From 27d01a431f4652b78b5a8c5e4e8f6898e475648c Mon Sep 17 00:00:00 2001
From: Package Updates <package-updates@cloudron.io>
Date: Tue, 7 Oct 2025 16:56:40 +0000
Subject: [PATCH] Update package version to 1.120.1

---
 CHANGELOG.md          | 6 ++++++
 CloudronManifest.json | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a859765..9395c35 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1469,3 +1469,9 @@
 * [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.139.0)
 * /register requests from old application service implementations may break when using MAS
 
+[1.120.1]
+* Update synapse to 1.139.1
+* [Full Changelog](https://github.com/element-hq/synapse/releases/tag/v1.139.1)
+* Fix [CVE-2025-61672](https://www.cve.org/CVERecord?id=CVE-2025-61672) / [GHSA-fh66-fcv5-jjfr](https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr). Lack of validation for device keys in Synapse before 1.139.1 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. ([#17097](https://github.com/element-hq/synapse/issues/17097))
+* Drop support for unstable field names from the long-accepted [MSC2732](https://github.com/matrix-org/matrix-spec-proposals/pull/2732) (Olm fallback keys) proposal. This change allows unit tests to pass following the security patch above. ([#18996](https://github.com/element-hq/synapse/issues/18996))
+
diff --git a/CloudronManifest.json b/CloudronManifest.json
index 683cef3..4826d27 100644
--- a/CloudronManifest.json
+++ b/CloudronManifest.json
@@ -5,7 +5,7 @@
   "description": "file://DESCRIPTION.md",
   "changelog": "file://CHANGELOG.md",
   "tagline": "Secure & decentralized communication",
-  "version": "1.120.0",
+  "version": "1.120.1",
   "upstreamVersion": "1.139.1",
   "healthCheckPath": "/",
   "httpPort": 8008,