GNU bug report logs -
#47627
syncthing package is vulnerable to CVE-2021-21404
Previous Next
Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>
Date: Tue, 6 Apr 2021 22:41:02 UTC
Severity: normal
Tags: security
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
CVE-2021-21404 06.04.21 22:15
Syncthing is a continuous file synchronization program. In Syncthing
before version 1.15.0, the relay server `strelaysrv` can be caused to
crash and exit by sending a relay message with a negative length field.
Similarly, Syncthing itself can crash for the same reason if given a
malformed message from a malicious relay server when attempting to join
the relay. Relay joins are essentially random (from a subset of low
latency relays) and Syncthing will by default restart when crashing, at
which point it's likely to pick another non-malicious relay. This flaw
is fixed in version 1.15.0.
We still ship 1.5.0, we crucially need to update that *very* useful
networked daemon package. With the new go importer maybe that's easier.
Also work in the go build system needs to happen IIRC.
Previous discussion about updating syncthing:
https://issues.guix.gnu.org/45476
Léo
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 4 years and 42 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.