diff --git a/CHANGES.md b/CHANGES.md
index 523cdb115..f4a3ab71c 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,9 @@
+Synapse 1.0.0rc3 (2019-06-10)
+=============================
+
+Security: Fix authentication bug introduced in 1.0.0rc1. Please upgrade to rc3 immediately
+
+
 Synapse 1.0.0rc2 (2019-06-10)
 =============================
 
diff --git a/changelog.d/5418.bugfix b/changelog.d/5418.bugfix
new file mode 100644
index 000000000..3fd4d2a88
--- /dev/null
+++ b/changelog.d/5418.bugfix
@@ -0,0 +1 @@
+Fix bug where attempting to send transactions with large number of EDUs can fail.
diff --git a/synapse/__init__.py b/synapse/__init__.py
index 8dc07fe73..9c75a0a27 100644
--- a/synapse/__init__.py
+++ b/synapse/__init__.py
@@ -27,4 +27,4 @@ try:
 except ImportError:
     pass
 
-__version__ = "1.0.0rc2"
+__version__ = "1.0.0rc3"
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index 7f8ddc99c..a0cf37a9f 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -479,6 +479,7 @@ class AuthHandler(BaseHandler):
                 medium,
                 threepid_creds["client_secret"],
                 sid=threepid_creds["sid"],
+                validated=True,
             )
 
             threepid = {
diff --git a/synapse/storage/deviceinbox.py b/synapse/storage/deviceinbox.py
index 9b0a99cb4..4ea0deea4 100644
--- a/synapse/storage/deviceinbox.py
+++ b/synapse/storage/deviceinbox.py
@@ -138,6 +138,10 @@ class DeviceInboxWorkerStore(SQLBaseStore):
         if not has_changed or last_stream_id == current_stream_id:
             return defer.succeed(([], current_stream_id))
 
+        if limit <= 0:
+            # This can happen if we run out of room for EDUs in the transaction.
+            return defer.succeed(([], last_stream_id))
+
         def get_new_messages_for_remote_destination_txn(txn):
             sql = (
                 "SELECT stream_id, messages_json FROM device_federation_outbox"
diff --git a/synapse/storage/registration.py b/synapse/storage/registration.py
index 9b41cbd75..1dd1182e8 100644
--- a/synapse/storage/registration.py
+++ b/synapse/storage/registration.py
@@ -998,7 +998,7 @@ class RegistrationStore(
         client_secret,
         address=None,
         sid=None,
-        validated=None,
+        validated=True,
     ):
         """Gets a session_id and last_send_attempt (if available) for a
         client_secret/medium/(address|session_id) combo