Hello,
Here is an update for net/synapse 1.152.1
Tested on amd64 and arm64
Security Fixes
- Prevent CPU starvation (denial of service) under worker lock contention,
and additionally cap the WorkerLock timeout interval at a maximum of 60
seconds. Contributed by Famedly. (#19394, ELEMENTSEC-2026-1706,
GHSA-8q93-326v-3m7g, CVE pending)
- Prevent pagination ending when a page is full of rejected events.
(ELEMENTSEC-2025-1636, GHSA-6qf2-7x63-mm6v, CVE pending)
Backport to 7.8 is tested and works
make test as usual
skips=423, failures=3, successes=4239
Best Regards
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/synapse/Makefile,v
diff -u -p -r1.119 Makefile
--- Makefile 8 Apr 2026 06:14:28 -0000 1.119
+++ Makefile 8 May 2026 06:11:04 -0000
@@ -1,6 +1,6 @@
COMMENT = open network for secure, decentralized communication
-MODPY_DISTV = 1.151.0
+MODPY_DISTV = 1.152.1
GH_ACCOUNT = element-hq
GH_PROJECT = synapse
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/synapse/distinfo,v
diff -u -p -r1.90 distinfo
--- distinfo 8 Apr 2026 06:14:28 -0000 1.90
+++ distinfo 8 May 2026 06:11:04 -0000
@@ -106,6 +106,7 @@ SHA256 (cargo/regex-syntax-0.8.5.tar.gz)
SHA256 (cargo/reqwest-0.12.28.tar.gz) =
7d08pVkgMYCjB/EtEUwmir9YP1mwPLkG/Qs/+GRsEUc=
SHA256 (cargo/ring-0.17.14.tar.gz) =
pGiebCKU2B6I3GJhx2i2O8T824Ur5tE1JJixFPYTg7c=
SHA256 (cargo/rustc-hash-2.1.1.tar.gz) =
NXcD1BNltLJ8WQ4+2R6rsbZj8HxMCECV5gy+1DYt/w0=
+SHA256 (cargo/rustc_version-0.4.1.tar.gz) =
z8s6Iu9G6FtF3m7n550GMxnrtllPqvzxwiXqkqtum5I=
SHA256 (cargo/rustls-0.23.31.tar.gz) =
wOvL0vA94PwRIq2bsksSelps1R1yYEo/PFCsRZditsw=
SHA256 (cargo/rustls-native-certs-0.8.1.tar.gz) =
f8/y3VK1io2YpwJDZjoNI0xOK3kjVjeEnRWRM5SiR9M=
SHA256 (cargo/rustls-pki-types-1.12.0.tar.gz) =
IppKTCIQE+fh8aBDZ4xcw5/lFxQ3yI+0cVGiHm9bXHk=
@@ -115,6 +116,7 @@ SHA256 (cargo/ryu-1.0.20.tar.gz) = KNOys
SHA256 (cargo/schannel-0.1.27.tar.gz) =
HynrqjRflFzsn7vFMuswfw/a2BYfKBtjaVOcjYSHaz0=
SHA256 (cargo/security-framework-3.2.0.tar.gz) =
JxcgQD9GygT3um9V1Dj4vYeNa4ygoQRugijEFFvLsxY=
SHA256 (cargo/security-framework-sys-2.14.0.tar.gz) =
SdsjHVahkEkctK7alSfxrUU0WvULCFFiKnrbjAOwHDI=
+SHA256 (cargo/semver-1.0.27.tar.gz) =
12frCqvIgLKZVsNXNBcPJu1VGoWdvTYdFAzb7KYaseI=
SHA256 (cargo/serde-1.0.228.tar.gz) =
mo6U6n83i9Msu9NxmKSpFDYYDFu0ckEeSLXsLiEkrp4=
SHA256 (cargo/serde_core-1.0.228.tar.gz) =
QdOFx9TKWOWfxzKvJcOYO2eshSwaJQAK/hF13kWLZ60=
SHA256 (cargo/serde_derive-1.0.228.tar.gz) =
1UDyINMYcXPaIg+IWrZmCDZ7ZXTpJQEak1Pkut2pHXk=
@@ -194,7 +196,7 @@ SHA256 (cargo/zerotrie-0.2.2.tar.gz) = N
SHA256 (cargo/zerovec-0.11.2.tar.gz) =
SgXrCA4BW6OcyeI7vl5/sE1fsEA1D5nzTjONX90pRCg=
SHA256 (cargo/zerovec-derive-0.11.1.tar.gz) =
W5YjfvoMh4xkvYnENvZhvk5GsvPv8eu5dvfvIyHS9Y8=
SHA256 (cargo/zmij-1.0.19.tar.gz) =
