Skip to content

v1.136.0

Latest
Latest
Compare
Choose a tag to compare
@github-actions github-actions released this 12 Aug 14:26
· 41 commits to develop since this release
v1.136.0
This tag was signed with the committer’s verified signature. The key has expired.
anoadragon453 Andrew Morgan
GPG key ID: 8884880D2EFE5FF4
Expired
Verified
Learn about vigilant mode.
e8c6cb3

Synapse 1.136.0 (2025-08-12)

Note: This release includes the security fixes from 1.135.2 and 1.136.0rc2, detailed below.

Please also check the relevant section in the upgrade notes for the changes to MAS support, metrics labels and the module API which may require your attention when upgrading.

Bugfixes

  • Fix bug introduced in 1.135.2 and 1.136.0rc2 where the Make Room Admin API would not treat a room v12's creator power level as the highest in room. (#18805)

Synapse 1.136.0rc2 (2025-08-11)

This is the Synapse portion of the Matrix coordinated security release. This release includes support for room version 12 which fixes a number of security vulnerabilities, including CVE-2025-49090.

The default room version is not changed. Not all clients will support room version 12 immediately, and not all users will be using the latest version of their clients. Large, public rooms are advised to wait a few weeks before upgrading to room version 12 to allow users throughout the Matrix ecosystem to update their clients.

Note: release 1.135.1 was skipped due to issues discovered during the release process.

Two patched Synapse releases are now available:

  • 1.135.2: stable release comprised of 1.135.0 + security patches
    • Upgrade to this release if you are currently running 1.135.0 or below.
  • 1.136.0rc2: unstable release candidate comprised of 1.136.0rc1 + security patches.
    • Upgrade to this release only if you are on 1.136.0rc1.

Bugfixes

  • Update MSC4293 redaction logic for room v12. (#80)

Internal Changes

  • Add a parameter to upgrade_rooms(..) to allow auto join local users. (#83)

Synapse 1.136.0rc1 (2025-08-05)

Features

  • Add configurable rate limiting for the creation of rooms. (#18514)
  • Add support for MSC4293 - Redact on Kick/Ban. (#18540)
  • When admins enable themselves to see soft-failed events, they will also see if the cause is due to the policy server flagging them as spam via unsigned. (#18585)
  • Add ability to configure forward/outbound proxy via homeserver config instead of environment variables. See http_proxy, https_proxy, no_proxy_hosts. (#18686)
  • Advertise experimental support for MSC4306 (Thread Subscriptions) through /_matrix/clients/versions if enabled. (#18722)
  • Stabilise support for delegating authentication to Matrix Authentication Service. (#18759)
  • Implement the push rules for experimental MSC4306: Thread Subscriptions. (#18762)

Bugfixes

  • Allow return code 403 (allowed by C2S Spec since v1.2) when fetching profiles via federation. (#18696)
  • Register the MSC4306 (Thread Subscriptions) endpoints in the CS API when the experimental feature is enabled. (#18726)
  • Fix a long-standing bug where suspended users could not have server notices sent to them (a 403 was returned to the admin). (#18750)
  • Fix an issue that could cause logcontexts to be lost on rate-limited requests. Found by @realtyem. (#18763)
  • Fix invalidation of storage cache that was broken in 1.135.0. (#18786)

Improved Documentation

  • Minor improvements to README. (#18700)
  • Document that there can be multiple workers handling the receipts stream. (#18760)
  • Improve worker documentation for some device paths. (#18761)

Deprecations and Removals

Internal Changes

  • Add debug logging for HMAC digest verification failures when using the admin API to register users. (#18474)
  • Speed up upgrading a room with large numbers of banned users. (#18574)
  • Fix config documentation generation script on Windows by enforcing UTF-8. (#18580)
  • Refactor cache, background process, Counter, LaterGauge, GaugeBucketCollector, Histogram, and Gauge metrics to be homeserver-scoped. (#18656, #18714, #18715, #18724, #18753, #18725, #18670, #18748, #18751)
  • Reduce database usage in Sliding Sync by not querying for background update completion after the update is known to be complete. (#18718)
  • Improve order of validation and ratelimiting in room creation. (#18723)
  • Bump minimum version bound on Twisted to 21.2.0. (#18727, #18729)
  • Use twisted.internet.testing module in tests instead of deprecated twisted.test.proto_helpers. (#18728)
  • Remove obsolete /send_event replication endpoint. (#18730)
  • Update metrics linting to be able to handle custom metrics. (#18733)
  • Work around twisted.protocols.amp.TooLong error by reducing logging in some tests. (#18736)
  • Prevent "Move labelled issues to correct projects" GitHub Actions workflow from failing when an issue is already on the project board. (#18755)
  • Bump minimum supported Rust version (MSRV) to 1.82.0. Missed in #18553 (released in Synapse 1.134.0). (#18757)
  • Make Clock.sleep(...) return a coroutine, so that mypy can catch places where we don't await on it. (#18772)
  • Update implementation of MSC4306: Thread Subscriptions to include automatic subscription conflict prevention as introduced in later drafts. (#18756)

Updates to locked dependencies

  • Bump gitpython from 3.1.44 to 3.1.45. (#18743)
  • Bump mypy-zope from 1.0.12 to 1.0.13. (#18744)
  • Bump phonenumbers from 9.0.9 to 9.0.10. (#18741)
  • Bump ruff from 0.12.4 to 0.12.5. (#18742)
  • Bump sentry-sdk from 2.32.0 to 2.33.2. (#18745)
  • Bump tokio from 1.46.1 to 1.47.0. (#18740)
  • Bump types-jsonschema from 4.24.0.20250708 to 4.25.0.20250720. (#18703)
  • Bump types-psycopg2 from 2.9.21.20250516 to 2.9.21.20250718. (#18706)

Contributors

realtyem
Assets 18
Loading