cvelistv5 - CVE-2021-21404

CVE-2021-21404 (GCVE-0-2021-21404)

Vulnerability from cvelistv5

Published

2021-04-06 20:00

Modified

2024-08-03 18:09

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-20 - Improper Input Validation

Summary

Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it's likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.

References

URL	Tags
security-advisories@github.com	https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/syncthing/syncthing/releases/tag/v1.15.0	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h	Third Party Advisory
security-advisories@github.com	https://pkg.go.dev/github.com/syncthing/syncthing	Product, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/syncthing/syncthing/releases/tag/v1.15.0	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://pkg.go.dev/github.com/syncthing/syncthing	Product, Third Party Advisory

Impacted products

	Vendor	Product	Version
	syncthing	syncthing	Version: < 1.15.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:09:16.158Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/github.com/syncthing/syncthing"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/syncthing/syncthing/releases/tag/v1.15.0"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "syncthing",
          "vendor": "syncthing",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.15.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it\u0027s likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-06T20:00:15",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://pkg.go.dev/github.com/syncthing/syncthing"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/syncthing/syncthing/releases/tag/v1.15.0"
        }
      ],
      "source": {
        "advisory": "GHSA-x462-89pf-6r5h",
        "discovery": "UNKNOWN"
      },
      "title": "Crash due to malformed relay protocol message",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21404",
          "STATE": "PUBLIC",
          "TITLE": "Crash due to malformed relay protocol message"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "syncthing",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.15.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "syncthing"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it\u0027s likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20 Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h",
              "refsource": "CONFIRM",
              "url": "https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h"
            },
            {
              "name": "https://pkg.go.dev/github.com/syncthing/syncthing",
              "refsource": "MISC",
              "url": "https://pkg.go.dev/github.com/syncthing/syncthing"
            },
            {
              "name": "https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97",
              "refsource": "MISC",
              "url": "https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97"
            },
            {
              "name": "https://github.com/syncthing/syncthing/releases/tag/v1.15.0",
              "refsource": "MISC",
              "url": "https://github.com/syncthing/syncthing/releases/tag/v1.15.0"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-x462-89pf-6r5h",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-21404",
    "datePublished": "2021-04-06T20:00:15",
    "dateReserved": "2020-12-22T00:00:00",
    "dateUpdated": "2024-08-03T18:09:16.158Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-21404\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-04-06T20:15:13.490\",\"lastModified\":\"2024-11-21T05:48:17.280\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it\u0027s likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.\"},{\"lang\":\"es\",\"value\":\"Syncthing es un programa de sincronizaci\u00f3n de archivos continua.\u0026#xa0;En Syncthing versiones anteriores a 1.15.0, el servidor de retransmisi\u00f3n \\\"strelaysrv\\\" puede causar un bloqueo y salida mediante el env\u00edo de un mensaje de retransmisi\u00f3n con un campo de longitud negativa.\u0026#xa0;De manera similar, Syncthing en s\u00ed puede presentar un fallo por la misma raz\u00f3n si recibe un mensaje malformado de un servidor de retransmisi\u00f3n malicioso al intentar unirse a la retransmisi\u00f3n.\u0026#xa0;Las uniones de retransmisiones son esencialmente aleatorias (de un subconjunto de retransmisiones de baja latencia) y Syncthing se reiniciar\u00e1 por defecto cuando se bloquee, momento en el que es probable que elija otra retransmisi\u00f3n no maliciosa.\u0026#xa0;Este fallo es corregido en la versi\u00f3n 1.15.0\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:syncthing:syncthing:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.15.0\",\"matchCriteriaId\":\"13E0DFD1-14D6-4A2D-B98C-1C581D11E2F0\"}]}]}],\"references\":[{\"url\":\"https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/syncthing/syncthing/releases/tag/v1.15.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://pkg.go.dev/github.com/syncthing/syncthing\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/syncthing/syncthing/releases/tag/v1.15.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://pkg.go.dev/github.com/syncthing/syncthing\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\",\"Third Party Advisory\"]}]}}"
  }
}

ghsa-x462-89pf-6r5h

Vulnerability from github

Published

2021-05-21 16:23

Modified

2021-05-20 20:52

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Crash due to malformed relay protocol message

Details

Impact

syncthing can be caused to crash and exit if sent a malformed relay protocol message message with a negative length field.
The relay server strelaysrv can be caused to crash and exit if sent a malformed relay protocol message with a negative length field.

At no point is sensitive data exposed or liable to be altered due to this issue. Sensitive data is never exposed to relay operators. Syncthing itself would need to be lured to connect to a malicious relay server in order to exploit the issue.

Patches

Fixed in version 1.15.0.

Workarounds

No known workaround for strelaysrv.
syncthing can be configured to not use relays, or to only use specific, trusted relays. If Syncthing is used in a closed environment or with relaying disabled, i.e., it does not communicate with unknown relays, Syncthing is not vulnerable.

For more information

If you have any questions or comments about this advisory, please discuss it on the forum.

Thanks to Wojciech Paciorek for discovering and reporting this issue.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/syncthing/syncthing"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.15.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21404"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-20T20:52:26Z",
    "nvd_published_at": "2021-04-06T20:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\n1. `syncthing` can be caused to crash and exit if sent a malformed relay\n   protocol message message with a negative length field.\n\n2. The relay server `strelaysrv` can be caused to crash and exit if sent\n   a malformed relay protocol message with a negative length field.\n\nAt no point is sensitive data exposed or liable to be altered due to this\nissue. Sensitive data is never exposed to relay operators. Syncthing itself\nwould need to be lured to connect to a malicious relay server in order to\nexploit the issue.\n\n### Patches\n\nFixed in version 1.15.0.\n\n### Workarounds\n\n1. No known workaround for `strelaysrv`.\n\n2. `syncthing` can be configured to not use relays, or to only use specific,\n   trusted relays. If Syncthing is used in a closed environment or with\n   relaying disabled, i.e., it does not communicate with unknown relays,\n   Syncthing is not vulnerable.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please discuss it [on the forum](https://forum.syncthing.net/).\n\nThanks to Wojciech Paciorek for discovering and reporting this issue.",
  "id": "GHSA-x462-89pf-6r5h",
  "modified": "2021-05-20T20:52:26Z",
  "published": "2021-05-21T16:23:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21404"
    },
    {
      "type": "WEB",
      "url": "https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97"
    },
    {
      "type": "WEB",
      "url": "https://github.com/syncthing/syncthing/releases/tag/v1.15.0"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/github.com/syncthing/syncthing"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Crash due to malformed relay protocol message"
}

