From 76b012c3f5a1d51294dabcabde31e5dce94dddf8 Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Tue, 7 Oct 2025 11:58:08 +0100
Subject: [PATCH] 1.139.1
---
CHANGES.md | 12 ++++++++++++
changelog.d/17097.misc | 1 -
changelog.d/18996.removal | 1 -
debian/changelog | 6 ++++++
pyproject.toml | 2 +-
5 files changed, 19 insertions(+), 3 deletions(-)
delete mode 100644 changelog.d/17097.misc
delete mode 100644 changelog.d/18996.removal
diff --git a/CHANGES.md b/CHANGES.md
index e8b04c419c..b9c5eb01b0 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,15 @@
+# Synapse 1.139.1 (2025-10-07)
+
+## Security Fixes
+
+- Fix [CVE-2025-61672](https://www.cve.org/CVERecord?id=CVE-2025-61672) / [GHSA-fh66-fcv5-jjfr](https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr). Lack of validation for device keys in Synapse before 1.139.1 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. ([\#17097](https://github.com/element-hq/synapse/issues/17097))
+
+## Deprecations and Removals
+
+- Drop support for unstable field names from the long-accepted [MSC2732](https://github.com/matrix-org/matrix-spec-proposals/pull/2732) (Olm fallback keys) proposal. This change allows unit tests to pass following the security patch above. ([\#18996](https://github.com/element-hq/synapse/issues/18996))
+
+
+
 # Synapse 1.139.0 (2025-09-30)
 ### `/register` requests from old application service implementations may break when using MAS
diff --git a/changelog.d/17097.misc b/changelog.d/17097.misc
deleted file mode 100644
index 42792e5f38..0000000000
--- a/changelog.d/17097.misc
+++ /dev/null
@@ -1 +0,0 @@
-Extend validation of uploaded device keys.
\ No newline at end of file
diff --git a/changelog.d/18996.removal b/changelog.d/18996.removal
deleted file mode 100644
index fa06fcc929..0000000000
--- a/changelog.d/18996.removal
+++ /dev/null
@@ -1 +0,0 @@
-Drop support for unstable field names from the long-accepted [MSC2732](https://github.com/matrix-org/matrix-spec-proposals/pull/2732) (Olm fallback keys) proposal.
\ No newline at end of file
diff --git a/debian/changelog b/debian/changelog
index f3a2314dca..5d7ed231c0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+matrix-synapse-py3 (1.139.1) stable; urgency=medium
+
+ * New Synapse release 1.139.1.
+
+ -- Synapse Packaging team Tue, 07 Oct 2025 11:46:51 +0100
+
 matrix-synapse-py3 (1.139.0) stable; urgency=medium
 * New Synapse release 1.139.0.
diff --git a/pyproject.toml b/pyproject.toml
index 0f886a6b6a..93a8abc5f5 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -101,7 +101,7 @@ module-name = "synapse.synapse_rust"
 [tool.poetry]
 name = "matrix-synapse"
-version = "1.139.0"
+version = "1.139.1"
 description = "Homeserver for the Matrix decentralised comms protocol"
 authors = ["Matrix.org Team and Contributors "]
 license = "AGPL-3.0-or-later"