diff --git a/changelogs/application_service/newsfragments/2330.clarification b/changelogs/application_service/newsfragments/2330.clarification
new file mode 100644
index 00000000..3ccb2333
--- /dev/null
+++ b/changelogs/application_service/newsfragments/2330.clarification
@@ -0,0 +1 @@
+Fix various typos throughout the specification.
diff --git a/changelogs/client_server/newsfragments/2315.feature b/changelogs/client_server/newsfragments/2315.feature
new file mode 100644
index 00000000..77fecc1d
--- /dev/null
+++ b/changelogs/client_server/newsfragments/2315.feature
@@ -0,0 +1 @@
+Add `M_USER_LIMIT_EXCEEDED` common error code, as per [MSC4335](https://github.com/matrix-org/matrix-spec-proposals/pull/4335).
diff --git a/changelogs/client_server/newsfragments/2328.feature b/changelogs/client_server/newsfragments/2328.feature
new file mode 100644
index 00000000..978a08f1
--- /dev/null
+++ b/changelogs/client_server/newsfragments/2328.feature
@@ -0,0 +1 @@
+Add the `is_animated` flag to the `info` object of the `m.image` msgtype and the `m.sticker` event, as per [MSC4230](https://github.com/matrix-org/matrix-spec-proposals/pull/4230).
diff --git a/changelogs/client_server/newsfragments/2337.clarification b/changelogs/client_server/newsfragments/2337.clarification
new file mode 100644
index 00000000..3ccb2333
--- /dev/null
+++ b/changelogs/client_server/newsfragments/2337.clarification
@@ -0,0 +1 @@
+Fix various typos throughout the specification.
diff --git a/changelogs/client_server/newsfragments/2338.feature b/changelogs/client_server/newsfragments/2338.feature
new file mode 100644
index 00000000..978a08f1
--- /dev/null
+++ b/changelogs/client_server/newsfragments/2338.feature
@@ -0,0 +1 @@
+Add the `is_animated` flag to the `info` object of the `m.image` msgtype and the `m.sticker` event, as per [MSC4230](https://github.com/matrix-org/matrix-spec-proposals/pull/4230).
diff --git a/changelogs/server_server/newsfragments/2329.clarification b/changelogs/server_server/newsfragments/2329.clarification
new file mode 100644
index 00000000..f3008f40
--- /dev/null
+++ b/changelogs/server_server/newsfragments/2329.clarification
@@ -0,0 +1 @@
+Add link to JSON signing algorithm in server-server auth section for clarity. Contributed by @thetayloredman.
diff --git a/changelogs/server_server/newsfragments/2338.clarification b/changelogs/server_server/newsfragments/2338.clarification
new file mode 100644
index 00000000..3ccb2333
--- /dev/null
+++ b/changelogs/server_server/newsfragments/2338.clarification
@@ -0,0 +1 @@
+Fix various typos throughout the specification.
diff --git a/content/application-service-api.md b/content/application-service-api.md
index d1b9c638..dab24133 100644
--- a/content/application-service-api.md
+++ b/content/application-service-api.md
@@ -84,7 +84,7 @@ For the `users` namespace, application services can only register interest in
 homeserver). Events affecting users on other homeservers are not sent to an application
 service, even if the user happens to match the one of the `users` namespaces (unless,
 of course, the event affects a room that the application service is interested in
-for another room - for example, because there is another user in the room that the
+for another reason - for example, because there is another user in the room that the
 application service is interested in).
 
 For the `rooms` and `aliases` namespaces, all events in a matching room will be
diff --git a/content/client-server-api/_index.md b/content/client-server-api/_index.md
index c1c4a1f4..51441a4c 100644
--- a/content/client-server-api/_index.md
+++ b/content/client-server-api/_index.md
@@ -147,6 +147,37 @@ state (e.g.: sending messages, account data, etc) and not routes which
 only read state (e.g.: [`/sync`](#get_matrixclientv3sync),
 [`/user/{userId}/account_data/{type}`](#get_matrixclientv3useruseridaccount_datatype), etc).
 
+`M_USER_LIMIT_EXCEEDED`
+: {{% added-in v="1.18" %}} The request cannot be completed because the user has
+exceeded (or the request would cause them to exceed) a limit associated with
+their account. For example, a user may have reached their allocated storage
+quota, reached a maximum number of allowed rooms, devices, or other
+account-scoped resources, or exceeded usage limits for specific features.
+
+: The error response MUST have an `info_uri` field (string), which is a URI
+that the client can present to the user to provide more context on the
+encountered limit and, if applicable, guidance on how to increase the limit.
+The homeserver MAY return different values for `info_uri` depending on the type
+of limit reached.
+
+: The error response MAY include a `can_upgrade` field (boolean, default `false`).
+If `true`, it indicates that the specific limit encountered can be increased,
+for example by upgrading the user's account tier. If absent or `false`, the
+limit is a hard limit that cannot be increased.
+
+: The HTTP status code will depend on depend on the particular endpoint.
+
+: Example response:
+
+  ```json
+  {
+    "errcode": "M_USER_LIMIT_EXCEEDED",
+    "error": "You have exceeded your storage quota of 10GB",
+    "info_uri": "https://example.com/homeserver/about?limit_type=quota",
+    "can_upgrade": true
+  }
+  ```
+
 `M_UNKNOWN`
 : An unknown error has occurred.
 
