Merge commit '9b8a53c7b' into anoa/dinsic_release_1_21_x

anoadragon453 · anoadragon453 · commit 91ce65f05ded · 2020-10-21T15:13:07.000+01:00
* commit '9b8a53c7b':
  Additional tweaks.
  Clarify authlib changes.
  Fix typo.
  Add additional release notes.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,10 +1,25 @@
 Synapse 1.21.2 (2020-10-15)
 ===========================
 
+Debian packages and Docker images have been rebuilt using the latest versions of dependency libraries, including authlib 0.15.1. Please see bugfixes below.
+
+Security advisory
+-----------------
+
+* HTML pages served via Synapse were vulnerable to cross-site scripting (XSS)
+  attacks. All server administrators are encouraged to upgrade.
+  ([\#8444](https://github.com/matrix-org/synapse/pull/8444))
+  ([CVE-2020-26891](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26891))
+
+  This fix was originally included in v1.21.0 but was missing a security advisory.
+
+  This was reported by [Denis Kasak](https://github.com/dkasak).
+
 Bugfixes
 --------
 
 - Fix rare bug where sending an event would fail due to a racey assertion. ([\#8530](https://github.com/matrix-org/synapse/issues/8530))
+- An updated version of the authlib dependency is included in the Docker and Debian images to fix an issue using OpenID Connect. See [\#8534](https://github.com/matrix-org/synapse/issues/8534) for details.
 
 
 Synapse 1.21.1 (2020-10-13)