gsd-2021-21404

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

Aliases

CVE-2021-21404

Aliases

CVE-2021-21404

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-21404",
    "description": "Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it\u0027s likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.",
    "id": "GSD-2021-21404",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-21404.html",
      "https://security.archlinux.org/CVE-2021-21404"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-21404"
      ],
      "details": "Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it\u0027s likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.",
      "id": "GSD-2021-21404",
      "modified": "2023-12-13T01:23:10.994733Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-21404",
        "STATE": "PUBLIC",
        "TITLE": "Crash due to malformed relay protocol message"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "syncthing",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 1.15.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "syncthing"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it\u0027s likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-20 Improper Input Validation"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h",
            "refsource": "CONFIRM",
            "url": "https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h"
          },
          {
            "name": "https://pkg.go.dev/github.com/syncthing/syncthing",
            "refsource": "MISC",
            "url": "https://pkg.go.dev/github.com/syncthing/syncthing"
          },
          {
            "name": "https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97",
            "refsource": "MISC",
            "url": "https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97"
          },
          {
            "name": "https://github.com/syncthing/syncthing/releases/tag/v1.15.0",
            "refsource": "MISC",
            "url": "https://github.com/syncthing/syncthing/releases/tag/v1.15.0"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-x462-89pf-6r5h",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.15.0",
          "affected_versions": "All versions before 1.15.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-937"
          ],
          "date": "2021-05-21",
          "description": "Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it\u0027s likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.",
          "fixed_versions": [
            "1.15.0"
          ],
          "identifier": "CVE-2021-21404",
          "identifiers": [
            "GHSA-x462-89pf-6r5h",
            "CVE-2021-21404"
          ],
          "not_impacted": "All versions starting from 1.15.0",
          "package_slug": "go/github.com/syncthing/syncthing",
          "pubdate": "2021-05-21",
          "solution": "Upgrade to version 1.15.0 or above.",
          "title": "Improper Input Validation",
          "urls": [
            "https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-21404",
            "https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97",
            "https://github.com/syncthing/syncthing/releases/tag/v1.15.0",
            "https://pkg.go.dev/github.com/syncthing/syncthing",
            "https://github.com/advisories/GHSA-x462-89pf-6r5h"
          ],
          "uuid": "3611fe62-5734-446a-bfba-85df4ac45c32"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:syncthing:syncthing:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.15.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21404"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it\u0027s likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/syncthing/syncthing/releases/tag/v1.15.0",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/syncthing/syncthing/releases/tag/v1.15.0"
            },
            {
              "name": "https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97"
            },
            {
              "name": "https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h"
            },
            {
              "name": "https://pkg.go.dev/github.com/syncthing/syncthing",
              "refsource": "MISC",
              "tags": [
                "Product",
                "Third Party Advisory"
              ],
              "url": "https://pkg.go.dev/github.com/syncthing/syncthing"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2021-04-14T18:00Z",
      "publishedDate": "2021-04-06T20:15Z"
    }
  }
}

