opensuse-su-2021:0688-1
Vulnerability from csaf_opensuse
Published
2021-05-08 12:05
Modified
2021-05-08 12:05
Summary
Security update for syncthing

Notes

Title of the patch
Security update for syncthing
Description of the patch
This update for syncthing fixes the following issues:

Update to 1.15.0/1.15.1

  * This release fixes a vulnerability where Syncthing and the relay server can crash due to malformed relay protocol messages (CVE-2021-21404); see GHSA-x462-89pf-6r5h. (boo#1184428)
  * This release updates the CLI to use subcommands and adds the subcommands cli (previously standalone stcli utility) and decrypt (for offline verifying and decrypting encrypted folders).
  * With this release we invite everyone to test the 'untrusted (encrypted) devices' feature. You should not use it yet on important production data. Thus UI controls are hidden behind a feature flag. For more information, visit: https://forum.syncthing.net/t/testing-untrusted-encrypted-devices/16470

Update to 1.14.0

  * This release adds configurable device and folder defaults.
  * The output format of the /rest/db/browse endpoint has changed.

Update to 1.13.1:

  * This release adds configuration options for min/max connections (see https://docs.syncthing.net/advanced/option-connection-limits.html) and moves the storage of pending devices/folders from the config to the database (see https://docs.syncthing.net/dev/rest.html#cluster-endpoints).
  * Bugfixes
  * Official builds of v1.13.0 come with the Tech Ui, which is impossible to switch back from

Update to 1.12.1:

  * Invalid names are allowed and 'auto accepted' in folder root path on Windows
  * Sometimes indexes for some folders aren't sent after starting Syncthing
  * [Untrusted] Remove Unexpected Items leaves things behind
  * Wrong theme on selection
  * Quic spamming address resolving
  * Deleted locally changed items still shown as locally changed
  * Allow specifying remote expected web UI port which would generate a href somewhere
  * Ignore fsync errors when saving ignore files

Update to 1.12.0

  - The 1.12.0 release
    - adds a new config REST API.
  - The 1.11.0 release
    - adds the sendFullIndexOnUpgrade option to control whether all index data is resent when an upgrade is detected, equivalent to starting Syncthing with --reset-deltas. This (sendFullIndexOnUpgrade=true) used to be the behavior in previous versions, but is mainly useful as a troubleshooting step and causes high database churn. The new default is false.

- Update to 1.10.0
  - This release adds the config option announceLANAddresses to enable (the default) or disable announcing private (RFC1918) LAN IP addresses to global discovery.

- Update to 1.9.0
  - This release adds the advanced folder option caseSensitiveFS (https://docs.syncthing.net/advanced/folder-caseSensitiveFS.html) to disable the new safe handling of case insensitive filesystems.

- Fix Leap build by requiring at least Go 1.14

- Prevent the build system from downloading Go modules, which would require an internet connection during the build

- Update to 1.8.0
  - The 1.8.0 release
    - adds the experimental copyRangeMethod config on folders, for use on filesystems with copy-on-write support. Please see https://docs.syncthing.net/advanced/folder-copyrangemethod.html for details.
    - adds TCP hole punching, used to establish high performance TCP connections in certain NAT scenarios where only relay or QUIC connections could be used previously.
    - adds a configuration to file versioning for how often to run cleanup. This defaults to once an hour, but is configurable from very frequently to never.
  - The 1.7.0 release performs a database migration to optimize for clusters with many devices.
  - The 1.6.0 release performs a database schema migration, and adds the BlockPullOrder, DisableFsync and MaxConcurrentWrites folder options to the configuration schema. The LocalChangeDetected event no longer has the action set to added for new files, instead showing modified for all local file changes.
  - The 1.5.0 release changes the default location for the index database under some circumstances. Two new flags can also be used to affect the location of the configuration (-config) and database (-data) separately. The old -home flag is equivalent to setting both of these to the same directory. When no flags are given the following logic is used to determine the data location:
    - If a database exists in the old default location, that location is still used. This means existing installations are not affected by this change.
    - If $XDG_DATA_HOME is set, use $XDG_DATA_HOME/syncthing.
    - If ~/.local/share/syncthing exists, use that location.
    - Otherwise, use the old default location.