P/BfjKqQOIlGN1ca5rnilGbB9Pgp0mybKPhpopy+NEU=
-SHA256 (synapse-1.151.0.tar.gz) = r9iWYYeJVRGhzV/VrcR3yOvpAOj9XdXhAq/R9HpnNto=
+SHA256 (synapse-1.152.1.tar.gz) = LE1oe9tZsVOYgsSgpT0q2lcDprv+VD2zxF38daf6/78=
SIZE (cargo/aho-corasick-1.1.3.tar.gz) = 183311
SIZE (cargo/anyhow-1.0.102.tar.gz) = 48658
SIZE (cargo/arc-swap-1.7.1.tar.gz) = 68512
@@ -303,6 +305,7 @@ SIZE (cargo/regex-syntax-0.8.5.tar.gz) =
SIZE (cargo/reqwest-0.12.28.tar.gz) = 157031
SIZE (cargo/ring-0.17.14.tar.gz) = 1502610
SIZE (cargo/rustc-hash-2.1.1.tar.gz) = 14154
+SIZE (cargo/rustc_version-0.4.1.tar.gz) = 12245
SIZE (cargo/rustls-0.23.31.tar.gz) = 371259
SIZE (cargo/rustls-native-certs-0.8.1.tar.gz) = 31129
SIZE (cargo/rustls-pki-types-1.12.0.tar.gz) = 64740
@@ -312,6 +315,7 @@ SIZE (cargo/ryu-1.0.20.tar.gz) = 48738
SIZE (cargo/schannel-0.1.27.tar.gz) = 42772
SIZE (cargo/security-framework-3.2.0.tar.gz) = 86095
SIZE (cargo/security-framework-sys-2.14.0.tar.gz) = 20537
+SIZE (cargo/semver-1.0.27.tar.gz) = 30081
SIZE (cargo/serde-1.0.228.tar.gz) = 83652
SIZE (cargo/serde_core-1.0.228.tar.gz) = 63111
SIZE (cargo/serde_derive-1.0.228.tar.gz) = 59605
@@ -391,4 +395,4 @@ SIZE (cargo/zerotrie-0.2.2.tar.gz) = 744
SIZE (cargo/zerovec-0.11.2.tar.gz) = 124500
SIZE (cargo/zerovec-derive-0.11.1.tar.gz) = 21294
SIZE (cargo/zmij-1.0.19.tar.gz) = 23948
-SIZE (synapse-1.151.0.tar.gz) = 9307465
+SIZE (synapse-1.152.1.tar.gz) = 9356251
Index: modules.inc
===================================================================
RCS file: /cvs/ports/net/synapse/modules.inc,v
diff -u -p -r1.53 modules.inc
--- modules.inc 8 Apr 2026 06:14:28 -0000 1.53
+++ modules.inc 8 May 2026 06:11:04 -0000
@@ -106,6 +106,7 @@ MODCARGO_CRATES += regex-syntax 0.8.5 #
MODCARGO_CRATES += reqwest 0.12.28 # MIT OR Apache-2.0
MODCARGO_CRATES += ring 0.17.14 # Apache-2.0 AND ISC
MODCARGO_CRATES += rustc-hash 2.1.1 # Apache-2.0 OR MIT
+MODCARGO_CRATES += rustc_version 0.4.1 # MIT OR Apache-2.0
MODCARGO_CRATES += rustls 0.23.31 # Apache-2.0 OR ISC OR MIT
MODCARGO_CRATES += rustls-native-certs 0.8.1 # Apache-2.0 OR ISC OR
MIT
MODCARGO_CRATES += rustls-pki-types 1.12.0 # MIT OR Apache-2.0
@@ -115,6 +116,7 @@ MODCARGO_CRATES += ryu 1.0.20 # Apache-2
MODCARGO_CRATES += schannel 0.1.27 # MIT
MODCARGO_CRATES += security-framework 3.2.0 # MIT OR Apache-2.0
MODCARGO_CRATES += security-framework-sys 2.14.0 # MIT OR Apache-2.0
+MODCARGO_CRATES += semver 1.0.27 # MIT OR Apache-2.0
MODCARGO_CRATES += serde 1.0.228 # MIT OR Apache-2.0
MODCARGO_CRATES += serde_core 1.0.228 # MIT OR Apache-2.0
MODCARGO_CRATES += serde_derive 1.0.228 # MIT OR Apache-2.0
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/net/synapse/pkg/PLIST,v
diff -u -p -r1.76 PLIST
--- pkg/PLIST 8 Apr 2026 06:14:28 -0000 1.76
+++ pkg/PLIST 8 May 2026 06:11:04 -0000