opensuse-su-2021:0713-1

Vulnerability from csaf_opensuse

Published

2021-05-11 18:05

Modified

2021-05-11 18:05

Summary

Security update for syncthing

Notes

Title of the patch

Security update for syncthing

Description of the patch

This update for syncthing fixes the following issues: Update to 1.15.0/1.15.1 * This release fixes a vulnerability where Syncthing and the relay server can crash due to malformed relay protocol messages (CVE-2021-21404); see GHSA-x462-89pf-6r5h. (boo#1184428) * This release updates the CLI to use subcommands and adds the subcommands cli (previously standalone stcli utility) and decrypt (for offline verifying and decrypting encrypted folders). * With this release we invite everyone to test the 'untrusted (encrypted) devices' feature. You should not use it yet on important production data. Thus UI controls are hidden behind a feature flag. For more information, visit: https://forum.syncthing.net/t/testing-untrusted-encrypted-devices/16470 Update to 1.14.0 * This release adds configurable device and folder defaults. * The output format of the /rest/db/browse endpoint has changed. update to 1.13.1: * This release adds configuration options for min/max connections (see https://docs.syncthing.net/advanced/option-connection-limits.html) and moves the storage of pending devices/folders from the config to the database (see https://docs.syncthing.net/dev/rest.html#cluster-endpoints). * Bugfixes * Official builds of v1.13.0 come with the Tech Ui, which is impossible to switch back from update to 1.12.1: * Invalid names are allowed and 'auto accepted' in folder root path on Windows * Sometimes indexes for some folders aren't sent after starting Syncthing * [Untrusted] Remove Unexpected Items leaves things behind * Wrong theme on selection * Quic spamming address resolving * Deleted locally changed items still shown as locally changed * Allow specifying remote expected web UI port which would generate a href somewhere * Ignore fsync errors when saving ignore files Update to 1.12.0 - The 1.12.0 release - adds a new config REST API. - The 1.11.0 release - adds the sendFullIndexOnUpgrade option to control whether all index data is resent when an upgrade is detected, equivalent to starting Syncthing with --reset-deltas. This (sendFullIndexOnUpgrade=true) used to be the behavior in previous versions, but is mainly useful as a troubleshooting step and causes high database churn. The new default is false. - Update to 1.10.0 - This release adds the config option announceLANAddresses to enable (the default) or disable announcing private (RFC1918) LAN IP addresses to global discovery. - Update to 1.9.0 - This release adds the advanced folder option caseSensitiveFS (https://docs.syncthing.net/advanced/folder-caseSensitiveFS.html) to disable the new safe handling of case insensitive filesystems. - Fix Leap build by requiring at least Go 1.14 - Prevent the build system to download Go modules which would require an internet connection during the build - Update to 1.8.0 - The 1.8.0 release - adds the experimental copyRangeMethod config on folders, for use on filesystems with copy-on-write support. Please see https://docs.syncthing.net/advanced/folder-copyrangemethod.html for details. - adds TCP hole punching, used to establish high performance TCP connections in certain NAT scenarios where only relay or QUIC connections could be used previously. - adds a configuration to file versioning for how often to run cleanup. This defaults to once an hour, but is configurable from very frequently to never. - The 1.7.0 release performs a database migration to optimize for clusters with many devices. - The 1.6.0 release performs a database schema migration, and adds the BlockPullOrder, DisableFsync and MaxConcurrentWrites folder options to the configuration schema. The LocalChangeDetected event no longer has the action set to added for new files, instead showing modified for all local file changes. - The 1.5.0 release changes the default location for the index database under some circumstances. Two new flags can also be used to affect the location of the configuration (-config) and database (-data) separately. The old -home flag is equivalent to setting both of these to the same directory. When no flags are given the following logic is used to determine the data location: If a database exists in the old default location, that location is still used. This means existing installations are not affected by this change. If $XDG_DATA_HOME is set, use $XDG_DATA_HOME/syncthing. If ~/.local/share/syncthing exists, use that location. Use the old default location. - Update to 1.4.2: - Bugfixes: - #6499: panic: nil pointer dereference in usage reporting - Other issues: - revert a change to the upgrade code that puts unnecessary load on the upgrade server - Update to 1.4.1: - Bugfixes: - #6289: 'general SOCKS server failure' since syncthing 1.3.3 - #6365: Connection errors not shown in GUI - #6415: Loop in database migration 'folder db index missing' after upgrade to v1.4.0 - #6422: 'fatal error: runtime: out of memory' during database migration on QNAP NAS - Enhancements: - #5380: gui: Display folder/device name in modal - #5979: UNIX socket permission bits - #6384: Do auto upgrades early and synchronously on startup - Other issues: - #6249: Remove unnecessary RAM/CPU stats from GUI - Update to 1.4.0: - Important changes: - New config option maxConcurrentIncomingRequestKiB - Replace config option maxConcurrentScans with maxFolderConcurrency - Improve database schema - Bugfixes: - #4774: Doesn't react to Ctrl-C when run in a subshell with -no-restart (Linux) - #5952: panic: Should never get a deleted file as needed when we don't have it - #6281: Progress emitter uses 100% CPU - #6300: lib/ignore: panic: runtime error: index out of range [0] with length 0 - #6304: Syncing issues, database missing sequence entries - #6335: Crash or hard shutdown can case database inconsistency, out of sync - Enhancements: - #5786: Consider always running the monitor process - #5898: Database performance: reduce duplication - #5914: Limit folder concurrency to improve performance - #6302: Avoid thundering herd issue by global request limiter - Change the Go build requirement to a more flexible 'golang(API) >= 1.12'. This update was imported from the openSUSE:Leap:15.2:Update update project.

