Matrix developers report:
The matrix team releases Synapse 1.2.1 as a critical security update. It contains patches relating to redactions and event federation:
Prevent an attack where a federated server could send redactions for arbitrary events in v1 and v2 rooms.
Prevent a denial-of-service attack where cycles of redaction events would make Synapse spin infinitely.
Prevent an attack where users could be joined or parted from public rooms without their consent.
Fix a vulnerability where a federated server could spoof read-receipts from users on other servers.
It was possible for a room moderator to send a redaction for an m.room.create event, which would downgrade the room to version 1.
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center