commit matrix-synapse for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package matrix-synapse for openSUSE:Factory checked in at 2023-09-28 00:25:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/matrix-synapse (Old) and /work/SRC/openSUSE:Factory/.matrix-synapse.new.23327 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "matrix-synapse" Thu Sep 28 00:25:02 2023 rev:85 rq:1113708 version:1.93.0 Changes: -------- --- /work/SRC/openSUSE:Factory/matrix-synapse/matrix-synapse.changes 2023-09-07 21:13:58.339946322 +0200 +++ /work/SRC/openSUSE:Factory/.matrix-synapse.new.23327/matrix-synapse.changes 2023-09-28 00:38:25.552739243 +0200 
@@ -1,0 +2,143 @@ +Tue Sep 26 17:35:26 UTC 2023 - Marcus Rueckert <mrueckert@suse.de> + +- Update to 1.93.0 + The following issues are fixed in 1.93.0 (and RCs). + + GHSA-4f74-84v3-j9q5 / CVE-2023-41335 — Low Severity + https://github.com/matrix-org/synapse/security/advisories/GHSA-4f74-84v3-j9q... + + Temporary storage of plaintext passwords during password changes. + + GHSA-7565-cq32-vx2x / CVE-2023-42453 — Low Severity + https://github.com/matrix-org/synapse/security/advisories/GHSA-7565-cq32-vx2... + + Improper validation of receipts allows forged read receipts. + + See the advisories for more details. If you have any questions, email security@matrix.org. + + + - Features + - Add automatic purge after all users have forgotten a room. + (#15488) + - Restore room purge/shutdown after a Synapse restart. (#15488) + - Support resolving homeservers using matrix-fed DNS SRV + records from MSC4040. (#16137) + - Add the ability to use G (GiB) and T (TiB) suffixes in + configuration options that refer to numbers of bytes. + (#16219) + - Add span information to requests sent to appservices. + Contributed by MTRNord. (#16227) + - Add the ability to enable/disable registrations when using + CAS. Contributed by Aurélien Grimpard. (#16262) + - Allow the /notifications endpoint to be routed to workers. + (#16265) + - Enable users to easily unsubscribe to notifications emails + via the List-Unsubscribe header. (#16274) + - Report whether a user is locked in the List Accounts admin + API, and exclude locked users by default. (#16328) + - Bugfixes + - Fix a long-standing bug where multi-device accounts could + cause high load due to presence. (#16066, #16170, #16171, + #16172, #16174) + - Fix a long-standing bug where appservices using MSC2409 to + receive to_device messages would only get messages for one + user. (#16251) + - Fix bug when using workers where Synapse could end up + re-requesting the same remote device repeatedly. 
(#16252) + - Fix long-standing bug where we kept re-requesting a remote + server's key repeatedly, potentially causing delays in + receiving events over federation. (#16257) + - Avoid temporary storage of sensitive information. (#16272) + - Fix bug introduced in Synapse 1.49.0 when using dehydrated + devices (MSC2697) and refresh tokens. Contributed by Hanadi. + (#16288) + - Fix a long-standing bug where invalid receipts would be + accepted. (#16327) + - Use standard name for UTF-8 charset in emails. (#16329) + - Don't try refetching device lists for users on remote hosts + that are marked as "down". (#16298) + - Improved Documentation + - Fix typos in the documentation. (#16282) + - Link to the Alpine Linux community package for Synapse. + (#16304) + - Use string for federation_client_minimum_tls_version + documentation examples. Contributed by @jcgruenhage. (#16353) + - Internal Changes + - Allow modules to delete rooms. (#15997) + - Add GCC and GNU Make to the Nix flake development environment + so that ruff can be compiled. (#16090, #16263) + - Fix type checking when using the new version of Twisted. + (#16235) + - Delete device messages asynchronously and in staged batches + using the task scheduler. (#16240, #16311, #16312, #16313) + - Bump minimum supported Rust version to 1.61.0. (#16248) + - Update rust to version 1.71.1 in the nix development + environment. (#16260) + - Simplify server key storage. (#16261) + - Reduce CPU overhead of change password endpoint. (#16264) + - Stop purging from tables slated for removal. (#16273) + - Improve type hints. (#16276, #16301, #16325, #16326) + - Raise setuptools_rust version cap to 1.7.0. (#16277) + - Fix using the new task scheduler causing lots of CPU to be + used. (#16278) + - Upgrade CI run of Python 3.12 from rc1 to rc2. (#16280) + - Include values in SQL debug when using execute_values with + Postgres. (#16281) + - Enable additional linting checks. 
(#16283) + - Refactor receipts_graph Postgres transactions to stop error + messages. (#16299) + - Small improvements to logging in replication code. (#16309) + - Remove a reference cycle in background processes. (#16314) + - Only use literal strings for background process names. + (#16315) + - Refactor get_user_by_id. (#16316) + - Speed up task to delete to-device messages. (#16318) + - Avoid patching code in tests. (#16349) + - Test against PostgreSQL 16. (#16351) + +------------------------------------------------------------------- +Mon Sep 25 23:09:42 UTC 2023 - Marcus Rueckert <mrueckert@suse.de> + +- Update to 1.92.3 + This release does not affect openSUSE as we do not use the intree + libwebp + + Upstream changes: + This is again a security update targeted at mitigating + CVE-2023-4863. It turns out that libwebp is bundled statically in + Pillow wheels so we need to update this dependency instead of + libwebp package at the OS level. + + Unlike what was advertised in 1.92.2 changelog this release also + impacts PyPI wheels and Debian packages from matrix.org. + + We encourage admins to upgrade as soon as possible. + + Internal Changes + - Pillow 10.0.1 is now mandatory because of libwebp + CVE-2023-4863, since Pillow provides libwebp in the wheels. + (#16347) +- bump all the dependencies which are not available in tumbleweed. + +------------------------------------------------------------------- +Fri Sep 15 13:57:20 UTC 2023 - Marcus Rueckert <mrueckert@suse.de> + +- Update to 1.92.2 + Only fix in this is actually changing the upstream docker + configuration to mitigate the webp security bug. Does not affect + our package. + +------------------------------------------------------------------- +Tue Sep 12 20:21:04 UTC 2023 - Marcus Rueckert <mrueckert@suse.de> + +- Update to 1.92.1 + - Bugfixes + - Revert MSC3861 introspection cache, admin impersonation and + account lock. (#16258) + - Internal Changes + - Fix incorrect docstring for Ratelimiter. 
(#16255) + - Update the release script to work on macOS. (#16266) + - Stop building Ubuntu Kinetic since it is EOL and repos seem + to be dead. + +------------------------------------------------------------------- Old: ---- matrix-synapse-1.91.2.obscpio New: ---- matrix-synapse-1.93.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ matrix-synapse-test.spec ++++++ --- /var/tmp/diff_new_pack.28dTFG/_old 2023-09-28 00:38:28.088831494 +0200 +++ /var/tmp/diff_new_pack.28dTFG/_new 2023-09-28 00:38:28.092831640 +0200 @@ -27,7 +27,7 @@ %define pkgname matrix-synapse Name: %{pkgname}-test -Version: 1.91.2 +Version: 1.93.0 Release: 0 Summary: Test package for %{pkgname} License: Apache-2.0 ++++++ matrix-synapse.spec ++++++ --- /var/tmp/diff_new_pack.28dTFG/_old 2023-09-28 00:38:28.136833241 +0200 +++ /var/tmp/diff_new_pack.28dTFG/_new 2023-09-28 00:38:28.140833386 +0200 @@ -21,17 +21,14 @@ # NOTE: Keep this is in the same order as pyproject.toml. %if %{with use_poetry_for_dependencies} %global Jinja2_version 3.1.2 -# TODO: 10.0.0 -%global Pillow_version 9.5.0 -# TODO: 6.0.1 -%global PyYAML_version 6.0 +%global Pillow_version 10.0.1 +%global PyYAML_version 6.0.1 %global Twisted_version 22.10.0 %global attrs_version 23.1.0 %global bcrypt_version 4.0.1 %global bleach_version 5.0.1 %global canonicaljson_version 2.0.0 -# TODO: 41.0.3 -%global cryptography_version 41.0.2 +%global cryptography_version 41.0.3 %global immutabledict_version 3.0.0 %global idna_version 3.4 %global ijson_version 3.2.3 
@@ -41,15 +38,14 @@ %global matrix_common_max_version 2 %global msgpack_version 1.0.5 %global netaddr_version 0.8.0 -# TODO: 8.13.14 +# TODO: 8.13.19 %global phonenumbers_version 8.13.18 # TODO: 0.17.1 %global prometheus_client_version 0.17.0 %global psutil_version 2.0.0 %global pyOpenSSL_version 23.0.0 %global pyasn1_version 0.5.0 -# TODO 0.3.0 -%global pyasn1_modules_version 0.2.8 +%global pyasn1_modules_version 0.3.0 %global pymacaroons_version 0.13.0 %global service_identity_version 23.1.0 %global signedjson_version 1.1.4 @@ -61,13 +57,12 @@ %global unpaddedbase64_version 2.1.0 %global matrix_synapse_ldap3_version 0.2.2 %global packaging_version 23.1 -%global psycopg2_version 2.9.6 +%global psycopg2_version 2.9.7 # TODO 7.3.1 %global pysaml2_version 7.2.1 %global Authlib_version 1.2.1 -# TODO 4.9.3 -%global lxml_version 4.9.2 -%global sentry_sdk_version 1.29.2 +%global lxml_version 4.9.3 +%global sentry_sdk_version 1.30.0 %global PyJWT_version 2.4.0 %global jaeger_client_version 4.8.0 %global opentracing_version 2.4.0 @@ -76,12 +71,11 @@ %global txredisapi_version 1.4.9 %global Pympler_version 1.0.1 %global pydantic_version 1.9.1 -# TODO: 2.10.2 -%global pyicu_version 2.10.2 +%global pyicu_version 2.11 %else # some version locks based on poetry.lock %global Jinja2_version 3.0 -%global Pillow_version 5.4.0 +%global Pillow_version 10.0.1 %global PyYAML_version 3.13 %global Twisted_version 18.9.0 %global attrs_version 21.1.1 @@ -160,7 +154,7 @@ %define pkgname matrix-synapse %define eggname matrix_synapse Name: %{pkgname} -Version: 1.91.2 +Version: 1.93.0 Release: 0 Summary: Matrix protocol reference homeserver License: Apache-2.0 
@@ -194,11 +188,11 @@ BuildRequires: sysuser-shadow BuildRequires: sysuser-tools BuildRequires: unzip -BuildRequires: (%{use_python}-poetry-core >= 1.0.0 with %{use_python}-poetry-core =< 1.7.0) +BuildRequires: (%{use_python}-poetry-core >= 1.1.0 with %{use_python}-poetry-core =< 1.7.0) %{?systemd_ordering} %{sysusers_requires} %requires_peq %{use_python}-base -BuildRequires: (%{use_python}-setuptools-rust >= 1.3 with %{use_python}-setuptools-rust =< 1.6.0) +BuildRequires: (%{use_python}-setuptools-rust >= 1.3 with %{use_python}-setuptools-rust =< 1.7.0) # NOTE: Keep this is in the same order as pyproject.toml. # some version locks based on poetry.lock BuildRequires: %{use_python}-Jinja2 >= %{Jinja2_version} ++++++ _service ++++++ --- /var/tmp/diff_new_pack.28dTFG/_old 2023-09-28 00:38:28.260837751 +0200 +++ /var/tmp/diff_new_pack.28dTFG/_new 2023-09-28 00:38:28.264837897 +0200 @@ -4,11 +4,11 @@ <param name="versionformat">@PARENT_TAG@</param> <param name="url">https://github.com/matrix-org/synapse.git</param> <param name="scm">git</param> - <param name="revision">v1.91.2</param> + <param name="revision">v1.93.0</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="versionrewrite-replacement">\1</param> <!-- - <param name="revision">v1.92.0rc1</param> + <param name="revision">v1.94.0rc1</param> <param name="versionrewrite-pattern">v([\.\d]+)(rc.*)</param> <param name="versionrewrite-replacement">\1~\2</param> --> ++++++ matrix-synapse-1.91.2.obscpio -> matrix-synapse-1.93.0.obscpio ++++++ /work/SRC/openSUSE:Factory/matrix-synapse/matrix-synapse-1.91.2.obscpio /work/SRC/openSUSE:Factory/.matrix-synapse.new.23327/matrix-synapse-1.93.0.obscpio differ: char 48, line 1 ++++++ matrix-synapse.obsinfo ++++++ --- /var/tmp/diff_new_pack.28dTFG/_old 2023-09-28 00:38:28.376841971 +0200 +++ /var/tmp/diff_new_pack.28dTFG/_new 2023-09-28 00:38:28.376841971 +0200 
@@ -1,5 +1,5 @@ name: matrix-synapse -version: 1.91.2 -mtime: 1694013057 -commit: 9de615b3aa4f20cab182cf3822943b9465a30643 +version: 1.93.0 +mtime: 1695740214 +commit: 88ba67eb91215a708f321e16559fe3c2c0d0a407 ++++++ vendor.tar.zst ++++++ Binary files /var/tmp/diff_new_pack.28dTFG/_old and /var/tmp/diff_new_pack.28dTFG/_new differ
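Review bot: In the matrix-synapse.changes hunk, the 1.92.2 entry says only "mitigate the webp security bug" while the 1.92.3 entry above it names CVE-2023-4863. Name the CVE in the 1.92.2 entry as well, so that searching the changelog for the identifier finds every entry that deals with it. The 1.92.3 entry also opens with "This release does not affect openSUSE" although the spec in this same commit raises Pillow_version to 10.0.1; one line saying that the floor is raised anyway, and why, would remove the apparent contradiction.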
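Review bot: In matrix-synapse.spec, the %else branch raises Pillow_version from 5.4.0 directly to 10.0.1 with no comment, while the neighbouring floors in that branch stay at much older values (PyYAML 3.13, Twisted 18.9.0). Add a comment above the line that names CVE-2023-4863 and the upstream change (#16347) as the reason, so that a later cleanup of these minimums does not relax it by accident.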
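Review bot: In the @@ -41,15 +38,14 @@ hunk of matrix-synapse.spec, the phonenumbers comment changes from "# TODO: 8.13.14" to "# TODO: 8.13.19" but the pin itself stays at 8.13.18, and the "# TODO: 0.17.1" above prometheus_client_version 0.17.0 is left as it was (as is "# TODO 7.3.1" for pysaml2 in the next hunk). The changelog entry says the dependencies were bumped without saying which pins still lag behind the noted versions. Either finish these bumps or record in the .changes entry which ones remain open and what blocks them.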
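Review bot: _service selects the source by tag name (revision v1.93.0), and the only record of what that tag resolved to is the commit line in matrix-synapse.obsinfo (88ba67eb91215a708f321e16559fe3c2c0d0a407). A tag name is a movable reference, so before accepting the request, check that this commit is the one the upstream v1.93.0 release tag points to. The edit to the commented-out block (v1.92.0rc1 to v1.94.0rc1) changes nothing that is built and could be left out of a security update to keep the diff minimal.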
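Review bot: vendor.tar.zst and the .obscpio archive appear only as "Binary files ... differ" and "differ: char 48, line 1", so nothing inside them can be reviewed from this mail. For the vendored archive in particular, list in the .changes entry what changed in it, or include a diff of the manifest or lock file it was generated from, so that reviewers can see which bundled dependencies moved in this update.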