Patchnames

openSUSE-2021-713

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for syncthing",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for syncthing fixes the following issues:\n\nUpdate to 1.15.0/1.15.1\n\n  * This release fixes a vulnerability where Syncthing and the relay server\n    can crash due to malformed relay protocol messages (CVE-2021-21404); see\n    GHSA-x462-89pf-6r5h. (boo#1184428)\n  * This release updates the CLI to use subcommands and adds the subcommands\n    cli (previously standalone stcli utility) and decrypt (for offline\n    verifying and decrypting encrypted folders).\n  * With this release we invite everyone to test the \u0027untrusted (encrypted)\n    devices\u0027 feature. You should not use it yet on important production\n    data. Thus UI controls are hidden behind a feature flag. For more\n    information, visit:\n    https://forum.syncthing.net/t/testing-untrusted-encrypted-devices/16470 \n\nUpdate to 1.14.0\n\n  * This release adds configurable device and folder defaults.\n  * The output format of the /rest/db/browse endpoint has changed. \n\nupdate to 1.13.1:\n\n  * This release adds configuration options for min/max connections (see\n    https://docs.syncthing.net/advanced/option-connection-limits.html) and\n    moves the storage of pending devices/folders from the config to the\n    database (see https://docs.syncthing.net/dev/rest.html#cluster-endpoints).\n  * Bugfixes\n  * Official builds of v1.13.0 come with the Tech Ui, which is impossible to\n    switch back from\n\nupdate to 1.12.1:\n\n  * Invalid names are allowed and \u0027auto accepted\u0027 in folder root path on Windows\n  * Sometimes indexes for some folders aren\u0027t sent after starting Syncthing\n  * [Untrusted] Remove Unexpected Items leaves things behind\n  * Wrong theme on selection\n  * Quic spamming address resolving\n  * Deleted locally changed items still shown as locally changed\n  * Allow specifying remote expected web UI port which would generate a href somewhere\n  * Ignore fsync errors when saving ignore files \n\nUpdate to 1.12.0\n\n  - The 1.12.0 release\n    - adds a new config REST API.\n  - The 1.11.0 release\n    - adds the sendFullIndexOnUpgrade option to control whether\n      all index data is resent when an upgrade is detected, equivalent\n      to starting Syncthing with --reset-deltas. This\n      (sendFullIndexOnUpgrade=true) used to be the behavior in previous\n      versions, but is mainly useful as a troubleshooting step and\n      causes high database churn. The new default is false.\n\n- Update to 1.10.0\n  - This release adds the config option announceLANAddresses to enable\n    (the default) or disable announcing private (RFC1918) LAN IP addresses\n    to global discovery. \n\n- Update to 1.9.0\n  - This release adds the advanced folder option caseSensitiveFS\n    (https://docs.syncthing.net/advanced/folder-caseSensitiveFS.html) to\n    disable the new safe handling of case insensitive filesystems. \n\n- Fix Leap build by requiring at least Go 1.14\n\n- Prevent the build system to download Go modules which would require an\n  internet connection during the build\n- Update to 1.8.0\n  - The 1.8.0 release\n    - adds the experimental copyRangeMethod config on folders, for use on\n      filesystems with copy-on-write support. Please see\n      https://docs.syncthing.net/advanced/folder-copyrangemethod.html for\n      details.\n    - adds TCP hole punching, used to establish high performance TCP\n      connections in certain NAT scenarios where only relay or QUIC\n      connections could be used previously.\n    - adds a configuration to file versioning for how often to run cleanup.\n      This defaults to once an hour, but is configurable from very\n      frequently to never.\n  - The 1.7.0 release performs a database migration to optimize for clusters\n    with many devices.\n  - The 1.6.0 release performs a database schema migration, and adds the\n    BlockPullOrder, DisableFsync and MaxConcurrentWrites folder\n    options to the configuration schema. The LocalChangeDetected event no\n    longer has the action set to added for new files, instead showing modified\n    for all local file changes.\n  - The 1.5.0 release changes the default location for the index database under\n    some circumstances. Two new flags can also be used to affect the\n    location of the configuration (-config) and database (-data)\n    separately. The old -home flag is equivalent to setting both of these\n    to the same directory. When no flags are given the following logic is\n    used to determine the data location:\n    If a database exists in the old default location, that location is\n    still used. This means existing installations are not affected by this\n    change.\n    If $XDG_DATA_HOME is set, use $XDG_DATA_HOME/syncthing.\n    If ~/.local/share/syncthing exists, use that location.\n    Use the old default location.\n\n- Update to 1.4.2:\n  - Bugfixes:\n    - #6499: panic: nil pointer dereference in usage reporting\n  - Other issues:\n    - revert a change to the upgrade code that puts unnecessary\n      load on the upgrade server\n\n- Update to 1.4.1:\n  - Bugfixes:\n    - #6289: \u0027general SOCKS server failure\u0027 since syncthing 1.3.3\n    - #6365: Connection errors not shown in GUI\n    - #6415: Loop in database migration \u0027folder db index missing\u0027\n      after upgrade to v1.4.0\n    - #6422: \u0027fatal error: runtime: out of memory\u0027 during database\n      migration on QNAP NAS\n- Enhancements:\n    - #5380: gui: Display folder/device name in modal\n    - #5979: UNIX socket permission bits\n    - #6384: Do auto upgrades early and synchronously on startup\n- Other issues:\n    - #6249: Remove unnecessary RAM/CPU stats from GUI\n\n- Update to 1.4.0:\n  - Important changes:\n    - New config option maxConcurrentIncomingRequestKiB\n    - Replace config option maxConcurrentScans with\n      maxFolderConcurrency\n    - Improve database schema\n  - Bugfixes:\n    - #4774: Doesn\u0027t react to Ctrl-C when run in a subshell\n      with -no-restart (Linux)\n    - #5952: panic: Should never get a deleted file as needed when\n      we don\u0027t have it\n    - #6281: Progress emitter uses 100% CPU\n    - #6300: lib/ignore: panic: runtime error: index out of range\n      [0] with length 0\n    - #6304: Syncing issues, database missing sequence entries\n    - #6335: Crash or hard shutdown can case database\n      inconsistency, out of sync\n  - Enhancements:\n    - #5786: Consider always running the monitor process\n    - #5898: Database performance: reduce duplication\n    - #5914: Limit folder concurrency to improve performance\n    - #6302: Avoid thundering herd issue by global request limiter\n\n- Change the Go build requirement to a more flexible\n  \u0027golang(API) \u003e= 1.12\u0027.\n\nThis update was imported from the openSUSE:Leap:15.2:Update update project.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2021-713",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0713-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2021:0713-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NVATCVHED4EFGAZ3YBJASSPIHZFG5AC7/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2021:0713-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NVATCVHED4EFGAZ3YBJASSPIHZFG5AC7/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1184428",
        "url": "https://bugzilla.suse.com/1184428"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-21404 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-21404/"
      }
    ],
    "title": "Security update for syncthing",
    "tracking": {