diff --git a/content/client-server-api/modules/end_to_end_encryption.md b/content/client-server-api/modules/end_to_end_encryption.md
index 57bef790..1c3a82da 100644
--- a/content/client-server-api/modules/end_to_end_encryption.md
+++ b/content/client-server-api/modules/end_to_end_encryption.md
@@ -637,7 +637,7 @@ request.
 
 The prompt for Bob to accept/reject Alice's request (or the unsupported method
 prompt) should be automatically dismissed 10 minutes after the `timestamp` (in
-the case of to-device messages) or `origin_ts` (in the case of in-room
+the case of to-device messages) or `origin_server_ts` (in the case of in-room
 messages) field or 2 minutes after Bob's client receives the message, whichever
 comes first, if Bob does not interact with the prompt. The prompt should
 additionally be hidden if an appropriate `m.key.verification.cancel` message is
diff --git a/content/server-server-api.md b/content/server-server-api.md
index bc393ae9..50104ed5 100644
--- a/content/server-server-api.md
+++ b/content/server-server-api.md
@@ -277,12 +277,12 @@ queried from multiple servers to mitigate against DNS spoofing.
 
 Every HTTP request made by a homeserver is authenticated using public
 key digital signatures. The request method, target and body are signed
-by wrapping them in a JSON object and signing it using the JSON signing
-algorithm. The resulting signatures are added as an Authorization header
-with an auth scheme of `X-Matrix`. Note that the target field should
-include the full path starting with `/_matrix/...`, including the `?`
-and any query parameters if present, but should not include the leading
-`https:`, nor the destination server's hostname.
+by wrapping them in a JSON object and signing it using the [JSON signing
+algorithm](/appendices#signing-json). The resulting signatures are added
+as an Authorization header with an auth scheme of `X-Matrix`. Note that
+the target field should include the full path starting with `/_matrix/...`,
+including the `?` and any query parameters if present, but should not
+include the leading `https:`, nor the destination server's hostname.
 
 Step 1 sign JSON:
 
diff --git a/data/event-schemas/examples/m.room.message$m.image.yaml b/data/event-schemas/examples/m.room.message$m.image.yaml
index a0e38c82..3a9cd0bc 100644
--- a/data/event-schemas/examples/m.room.message$m.image.yaml
+++ b/data/event-schemas/examples/m.room.message$m.image.yaml
@@ -7,7 +7,8 @@
         "h": 398,
         "w": 394,
         "mimetype": "image/jpeg",
-        "size": 31037
+        "size": 31037,
+        "is_animated": false
     },
     "url": "mxc://example.org/JWEIFJgwEIhweiWJE",
     "msgtype": "m.image"
diff --git a/data/event-schemas/examples/m.sticker.yaml b/data/event-schemas/examples/m.sticker.yaml
index 971cdc90..c06d8c08 100644
--- a/data/event-schemas/examples/m.sticker.yaml
+++ b/data/event-schemas/examples/m.sticker.yaml
@@ -9,7 +9,8 @@
         "mimetype": "image/png",
         "h": 200,
         "w": 140,
-        "size": 73602
+        "size": 73602,
+        "is_animated": true
       },
       "h": 200,
       "thumbnail_url": "mxc://matrix.org/sHhqkFCvSkFwtmvtETOtKnLP",
diff --git a/data/event-schemas/schema/core-event-schema/msgtype_infos/image_info.yaml b/data/event-schemas/schema/core-event-schema/msgtype_infos/image_info.yaml
index 4460cdee..90a3331c 100644
--- a/data/event-schemas/schema/core-event-schema/msgtype_infos/image_info.yaml
+++ b/data/event-schemas/schema/core-event-schema/msgtype_infos/image_info.yaml
@@ -34,5 +34,19 @@ properties:
     allOf:
       - $ref: thumbnail_info.yaml
     description: Metadata about the image referred to in `thumbnail_url`.
+  is_animated:
+    x-addedInMatrixVersion: "1.18"
+    description: |-
+      If this flag is `true`, the original image SHOULD be assumed to be
+      animated. If this flag is `false`, the original image SHOULD be assumed to
+      NOT be animated.
+
+      If a sending client is unable to determine whether an image is animated,
+      it SHOULD leave the flag unset.
+
+      Receiving clients MAY use this flag to optimize whether to download the
+      original image rather than a thumbnail if it is animated, but they SHOULD
+      NOT trust this flag.
+    type: boolean
 title: ImageInfo
 type: object