- Update to 1.4.2:
  - Bugfixes:
    - #6499: panic: nil pointer dereference in usage reporting
  - Other issues:
    - revert a change to the upgrade code that puts unnecessary load on the upgrade server

- Update to 1.4.1:
  - Bugfixes:
    - #6289: 'general SOCKS server failure' since syncthing 1.3.3
    - #6365: Connection errors not shown in GUI
    - #6415: Loop in database migration 'folder db index missing' after upgrade to v1.4.0
    - #6422: 'fatal error: runtime: out of memory' during database migration on QNAP NAS
  - Enhancements:
    - #5380: gui: Display folder/device name in modal
    - #5979: UNIX socket permission bits
    - #6384: Do auto upgrades early and synchronously on startup
  - Other issues:
    - #6249: Remove unnecessary RAM/CPU stats from GUI

- Update to 1.4.0:
  - Important changes:
    - New config option maxConcurrentIncomingRequestKiB
    - Replace config option maxConcurrentScans with maxFolderConcurrency
    - Improve database schema
  - Bugfixes:
    - #4774: Doesn't react to Ctrl-C when run in a subshell with -no-restart (Linux)
    - #5952: panic: Should never get a deleted file as needed when we don't have it
    - #6281: Progress emitter uses 100% CPU
    - #6300: lib/ignore: panic: runtime error: index out of range [0] with length 0
    - #6304: Syncing issues, database missing sequence entries
    - #6335: Crash or hard shutdown can cause database inconsistency, out of sync
  - Enhancements:
    - #5786: Consider always running the monitor process
    - #5898: Database performance: reduce duplication
    - #5914: Limit folder concurrency to improve performance
    - #6302: Avoid thundering herd issue by global request limiter