      "current_release_date": "2021-05-11T18:05:34Z",
      "generator": {
        "date": "2021-05-11T18:05:34Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2021:0713-1",
      "initial_release_date": "2021-05-11T18:05:34Z",
      "revision_history": [
        {
          "date": "2021-05-11T18:05:34Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "syncthing-1.15.1-bp152.2.3.1.aarch64",
                "product": {
                  "name": "syncthing-1.15.1-bp152.2.3.1.aarch64",
                  "product_id": "syncthing-1.15.1-bp152.2.3.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "syncthing-relaysrv-1.15.1-bp152.2.3.1.aarch64",
                "product": {
                  "name": "syncthing-relaysrv-1.15.1-bp152.2.3.1.aarch64",
                  "product_id": "syncthing-relaysrv-1.15.1-bp152.2.3.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "syncthing-1.15.1-bp152.2.3.1.ppc64le",
                "product": {
                  "name": "syncthing-1.15.1-bp152.2.3.1.ppc64le",
                  "product_id": "syncthing-1.15.1-bp152.2.3.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "syncthing-relaysrv-1.15.1-bp152.2.3.1.ppc64le",
                "product": {
                  "name": "syncthing-relaysrv-1.15.1-bp152.2.3.1.ppc64le",
                  "product_id": "syncthing-relaysrv-1.15.1-bp152.2.3.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "syncthing-1.15.1-bp152.2.3.1.s390x",
                "product": {
                  "name": "syncthing-1.15.1-bp152.2.3.1.s390x",
                  "product_id": "syncthing-1.15.1-bp152.2.3.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "syncthing-relaysrv-1.15.1-bp152.2.3.1.s390x",
                "product": {
                  "name": "syncthing-relaysrv-1.15.1-bp152.2.3.1.s390x",
                  "product_id": "syncthing-relaysrv-1.15.1-bp152.2.3.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "syncthing-1.15.1-bp152.2.3.1.x86_64",
                "product": {
                  "name": "syncthing-1.15.1-bp152.2.3.1.x86_64",
                  "product_id": "syncthing-1.15.1-bp152.2.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "syncthing-relaysrv-1.15.1-bp152.2.3.1.x86_64",
                "product": {
                  "name": "syncthing-relaysrv-1.15.1-bp152.2.3.1.x86_64",
                  "product_id": "syncthing-relaysrv-1.15.1-bp152.2.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP2",
                "product": {
                  "name": "SUSE Package Hub 15 SP2",
                  "product_id": "SUSE Package Hub 15 SP2"
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-1.15.1-bp152.2.3.1.aarch64 as component of SUSE Package Hub 15 SP2",
          "product_id": "SUSE Package Hub 15 SP2:syncthing-1.15.1-bp152.2.3.1.aarch64"
        },
        "product_reference": "syncthing-1.15.1-bp152.2.3.1.aarch64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-1.15.1-bp152.2.3.1.ppc64le as component of SUSE Package Hub 15 SP2",
          "product_id": "SUSE Package Hub 15 SP2:syncthing-1.15.1-bp152.2.3.1.ppc64le"
        },
        "product_reference": "syncthing-1.15.1-bp152.2.3.1.ppc64le",
        "relates_to_product_reference": "SUSE Package Hub 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-1.15.1-bp152.2.3.1.s390x as component of SUSE Package Hub 15 SP2",
          "product_id": "SUSE Package Hub 15 SP2:syncthing-1.15.1-bp152.2.3.1.s390x"
        },
        "product_reference": "syncthing-1.15.1-bp152.2.3.1.s390x",
        "relates_to_product_reference": "SUSE Package Hub 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-1.15.1-bp152.2.3.1.x86_64 as component of SUSE Package Hub 15 SP2",
          "product_id": "SUSE Package Hub 15 SP2:syncthing-1.15.1-bp152.2.3.1.x86_64"
        },
        "product_reference": "syncthing-1.15.1-bp152.2.3.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-relaysrv-1.15.1-bp152.2.3.1.aarch64 as component of SUSE Package Hub 15 SP2",
          "product_id": "SUSE Package Hub 15 SP2:syncthing-relaysrv-1.15.1-bp152.2.3.1.aarch64"
        },
        "product_reference": "syncthing-relaysrv-1.15.1-bp152.2.3.1.aarch64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-relaysrv-1.15.1-bp152.2.3.1.ppc64le as component of SUSE Package Hub 15 SP2",
          "product_id": "SUSE Package Hub 15 SP2:syncthing-relaysrv-1.15.1-bp152.2.3.1.ppc64le"
        },
        "product_reference": "syncthing-relaysrv-1.15.1-bp152.2.3.1.ppc64le",
        "relates_to_product_reference": "SUSE Package Hub 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-relaysrv-1.15.1-bp152.2.3.1.s390x as component of SUSE Package Hub 15 SP2",
          "product_id": "SUSE Package Hub 15 SP2:syncthing-relaysrv-1.15.1-bp152.2.3.1.s390x"
        },
        "product_reference": "syncthing-relaysrv-1.15.1-bp152.2.3.1.s390x",
        "relates_to_product_reference": "SUSE Package Hub 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-relaysrv-1.15.1-bp152.2.3.1.x86_64 as component of SUSE Package Hub 15 SP2",
          "product_id": "SUSE Package Hub 15 SP2:syncthing-relaysrv-1.15.1-bp152.2.3.1.x86_64"
        },
        "product_reference": "syncthing-relaysrv-1.15.1-bp152.2.3.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-21404",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-21404"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it\u0027s likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP2:syncthing-1.15.1-bp152.2.3.1.aarch64",
          "SUSE Package Hub 15 SP2:syncthing-1.15.1-bp152.2.3.1.ppc64le",
          "SUSE Package Hub 15 SP2:syncthing-1.15.1-bp152.2.3.1.s390x",
          "SUSE Package Hub 15 SP2:syncthing-1.15.1-bp152.2.3.1.x86_64",
          "SUSE Package Hub 15 SP2:syncthing-relaysrv-1.15.1-bp152.2.3.1.aarch64",
          "SUSE Package Hub 15 SP2:syncthing-relaysrv-1.15.1-bp152.2.3.1.ppc64le",
          "SUSE Package Hub 15 SP2:syncthing-relaysrv-1.15.1-bp152.2.3.1.s390x",
          "SUSE Package Hub 15 SP2:syncthing-relaysrv-1.15.1-bp152.2.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-21404",
          "url": "https://www.suse.com/security/cve/CVE-2021-21404"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1184428 for CVE-2021-21404",
          "url": "https://bugzilla.suse.com/1184428"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP2:syncthing-1.15.1-bp152.2.3.1.aarch64",
            "SUSE Package Hub 15 SP2:syncthing-1.15.1-bp152.2.3.1.ppc64le",
            "SUSE Package Hub 15 SP2:syncthing-1.15.1-bp152.2.3.1.s390x",
            "SUSE Package Hub 15 SP2:syncthing-1.15.1-bp152.2.3.1.x86_64",
            "SUSE Package Hub 15 SP2:syncthing-relaysrv-1.15.1-bp152.2.3.1.aarch64",
            "SUSE Package Hub 15 SP2:syncthing-relaysrv-1.15.1-bp152.2.3.1.ppc64le",
            "SUSE Package Hub 15 SP2:syncthing-relaysrv-1.15.1-bp152.2.3.1.s390x",
            "SUSE Package Hub 15 SP2:syncthing-relaysrv-1.15.1-bp152.2.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP2:syncthing-1.15.1-bp152.2.3.1.aarch64",
            "SUSE Package Hub 15 SP2:syncthing-1.15.1-bp152.2.3.1.ppc64le",
            "SUSE Package Hub 15 SP2:syncthing-1.15.1-bp152.2.3.1.s390x",
            "SUSE Package Hub 15 SP2:syncthing-1.15.1-bp152.2.3.1.x86_64",
            "SUSE Package Hub 15 SP2:syncthing-relaysrv-1.15.1-bp152.2.3.1.aarch64",
            "SUSE Package Hub 15 SP2:syncthing-relaysrv-1.15.1-bp152.2.3.1.ppc64le",
            "SUSE Package Hub 15 SP2:syncthing-relaysrv-1.15.1-bp152.2.3.1.s390x",
            "SUSE Package Hub 15 SP2:syncthing-relaysrv-1.15.1-bp152.2.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2021-05-11T18:05:34Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-21404"
    }
  ]
}

