Matrix developers report:
The Matrix team releases Synapse 1.2.1 as a critical security update. It contains patches relating to redactions and event federation:
- Prevent an attack where a federated server could send redactions for arbitrary events in v1 and v2 rooms.
- Prevent a denial-of-service attack where cycles of redaction events would make Synapse spin infinitely.
- Prevent an attack where users could be joined or parted from public rooms without their consent.
- Fix a vulnerability where a federated server could spoof read-receipts from users on other servers.
- It was possible for a room moderator to send a redaction for an m.room.create event, which would downgrade the room to version 1.