Merge branch 'release-v0.28.1' into develop

This commit is contained in:
Matthew Hodgson 2018-05-01 19:05:03 +01:00
commit 8ae7096958

View File

@ -4,8 +4,8 @@ Changes in synapse v0.28.1 (2018-05-01)
SECURITY UPDATE SECURITY UPDATE
* Clamp the allowed values of event depth received over federation to be * Clamp the allowed values of event depth received over federation to be
[0, 2**63 - 1]. This mitigates an attack where malicious events [0, 2^63 - 1]. This mitigates an attack where malicious events
injected with depth = 2**63 - 1 render rooms unusable. Depth is used to injected with depth = 2^63 - 1 render rooms unusable. Depth is used to
determine the cosmetic ordering of events within a room, and so the ordering determine the cosmetic ordering of events within a room, and so the ordering
of events in such a room will default to using stream_ordering rather than depth of events in such a room will default to using stream_ordering rather than depth
(topological_ordering). (topological_ordering).
@ -14,7 +14,7 @@ SECURITY UPDATE
is being implemented to improve how the depth parameter is used. is being implemented to improve how the depth parameter is used.
Full details at Full details at
https://docs.google.com/document/d/1I3fi2S-XnpO45qrpCsowZv8P8dHcNZ4fsBsbOW7KABI/edit# https://docs.google.com/document/d/1I3fi2S-XnpO45qrpCsowZv8P8dHcNZ4fsBsbOW7KABI
* Pin Twisted to <18.4 until we stop using the private _OpenSSLECCurve API. * Pin Twisted to <18.4 until we stop using the private _OpenSSLECCurve API.