opensuse-su-2024:11417-1

Vulnerability from csaf_opensuse

Published

2024-06-15 00:00

Modified

2024-06-15 00:00

Summary

syncthing-1.18.2-2.1 on GA media

Notes

Title of the patch

syncthing-1.18.2-2.1 on GA media

Description of the patch

These are all security issues fixed in the syncthing-1.18.2-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-11417

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "syncthing-1.18.2-2.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the syncthing-1.18.2-2.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-11417",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11417-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-21404 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-21404/"
      }
    ],
    "title": "syncthing-1.18.2-2.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:11417-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "syncthing-1.18.2-2.1.aarch64",
                "product": {
                  "name": "syncthing-1.18.2-2.1.aarch64",
                  "product_id": "syncthing-1.18.2-2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "syncthing-relaysrv-1.18.2-2.1.aarch64",
                "product": {
                  "name": "syncthing-relaysrv-1.18.2-2.1.aarch64",
                  "product_id": "syncthing-relaysrv-1.18.2-2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "syncthing-1.18.2-2.1.ppc64le",
                "product": {
                  "name": "syncthing-1.18.2-2.1.ppc64le",
                  "product_id": "syncthing-1.18.2-2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "syncthing-relaysrv-1.18.2-2.1.ppc64le",
                "product": {
                  "name": "syncthing-relaysrv-1.18.2-2.1.ppc64le",
                  "product_id": "syncthing-relaysrv-1.18.2-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "syncthing-1.18.2-2.1.s390x",
                "product": {
                  "name": "syncthing-1.18.2-2.1.s390x",
                  "product_id": "syncthing-1.18.2-2.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "syncthing-relaysrv-1.18.2-2.1.s390x",
                "product": {
                  "name": "syncthing-relaysrv-1.18.2-2.1.s390x",
                  "product_id": "syncthing-relaysrv-1.18.2-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "syncthing-1.18.2-2.1.x86_64",
                "product": {
                  "name": "syncthing-1.18.2-2.1.x86_64",
                  "product_id": "syncthing-1.18.2-2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "syncthing-relaysrv-1.18.2-2.1.x86_64",
                "product": {
                  "name": "syncthing-relaysrv-1.18.2-2.1.x86_64",
                  "product_id": "syncthing-relaysrv-1.18.2-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-1.18.2-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:syncthing-1.18.2-2.1.aarch64"
        },
        "product_reference": "syncthing-1.18.2-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-1.18.2-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:syncthing-1.18.2-2.1.ppc64le"
        },
        "product_reference": "syncthing-1.18.2-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-1.18.2-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:syncthing-1.18.2-2.1.s390x"
        },
        "product_reference": "syncthing-1.18.2-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-1.18.2-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:syncthing-1.18.2-2.1.x86_64"
        },
        "product_reference": "syncthing-1.18.2-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-relaysrv-1.18.2-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:syncthing-relaysrv-1.18.2-2.1.aarch64"
        },
        "product_reference": "syncthing-relaysrv-1.18.2-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-relaysrv-1.18.2-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:syncthing-relaysrv-1.18.2-2.1.ppc64le"
        },
        "product_reference": "syncthing-relaysrv-1.18.2-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-relaysrv-1.18.2-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:syncthing-relaysrv-1.18.2-2.1.s390x"
        },
        "product_reference": "syncthing-relaysrv-1.18.2-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-relaysrv-1.18.2-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:syncthing-relaysrv-1.18.2-2.1.x86_64"
        },
        "product_reference": "syncthing-relaysrv-1.18.2-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-21404",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-21404"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it\u0027s likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:syncthing-1.18.2-2.1.aarch64",
          "openSUSE Tumbleweed:syncthing-1.18.2-2.1.ppc64le",
          "openSUSE Tumbleweed:syncthing-1.18.2-2.1.s390x",
          "openSUSE Tumbleweed:syncthing-1.18.2-2.1.x86_64",
          "openSUSE Tumbleweed:syncthing-relaysrv-1.18.2-2.1.aarch64",
          "openSUSE Tumbleweed:syncthing-relaysrv-1.18.2-2.1.ppc64le",
          "openSUSE Tumbleweed:syncthing-relaysrv-1.18.2-2.1.s390x",
          "openSUSE Tumbleweed:syncthing-relaysrv-1.18.2-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-21404",
          "url": "https://www.suse.com/security/cve/CVE-2021-21404"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1184428 for CVE-2021-21404",
          "url": "https://bugzilla.suse.com/1184428"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:syncthing-1.18.2-2.1.aarch64",
            "openSUSE Tumbleweed:syncthing-1.18.2-2.1.ppc64le",
            "openSUSE Tumbleweed:syncthing-1.18.2-2.1.s390x",
            "openSUSE Tumbleweed:syncthing-1.18.2-2.1.x86_64",
            "openSUSE Tumbleweed:syncthing-relaysrv-1.18.2-2.1.aarch64",
            "openSUSE Tumbleweed:syncthing-relaysrv-1.18.2-2.1.ppc64le",
            "openSUSE Tumbleweed:syncthing-relaysrv-1.18.2-2.1.s390x",
            "openSUSE Tumbleweed:syncthing-relaysrv-1.18.2-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:syncthing-1.18.2-2.1.aarch64",
            "openSUSE Tumbleweed:syncthing-1.18.2-2.1.ppc64le",
            "openSUSE Tumbleweed:syncthing-1.18.2-2.1.s390x",
            "openSUSE Tumbleweed:syncthing-1.18.2-2.1.x86_64",
            "openSUSE Tumbleweed:syncthing-relaysrv-1.18.2-2.1.aarch64",
            "openSUSE Tumbleweed:syncthing-relaysrv-1.18.2-2.1.ppc64le",
            "openSUSE Tumbleweed:syncthing-relaysrv-1.18.2-2.1.s390x",
            "openSUSE Tumbleweed:syncthing-relaysrv-1.18.2-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-21404"
    }
  ]
}

