+++
title = "Synapse: Disclosing CVE-2020-26890"
date = "2020-11-23T14:59:25Z"
path = "/blog/2020/11/23/synapse-disclosing-cve-2020-26890"
[taxonomies]
author = ["Dan Callahan"]
category = ["Security"]
+++
Today we are disclosing [CVE-2020-26890](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26890) / [GHSA-4mp3-385r-v63f](https://github.com/matrix-org/synapse/security/advisories/GHSA-4mp3-385r-v63f), a denial-of-service vulnerability affecting Synapse versions prior to 1.20.0. We strongly encourage all Synapse admins to upgrade as soon as possible. If you have not upgraded in a while, please refer to the [upgrade notes](https://github.com/matrix-org/synapse/blob/master/UPGRADE.rst), especially the latter portion of that document, which covers any backwards-incompatible changes you may need to take into consideration.

As a best practice, we encourage Synapse admins to upgrade regularly, and either [subscribe on GitHub](https://github.com/matrix-org/synapse/releases/) or join [#homeowners:matrix.org](https://matrix.to/#/#homeowners:matrix.org) for low-traffic notifications of new releases.

We extend our thanks to Denis Kasak for reporting this issue, earning a second entry in the Matrix Security [Hall of Fame](/security-disclosure-policy).