)
• Add the shadow-banning status to the admin API for user info. (#9400)

girish

Element [1.5.2]

• Update Element to 1.7.22
• Full changelog
• Fixes a severity issue (CVE-2021-21320) where the user content sandbox can be abused to trick users into opening unexpected documents

girish

Synapse [1.20.0]

• Update Synapse to 1.29.0
• Full changelog
• Add rate limiters to cross-user key sharing requests. (#8957)
• Add order_by to the admin API GET /_synapse/admin/v1/users/<user_id>/media. Contributed by @dklimpel. (#8978)
• Add some configuration settings to make users' profile data more private. (#9203)
• The no_proxy and NO_PROXY environment variables are now respected in proxied HTTP clients with the lowercase form taking precedence if both are present. Additionally, the lowercase https_proxy environment variable is now respected in proxied HTTP clients on top of existing support for the uppercase HTTPS_PROXY form and takes precedence if both are present. Contributed by Timothy Leung. (#9372)
• Add a configuration option, user_directory.prefer_local_users, which when enabled will make it more likely for users on the same server as you to appear above other users. (#9383, #9385)
• Add support for regenerating thumbnails if they have been deleted but the original image is still stored. (#9438)

girish

[1.21.0]

• Update Synapse to 1.30.0
• Full changelog
• Add prometheus metrics for number of users successfully registering and logging in. (#9510, #9511, #9573)
• Add synapse_federation_last_sent_pdu_time and synapse_federation_last_received_pdu_time prometheus metrics, which monitor federation delays by reporting the timestamps of messages sent and received to a set of remote servers. (#9540)
• Add support for generating JSON Web Tokens dynamically for use as OIDC client secrets. (#9549)
• Optimise handling of incomplete room history for incoming federation. (#9601)
• Finalise support for allowing clients to pick an SSO Identity Provider (MSC2858). (#9617)
• Tell spam checker modules about the SSO IdP a user registered through if one was used. (#9626)