opensuse-su-2021:0688-1

Vulnerability from csaf_opensuse

Published

2021-05-08 12:05

Modified

2021-05-08 12:05

Summary

Security update for syncthing

Notes

Title of the patch

Security update for syncthing

Description of the patch

Patchnames

openSUSE-2021-688

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for syncthing",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for syncthing fixes the following issues:\n\nUpdate to 1.15.0/1.15.1\n\n  * This release fixes a vulnerability where Syncthing and the relay server\n    can crash due to malformed relay protocol messages (CVE-2021-21404); see\n    GHSA-x462-89pf-6r5h. (boo#1184428)\n  * This release updates the CLI to use subcommands and adds the subcommands\n    cli (previously standalone stcli utility) and decrypt (for offline\n    verifying and decrypting encrypted folders).\n  * With this release we invite everyone to test the \u0027untrusted (encrypted)\n    devices\u0027 feature. You should not use it yet on important production\n    data. Thus UI controls are hidden behind a feature flag. For more\n    information, visit:\n    https://forum.syncthing.net/t/testing-untrusted-encrypted-devices/16470 \n\nUpdate to 1.14.0\n\n  * This release adds configurable device and folder defaults.\n  * The output format of the /rest/db/browse endpoint has changed. \n\nupdate to 1.13.1:\n\n  * This release adds configuration options for min/max connections (see\n    https://docs.syncthing.net/advanced/option-connection-limits.html) and\n    moves the storage of pending devices/folders from the config to the\n    database (see https://docs.syncthing.net/dev/rest.html#cluster-endpoints).\n  * Bugfixes\n  * Official builds of v1.13.0 come with the Tech Ui, which is impossible to\n    switch back from\n\nupdate to 1.12.1:\n\n  * Invalid names are allowed and \u0027auto accepted\u0027 in folder root path on Windows\n  * Sometimes indexes for some folders aren\u0027t sent after starting Syncthing\n  * [Untrusted] Remove Unexpected Items leaves things behind\n  * Wrong theme on selection\n  * Quic spamming address resolving\n  * Deleted locally changed items still shown as locally changed\n  * Allow specifying remote expected web UI port which would generate a href somewhere\n  * Ignore fsync errors when saving ignore files \n\nUpdate to 1.12.0\n\n  - The 1.12.0 release\n    - adds a new config REST API.\n  - The 1.11.0 release\n    - adds the sendFullIndexOnUpgrade option to control whether\n      all index data is resent when an upgrade is detected, equivalent\n      to starting Syncthing with --reset-deltas. This\n      (sendFullIndexOnUpgrade=true) used to be the behavior in previous\n      versions, but is mainly useful as a troubleshooting step and\n      causes high database churn. The new default is false.\n\n- Update to 1.10.0\n  - This release adds the config option announceLANAddresses to enable\n    (the default) or disable announcing private (RFC1918) LAN IP addresses\n    to global discovery. \n\n- Update to 1.9.0\n  - This release adds the advanced folder option caseSensitiveFS\n    (https://docs.syncthing.net/advanced/folder-caseSensitiveFS.html) to\n    disable the new safe handling of case insensitive filesystems. \n\n- Fix Leap build by requiring at least Go 1.14\n\n- Prevent the build system to download Go modules which would require an\n  internet connection during the build\n- Update to 1.8.0\n  - The 1.8.0 release\n    - adds the experimental copyRangeMethod config on folders, for use on\n      filesystems with copy-on-write support. Please see\n      https://docs.syncthing.net/advanced/folder-copyrangemethod.html for\n      details.\n    - adds TCP hole punching, used to establish high performance TCP\n      connections in certain NAT scenarios where only relay or QUIC\n      connections could be used previously.\n    - adds a configuration to file versioning for how often to run cleanup.\n      This defaults to once an hour, but is configurable from very\n      frequently to never.\n  - The 1.7.0 release performs a database migration to optimize for clusters\n    with many devices.\n  - The 1.6.0 release performs a database schema migration, and adds the\n    BlockPullOrder, DisableFsync and MaxConcurrentWrites folder\n    options to the configuration schema. The LocalChangeDetected event no\n    longer has the action set to added for new files, instead showing modified\n    for all local file changes.\n  - The 1.5.0 release changes the default location for the index database under\n    some circumstances. Two new flags can also be used to affect the\n    location of the configuration (-config) and database (-data)\n    separately. The old -home flag is equivalent to setting both of these\n    to the same directory. When no flags are given the following logic is\n    used to determine the data location:\n    If a database exists in the old default location, that location is\n    still used. This means existing installations are not affected by this\n    change.\n    If $XDG_DATA_HOME is set, use $XDG_DATA_HOME/syncthing.\n    If ~/.local/share/syncthing exists, use that location.\n    Use the old default location.\n\n- Update to 1.4.2:\n  - Bugfixes:\n    - #6499: panic: nil pointer dereference in usage reporting\n  - Other issues:\n    - revert a change to the upgrade code that puts unnecessary\n      load on the upgrade server\n\n- Update to 1.4.1:\n  - Bugfixes:\n    - #6289: \u0027general SOCKS server failure\u0027 since syncthing 1.3.3\n    - #6365: Connection errors not shown in GUI\n    - #6415: Loop in database migration \u0027folder db index missing\u0027\n      after upgrade to v1.4.0\n    - #6422: \u0027fatal error: runtime: out of memory\u0027 during database\n      migration on QNAP NAS\n- Enhancements:\n    - #5380: gui: Display folder/device name in modal\n    - #5979: UNIX socket permission bits\n    - #6384: Do auto upgrades early and synchronously on startup\n- Other issues:\n    - #6249: Remove unnecessary RAM/CPU stats from GUI\n\n- Update to 1.4.0:\n  - Important changes:\n    - New config option maxConcurrentIncomingRequestKiB\n    - Replace config option maxConcurrentScans with\n      maxFolderConcurrency\n    - Improve database schema\n  - Bugfixes:\n    - #4774: Doesn\u0027t react to Ctrl-C when run in a subshell\n      with -no-restart (Linux)\n    - #5952: panic: Should never get a deleted file as needed when\n      we don\u0027t have it\n    - #6281: Progress emitter uses 100% CPU\n    - #6300: lib/ignore: panic: runtime error: index out of range\n      [0] with length 0\n    - #6304: Syncing issues, database missing sequence entries\n    - #6335: Crash or hard shutdown can case database\n      inconsistency, out of sync\n  - Enhancements:\n    - #5786: Consider always running the monitor process\n    - #5898: Database performance: reduce duplication\n    - #5914: Limit folder concurrency to improve performance\n    - #6302: Avoid thundering herd issue by global request limiter\n\n- Change the Go build requirement to a more flexible\n  \u0027golang(API) \u003e= 1.12\u0027.\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2021-688",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0688-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2021:0688-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UIFNGMDOIZ3DQYLTSKXQFICFKTHWOLKM/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2021:0688-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UIFNGMDOIZ3DQYLTSKXQFICFKTHWOLKM/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1184428",
        "url": "https://bugzilla.suse.com/1184428"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-21404 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-21404/"
      }
    ],
    "title": "Security update for syncthing",
    "tracking": {
      "current_release_date": "2021-05-08T12:05:55Z",
      "generator": {
        "date": "2021-05-08T12:05:55Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2021:0688-1",
      "initial_release_date": "2021-05-08T12:05:55Z",
      "revision_history": [
        {
          "date": "2021-05-08T12:05:55Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "syncthing-1.15.1-lp152.2.3.1.x86_64",
                "product": {
                  "name": "syncthing-1.15.1-lp152.2.3.1.x86_64",
                  "product_id": "syncthing-1.15.1-lp152.2.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64",
                "product": {
                  "name": "syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64",
                  "product_id": "syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.2",
                "product": {
                  "name": "openSUSE Leap 15.2",
                  "product_id": "openSUSE Leap 15.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-1.15.1-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:syncthing-1.15.1-lp152.2.3.1.x86_64"
        },
        "product_reference": "syncthing-1.15.1-lp152.2.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64"
        },
        "product_reference": "syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-21404",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-21404"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it\u0027s likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.2:syncthing-1.15.1-lp152.2.3.1.x86_64",
          "openSUSE Leap 15.2:syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-21404",
          "url": "https://www.suse.com/security/cve/CVE-2021-21404"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1184428 for CVE-2021-21404",
          "url": "https://bugzilla.suse.com/1184428"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.2:syncthing-1.15.1-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.2:syncthing-1.15.1-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2021-05-08T12:05:55Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-21404"
    }
  ]
}

