commit matrix-synapse for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package matrix-synapse for openSUSE:Factory checked in at 2024-07-31 13:30:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/matrix-synapse (Old) and /work/SRC/openSUSE:Factory/.matrix-synapse.new.7232 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "matrix-synapse" Wed Jul 31 13:30:11 2024 rev:105 rq:1190513 version:1.112.0 Changes: -------- --- /work/SRC/openSUSE:Factory/matrix-synapse/matrix-synapse.changes 2024-07-17 15:15:09.898098228 +0200 +++ /work/SRC/openSUSE:Factory/.matrix-synapse.new.7232/matrix-synapse.changes 2024-07-31 13:30:38.239113801 +0200 
@@ -1,0 +2,115 @@ +Tue Jul 30 17:07:03 UTC 2024 - Marcus Rueckert <mrueckert@suse.de> + +- Update to 1.112.0 (boo#1228596) + + The actual security fix will be in the python3x-Twisted package: + + This security release is to update our locked dependency on + Twisted to 24.7.0rc1, which includes a security fix for + CVE-2024-41671 / GHSA-c8m8-j448-xjx7: Disordered HTTP pipeline + response in twisted.web, again. + + Note that this security fix is also available as Synapse 1.111.1, + which does not include the rest of the changes in Synapse + 1.112.0. + + This issue means that, if multiple HTTP requests are pipelined in + the same TCP connection, Synapse can send responses to the wrong + HTTP request. If a reverse proxy was configured to use HTTP + pipelining, this could result in responses being sent to the + wrong user, severely harming confidentiality. + + With that said, despite being a high severity issue, we consider + it unlikely that Synapse installations will be affected. The use + of HTTP pipelining in this fashion would cause worse performance + for clients (request-response latencies would be increased as + users' responses would be artificially blocked behind other + users' slow requests). Further, Nginx and Haproxy, two common + reverse proxies, do not appear to support configuring their + upstreams to use HTTP pipelining and thus would not be affected. + For both of these reasons, we consider it unlikely that a Synapse + deployment would be set up in such a configuration. + + Despite that, we cannot rule out that some installations may + exist with this unusual setup and so we are releasing this + security update today. + + pip users: Note that by default, upgrading Synapse using pip will + not automatically upgrade Twisted. Please manually install the + new version of Twisted using pip install Twisted==24.7.0rc1. 
Note + also that even the --upgrade-strategy=eager flag to pip install + -U matrix-synapse will not upgrade Twisted to a patched version + because it is only a release candidate at this time. + + - Features + - Add to-device extension support to experimental MSC3575 + Sliding Sync /sync endpoint. (#17416) + - Populate name/avatar fields in experimental MSC3575 Sliding + Sync /sync endpoint. (#17418) + - Populate heroes and room summary fields (joined_count, + invited_count) in experimental MSC3575 Sliding Sync /sync + endpoint. (#17419) + - Populate is_dm room field in experimental MSC3575 Sliding + Sync /sync endpoint. (#17429) + - Add room subscriptions to experimental MSC3575 Sliding Sync + /sync endpoint. (#17432) + - Prepare for authenticated media freeze. (#17433) + - Add E2EE extension support to experimental MSC3575 Sliding + Sync /sync endpoint. (#17454) + - Bugfixes + - Add configurable option to always include offline users in + presence sync results. Contributed by @Michael-Hollister. + (#17231) + - Fix bug in experimental MSC3575 Sliding Sync /sync endpoint + when using room type filters and the user has one or more + remote invites. (#17434) + - Order heroes by stream_ordering as the Matrix specification + states (applies to /sync). (#17435) + - Fix rare bug where /sync would break for a user when using + workers with multiple stream writers. (#17438) + - Improved Documentation + - Update the readme image to have a white background, so that + it is readable in dark mode. (#17387) + - Add Red Hat Enterprise Linux and Rocky Linux 8 and 9 + installation instructions. (#17423) + - Improve documentation for the + default_power_level_content_override config option. (#17451) + - Internal Changes + - Make sure we always use the right logic for enabling the + media repo. (#17424) + - Fix argument documentation for method + RateLimiter.record_action. (#17426) + - Reduce volume of 'Waiting for current token' logs, which were + introduced in v1.109.0. 
(#17428) + - Limit concurrent remote downloads to 6 per IP address, and + decrement remote downloads without a content-length from the + ratelimiter after the download is complete. (#17439) + - Remove unnecessary call to resume producing in fake channel. + (#17449) + - Update experimental MSC3575 Sliding Sync /sync endpoint to + bump room when it is created. (#17453) + - Speed up generating sliding sync responses. (#17458) + - Add cache to get_rooms_for_local_user_where_membership_is to + speed up sliding sync. (#17460) + - Speed up fetching room keys from backup. (#17461) + - Speed up sorting of the room list in sliding sync. (#17468) + - Implement handling of $ME as a state key in sliding sync. + (#17469) + - Updates to locked dependencies + - Bump bytes from 1.6.0 to 1.6.1. (#17441) + - Bump hiredis from 2.3.2 to 3.0.0. (#17464) + - Bump jsonschema from 4.22.0 to 4.23.0. (#17444) + - Bump matrix-org/done-action from 2 to 3. (#17440) + - Bump mypy from 1.9.0 to 1.10.1. (#17445) + - Bump pyopenssl from 24.1.0 to 24.2.1. (#17465) + - Bump ruff from 0.5.0 to 0.5.4. (#17466) + - Bump sentry-sdk from 2.6.0 to 2.8.0. (#17456) + - Bump sentry-sdk from 2.8.0 to 2.10.0. (#17467) + - Bump setuptools from 67.6.0 to 70.0.0. (#17448) + - Bump twine from 5.1.0 to 5.1.1. (#17443) + - Bump types-jsonschema from 4.22.0.20240610 to + 4.23.0.20240712. (#17446) + - Bump ulid from 1.1.2 to 1.1.3. (#17442) + - Bump zipp from 3.15.0 to 3.19.1. (#17427) + +------------------------------------------------------------------- Old: ---- matrix-synapse-1.111.0.obscpio New: ---- matrix-synapse-1.112.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ matrix-synapse-test.spec ++++++ --- /var/tmp/diff_new_pack.yVH2W3/_old 2024-07-31 13:30:39.531166863 +0200 +++ /var/tmp/diff_new_pack.yVH2W3/_new 2024-07-31 13:30:39.531166863 +0200 
@@ -27,7 +27,7 @@ %define pkgname matrix-synapse Name: %{pkgname}-test -Version: 1.111.0 +Version: 1.112.0 Release: 0 Summary: Test package for %{pkgname} License: AGPL-3.0-or-later ++++++ matrix-synapse.spec ++++++ --- /var/tmp/diff_new_pack.yVH2W3/_old 2024-07-31 13:30:39.559168012 +0200 +++ /var/tmp/diff_new_pack.yVH2W3/_new 2024-07-31 13:30:39.559168012 +0200 @@ -21,8 +21,7 @@ # NOTE: Keep this is in the same order as pyproject.toml. %if %{with use_poetry_for_dependencies} %global Jinja2_version 3.1.4 -# TODO: 10.4.0 -%global Pillow_version 10.3.0 +%global Pillow_version 10.4.0 %global PyYAML_version 6.0.1 %global attrs_version 23.2.0 %global bcrypt_version 4.1.3 @@ -42,6 +41,7 @@ %global phonenumbers_version 8.13.39 %global prometheus_client_version 0.20.0 %global psutil_version 2.0.0 +# todo: 24.2.1 %global pyOpenSSL_version 24.1.0 %global pyasn1_version 0.6.0 %global pyasn1_modules_version 0.3.0 @@ -60,10 +60,11 @@ %global pysaml2_version 7.3.1 %global Authlib_version 1.3.1 %global lxml_version 5.2.2 -%global sentry_sdk_version 2.6.0 +%global sentry_sdk_version 2.10.0 %global PyJWT_version 2.6.0 %global jaeger_client_version 4.8.0 %global opentracing_version 2.4.0 +# todo: 3.0.0 %global hiredis_version 2.3.2 %global txredisapi_version 1.4.10 %global Pympler_version 1.0.1 @@ -153,7 +154,7 @@ %define pkgname matrix-synapse %define eggname matrix_synapse Name: %{pkgname} -Version: 1.111.0 +Version: 1.112.0 Release: 0 Summary: Matrix protocol reference homeserver License: AGPL-3.0-or-later ++++++ _service ++++++ --- /var/tmp/diff_new_pack.yVH2W3/_old 2024-07-31 13:30:39.615170312 +0200 +++ /var/tmp/diff_new_pack.yVH2W3/_new 2024-07-31 13:30:39.619170477 +0200 
@@ -4,11 +4,11 @@ <param name="versionformat">@PARENT_TAG@</param> <param name="url">https://github.com/element-hq/synapse.git</param> <param name="scm">git</param> - <param name="revision">v1.111.0</param> + <param name="revision">v1.112.0</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="versionrewrite-replacement">\1</param> <!-- - <param name="revision">v1.112.0rc1</param> + <param name="revision">v1.113.0rc1</param> <param name="versionrewrite-pattern">v([\.\d]+)(rc.*)</param> <param name="versionrewrite-replacement">\1~\2</param> --> ++++++ matrix-synapse-1.111.0.obscpio -> matrix-synapse-1.112.0.obscpio ++++++ /work/SRC/openSUSE:Factory/matrix-synapse/matrix-synapse-1.111.0.obscpio /work/SRC/openSUSE:Factory/.matrix-synapse.new.7232/matrix-synapse-1.112.0.obscpio differ: char 49, line 1 ++++++ matrix-synapse.obsinfo ++++++ --- /var/tmp/diff_new_pack.yVH2W3/_old 2024-07-31 13:30:39.671172612 +0200 +++ /var/tmp/diff_new_pack.yVH2W3/_new 2024-07-31 13:30:39.675172777 +0200 @@ -1,5 +1,5 @@ name: matrix-synapse -version: 1.111.0 -mtime: 1721127326 -commit: 574aa53126c238148189f80b37b2ad14052cc429 +version: 1.112.0 +mtime: 1722356649 +commit: 37f9876ccfdd9963cda4ff802882b9eec037877a ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/matrix-synapse/vendor.tar.zst /work/SRC/openSUSE:Factory/.matrix-synapse.new.7232/vendor.tar.zst differ: char 425562, line 1803
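Review bot: In the matrix-synapse.changes entry, the text says the actual fix for CVE-2024-41671 will be in the python3x-Twisted package, but none of the matrix-synapse.spec hunks in this commit touches a Twisted version requirement, so nothing visible here raises the Twisted version this package requires. Consider adding a minimum Twisted version to the spec, or naming the Twisted update in the entry so the two can be tracked together. The upstream paragraph addressed to pip users ("pip install Twisted==24.7.0rc1") does not apply to an RPM install and could be replaced by the name of the package to update.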
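Review bot: In matrix-synapse.spec, the two added "# todo:" comments leave "%global pyOpenSSL_version 24.1.0" and "%global hiredis_version 2.3.2" below the versions the changelog lists as upstream's locked dependencies (pyopenssl 24.2.1, hiredis 3.0.0). A build with use_poetry_for_dependencies therefore pins versions that differ from the upstream lock, and hiredis is a major-version step. State in each comment why the pin is held back, and keep the marker spelled "# TODO:" as the removed Pillow line had it, so one search finds all of them.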
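Review bot: In _service, "revision" is set to the tag name v1.112.0, while matrix-synapse.obsinfo records commit 37f9876ccfdd9963cda4ff802882b9eec037877a. A tag can be moved upstream after the fact, so for a security release consider pinning the revision to that commit hash and keeping the tag name in a comment, which makes a later service run fetch the same source.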