@@ -1007,6 +1007,8 @@ lib/python${MODPY_VERSION}/site-packages
lib/python${MODPY_VERSION}/site-packages/synapse/rest/admin/${MODPY_PYCACHE}server_notice_servlet.${MODPY_PYC_MAGIC_TAG}pyc
lib/python${MODPY_VERSION}/site-packages/synapse/rest/admin/${MODPY_PYCACHE}statistics.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
lib/python${MODPY_VERSION}/site-packages/synapse/rest/admin/${MODPY_PYCACHE}statistics.${MODPY_PYC_MAGIC_TAG}pyc
+lib/python${MODPY_VERSION}/site-packages/synapse/rest/admin/${MODPY_PYCACHE}user_reports.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
+lib/python${MODPY_VERSION}/site-packages/synapse/rest/admin/${MODPY_PYCACHE}user_reports.${MODPY_PYC_MAGIC_TAG}pyc
lib/python${MODPY_VERSION}/site-packages/synapse/rest/admin/${MODPY_PYCACHE}username_available.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
lib/python${MODPY_VERSION}/site-packages/synapse/rest/admin/${MODPY_PYCACHE}username_available.${MODPY_PYC_MAGIC_TAG}pyc
lib/python${MODPY_VERSION}/site-packages/synapse/rest/admin/${MODPY_PYCACHE}users.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION}
@@ -1024,6 +1026,7 @@ lib/python${MODPY_VERSION}/site-packages
lib/python${MODPY_VERSION}/site-packages/synapse/rest/admin/scheduled_tasks.py
lib/python${MODPY_VERSION}/site-packages/synapse/rest/admin/server_notice_servlet.py
lib/python${MODPY_VERSION}/site-packages/synapse/rest/admin/statistics.py
+lib/python${MODPY_VERSION}/site-packages/synapse/rest/admin/user_reports.py
lib/python${MODPY_VERSION}/site-packages/synapse/rest/admin/username_available.py
lib/python${MODPY_VERSION}/site-packages/synapse/rest/admin/users.py
lib/python${MODPY_VERSION}/site-packages/synapse/rest/client/
@@ -2228,6 +2231,11 @@ lib/python${MODPY_VERSION}/site-packages
lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/94/
lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/94/01_redactions_recheck.sql
lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/94/02_redactions_recheck_bg_update.sql
+lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/94/03_device_lists_room_timestamp.sql
+lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/94/03_quarantined_media_tracking.sql
+lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/94/03_quarantined_media_tracking_seq.sql.postgres
+lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/94/03_state_dag_fwd_extrems.sql
+lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/delta/94/04_device_lists_changes_max_pruned.sql
lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/full_schemas/
lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/full_schemas/72/
lib/python${MODPY_VERSION}/site-packages/synapse/storage/schema/main/full_schemas/72/full.sql.postgres