fkie_cve-2021-21404

Vulnerability from fkie_nvd

Published

2021-04-06 20:15

Modified

2024-11-21 05:48

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/syncthing/syncthing/releases/tag/v1.15.0	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h	Third Party Advisory
security-advisories@github.com	https://pkg.go.dev/github.com/syncthing/syncthing	Product, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/syncthing/syncthing/releases/tag/v1.15.0	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://pkg.go.dev/github.com/syncthing/syncthing	Product, Third Party Advisory

Impacted products

	Vendor	Product	Version
	syncthing	syncthing	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:syncthing:syncthing:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "13E0DFD1-14D6-4A2D-B98C-1C581D11E2F0",
              "versionEndExcluding": "1.15.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it\u0027s likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0."
    },
    {
      "lang": "es",
      "value": "Syncthing es un programa de sincronizaci\u00f3n de archivos continua.\u0026#xa0;En Syncthing versiones anteriores a 1.15.0, el servidor de retransmisi\u00f3n \"strelaysrv\" puede causar un bloqueo y salida mediante el env\u00edo de un mensaje de retransmisi\u00f3n con un campo de longitud negativa.\u0026#xa0;De manera similar, Syncthing en s\u00ed puede presentar un fallo por la misma raz\u00f3n si recibe un mensaje malformado de un servidor de retransmisi\u00f3n malicioso al intentar unirse a la retransmisi\u00f3n.\u0026#xa0;Las uniones de retransmisiones son esencialmente aleatorias (de un subconjunto de retransmisiones de baja latencia) y Syncthing se reiniciar\u00e1 por defecto cuando se bloquee, momento en el que es probable que elija otra retransmisi\u00f3n no maliciosa.\u0026#xa0;Este fallo es corregido en la versi\u00f3n 1.15.0"
    }
  ],
  "id": "CVE-2021-21404",
  "lastModified": "2024-11-21T05:48:17.280",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-04-06T20:15:13.490",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/syncthing/syncthing/releases/tag/v1.15.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://pkg.go.dev/github.com/syncthing/syncthing"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/syncthing/syncthing/releases/tag/v1.15.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://pkg.go.dev/github.com/syncthing/syncthing"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2021-21404 (GCVE-0-2021-21404)

Vulnerability from cvelistv5

ghsa-x462-89pf-6r5h

Vulnerability from github

Impact

Patches

Workarounds

For more information

gsd-2021-21404

Vulnerability from gsd

opensuse-su-2021:0713-1

Vulnerability from csaf_opensuse

opensuse-su-2024:11417-1

Vulnerability from csaf_opensuse

opensuse-su-2021:0688-1

Vulnerability from csaf_opensuse

fkie_cve-2021-21404

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature