From fe3d88b833f76742874642c119b14b788341c905 Mon Sep 17 00:00:00 2001
From: Quentin Gliech <quenting@element.io>
Date: Tue, 3 Dec 2024 11:15:00 +0100
Subject: [PATCH] 1.120.1

---
 CHANGES.md               | 42 ++++++++++++++++++++++++++++++++++++++++
 changelog.d/17970.bugfix |  1 -
 debian/changelog         |  6 ++++++
 pyproject.toml           |  2 +-
 4 files changed, 49 insertions(+), 2 deletions(-)
 delete mode 100644 changelog.d/17970.bugfix

diff --git a/CHANGES.md b/CHANGES.md
index 0caac3f89e..bac2b4c210 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,45 @@
+# Synapse 1.120.1 (2024-12-03)
+
+This patch release fixes multiple security vulnerabilities, some affecting all prior versions of Synapse. Server administrators are encouraged to update Synapse as soon as possible. We are not aware of these vulnerabilities being exploited in the wild.
+
+Administrators who are unable to update Synapse may use the workarounds described in the linked GitHub Security Advisory below.
+
+### Security advisory
+
+The following issues are fixed in 1.120.1.
+
+- [GHSA-rfq8-j7rh-8hf2](https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2) / [CVE-2024-52805](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52805): **Unsupported content types can lead to memory exhaustion**
+
+  Synapse instances which have a high `max_upload_size` and which don't have a reverse proxy in front of them that would otherwise limit upload size are affected.
+
+  Fixed by [4b7154c58501b4bf5e1c2d6c11ebef96529f2fdf](https://github.com/element-hq/synapse/commit/4b7154c58501b4bf5e1c2d6c11ebef96529f2fdf).
+
+- [GHSA-f3r3-h2mq-hx2h](https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h) / [CVE-2024-52815](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52815): **Malicious invites via federation can break a user's sync**
+
+  Fixed by [d82e1ed357b7ee21dff83d06cba7a67840cfd464](https://github.com/element-hq/synapse/commit/d82e1ed357b7ee21dff83d06cba7a67840cfd464).
+
+- [GHSA-vp6v-whfm-rv3g](https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g) / [CVE-2024-53863](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53863): **Synapse can be forced to thumbnail unexpected file formats, invoking potentially untrustworthy decoders**
+
+  Synapse instances can disable dynamic thumbnailing by setting `dynamic_thumbnails` to `false` in the configuration file.
+
+  Fixed by [b64a4e5fbbbf119b6c65aedf0d999b4237d55503](https://github.com/element-hq/synapse/commit/b64a4e5fbbbf119b6c65aedf0d999b4237d55503).
+
+- [GHSA-56w4-5538-8v8h](https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h) / [CVE-2024-53867](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53867): **The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room**
+
+  Non-state events, like messages, are unaffected.
+
+  Synapse instances can disable the Sliding Sync feature by setting `experimental_features.msc3575_enabled` to `false` in the configuration file.
+
+  Fixed by [4daa533e82f345ce87b9495d31781af570ba3ead](https://github.com/element-hq/synapse/commit/4daa533e82f345ce87b9495d31781af570ba3ead).
+
+See the advisories for more details. If you have any questions, email [security at element.io](mailto:security@element.io).
+
+### Bugfixes
+
+- Fix release process to not create duplicate releases. ([\#17970](https://github.com/element-hq/synapse/issues/17970))
+
+
+
 # Synapse 1.120.0 (2024-11-26)
 
 ### Bugfixes
diff --git a/changelog.d/17970.bugfix b/changelog.d/17970.bugfix
deleted file mode 100644
index 835079de3f..0000000000
--- a/changelog.d/17970.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Fix release process to not create duplicate releases.
diff --git a/debian/changelog b/debian/changelog
index bd4466d7aa..936447b8b6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+matrix-synapse-py3 (1.120.1) stable; urgency=medium
+
+  * New synapse release 1.120.1.
+
+ -- Synapse Packaging team <packages@matrix.org>  Tue, 03 Dec 2024 09:07:57 +0000
+
 matrix-synapse-py3 (1.120.0) stable; urgency=medium
 
   * New synapse release 1.120.0.
diff --git a/pyproject.toml b/pyproject.toml
index 5fd1d7c198..f838d4d7be 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -97,7 +97,7 @@ module-name = "synapse.synapse_rust"
 
 [tool.poetry]
 name = "matrix-synapse"
-version = "1.120.0"
+version = "1.120.1"
 description = "Homeserver for the Matrix decentralised comms protocol"
 authors = ["Matrix.org Team and Contributors <packages@matrix.org>"]
 license = "AGPL-3.0-or-later"