[net/mail: excessive CPU consumption in ParseAddress]

[net/textproto: excessive CPU consumption in Reader.ReadResponse]

[encoding/pem: quadratic complexity when parsing some invalid inputs]

A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.

Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.

[Insert sticky header labels as text instead of HTML]

[Sanitize attributes unwrapped from data-ve-attributes]

[Properly escape and parse system messages]

[Exclude deleted entries when counting thanks]

[Add authorizeRead check for extracts endpoint]

[In API check user read permissions before showing PageInfo]

[Prevent leaking hidden usernames in Watchlist/RecentChanges]

[Fix i18n XSS in CodexTablePager]

[Don't send suppressed recent changes to RCFeeds]

[Escape submit button label for Codex-based HTMLForms]

[api: Disable maxsize in QueryAllPages in miser mode]

[Parse messages instead of inserting them as HTML]

[Use ManualLogEntry::getDeleted in ::getRecentChange]

[Sanitize data- attributes]

[Escape three system messages used by live preview]