- Change the Go build requirement to a more flexible 'golang(API) >= 1.12'.
Patchnames
openSUSE-2021-688
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for syncthing",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for syncthing fixes the following issues:\n\nUpdate to 1.15.0/1.15.1\n\n  * This release fixes a vulnerability where Syncthing and the relay server\n    can crash due to malformed relay protocol messages (CVE-2021-21404); see\n    GHSA-x462-89pf-6r5h. (boo#1184428)\n  * This release updates the CLI to use subcommands and adds the subcommands\n    cli (previously standalone stcli utility) and decrypt (for offline\n    verifying and decrypting encrypted folders).\n  * With this release we invite everyone to test the \u0027untrusted (encrypted)\n    devices\u0027 feature. You should not use it yet on important production\n    data. Thus UI controls are hidden behind a feature flag. For more\n    information, visit:\n    https://forum.syncthing.net/t/testing-untrusted-encrypted-devices/16470 \n\nUpdate to 1.14.0\n\n  * This release adds configurable device and folder defaults.\n  * The output format of the /rest/db/browse endpoint has changed. \n\nupdate to 1.13.1:\n\n  * This release adds configuration options for min/max connections (see\n    https://docs.syncthing.net/advanced/option-connection-limits.html) and\n    moves the storage of pending devices/folders from the config to the\n    database (see https://docs.syncthing.net/dev/rest.html#cluster-endpoints).\n  * Bugfixes\n  * Official builds of v1.13.0 come with the Tech Ui, which is impossible to\n    switch back from\n\nupdate to 1.12.1:\n\n  * Invalid names are allowed and \u0027auto accepted\u0027 in folder root path on Windows\n  * Sometimes indexes for some folders aren\u0027t sent after starting Syncthing\n  * [Untrusted] Remove Unexpected Items leaves things behind\n  * Wrong theme on selection\n  * Quic spamming address resolving\n  * Deleted locally changed items still shown as locally changed\n  * Allow specifying remote expected web UI port which would generate a href somewhere\n  * Ignore fsync errors when saving ignore files \n\nUpdate to 1.12.0\n\n  - The 1.12.0 release\n    - adds a new config REST API.\n  - The 1.11.0 release\n    - adds the sendFullIndexOnUpgrade option to control whether\n      all index data is resent when an upgrade is detected, equivalent\n      to starting Syncthing with --reset-deltas. This\n      (sendFullIndexOnUpgrade=true) used to be the behavior in previous\n      versions, but is mainly useful as a troubleshooting step and\n      causes high database churn. The new default is false.\n\n- Update to 1.10.0\n  - This release adds the config option announceLANAddresses to enable\n    (the default) or disable announcing private (RFC1918) LAN IP addresses\n    to global discovery. \n\n- Update to 1.9.0\n  - This release adds the advanced folder option caseSensitiveFS\n    (https://docs.syncthing.net/advanced/folder-caseSensitiveFS.html) to\n    disable the new safe handling of case insensitive filesystems. \n\n- Fix Leap build by requiring at least Go 1.14\n\n- Prevent the build system to download Go modules which would require an\n  internet connection during the build\n- Update to 1.8.0\n  - The 1.8.0 release\n    - adds the experimental copyRangeMethod config on folders, for use on\n      filesystems with copy-on-write support. Please see\n      https://docs.syncthing.net/advanced/folder-copyrangemethod.html for\n      details.\n    - adds TCP hole punching, used to establish high performance TCP\n      connections in certain NAT scenarios where only relay or QUIC\n      connections could be used previously.\n    - adds a configuration to file versioning for how often to run cleanup.\n      This defaults to once an hour, but is configurable from very\n      frequently to never.\n  - The 1.7.0 release performs a database migration to optimize for clusters\n    with many devices.\n  - The 1.6.0 release performs a database schema migration, and adds the\n    BlockPullOrder, DisableFsync and MaxConcurrentWrites folder\n    options to the configuration schema. The LocalChangeDetected event no\n    longer has the action set to added for new files, instead showing modified\n    for all local file changes.\n  - The 1.5.0 release changes the default location for the index database under\n    some circumstances. Two new flags can also be used to affect the\n    location of the configuration (-config) and database (-data)\n    separately. The old -home flag is equivalent to setting both of these\n    to the same directory. When no flags are given the following logic is\n    used to determine the data location:\n    If a database exists in the old default location, that location is\n    still used. This means existing installations are not affected by this\n    change.\n    If $XDG_DATA_HOME is set, use $XDG_DATA_HOME/syncthing.\n    If ~/.local/share/syncthing exists, use that location.\n    Use the old default location.\n\n- Update to 1.4.2:\n  - Bugfixes:\n    - #6499: panic: nil pointer dereference in usage reporting\n  - Other issues:\n    - revert a change to the upgrade code that puts unnecessary\n      load on the upgrade server\n\n- Update to 1.4.1:\n  - Bugfixes:\n    - #6289: \u0027general SOCKS server failure\u0027 since syncthing 1.3.3\n    - #6365: Connection errors not shown in GUI\n    - #6415: Loop in database migration \u0027folder db index missing\u0027\n      after upgrade to v1.4.0\n    - #6422: \u0027fatal error: runtime: out of memory\u0027 during database\n      migration on QNAP NAS\n- Enhancements:\n    - #5380: gui: Display folder/device name in modal\n    - #5979: UNIX socket permission bits\n    - #6384: Do auto upgrades early and synchronously on startup\n- Other issues:\n    - #6249: Remove unnecessary RAM/CPU stats from GUI\n\n- Update to 1.4.0:\n  - Important changes:\n    - New config option maxConcurrentIncomingRequestKiB\n    - Replace config option maxConcurrentScans with\n      maxFolderConcurrency\n    - Improve database schema\n  - Bugfixes:\n    - #4774: Doesn\u0027t react to Ctrl-C when run in a subshell\n      with -no-restart (Linux)\n    - #5952: panic: Should never get a deleted file as needed when\n      we don\u0027t have it\n    - #6281: Progress emitter uses 100% CPU\n    - #6300: lib/ignore: panic: runtime error: index out of range\n      [0] with length 0\n    - #6304: Syncing issues, database missing sequence entries\n    - #6335: Crash or hard shutdown can case database\n      inconsistency, out of sync\n  - Enhancements:\n    - #5786: Consider always running the monitor process\n    - #5898: Database performance: reduce duplication\n    - #5914: Limit folder concurrency to improve performance\n    - #6302: Avoid thundering herd issue by global request limiter\n\n- Change the Go build requirement to a more flexible\n  \u0027golang(API) \u003e= 1.12\u0027.\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2021-688",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0688-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2021:0688-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UIFNGMDOIZ3DQYLTSKXQFICFKTHWOLKM/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2021:0688-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UIFNGMDOIZ3DQYLTSKXQFICFKTHWOLKM/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1184428",
        "url": "https://bugzilla.suse.com/1184428"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-21404 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-21404/"
      }
    ],
    "title": "Security update for syncthing",
    "tracking": {
      "current_release_date": "2021-05-08T12:05:55Z",
      "generator": {
        "date": "2021-05-08T12:05:55Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2021:0688-1",
      "initial_release_date": "2021-05-08T12:05:55Z",
      "revision_history": [
        {
          "date": "2021-05-08T12:05:55Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "syncthing-1.15.1-lp152.2.3.1.x86_64",
                "product": {
                  "name": "syncthing-1.15.1-lp152.2.3.1.x86_64",
                  "product_id": "syncthing-1.15.1-lp152.2.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64",
                "product": {
                  "name": "syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64",
                  "product_id": "syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.2",
                "product": {
                  "name": "openSUSE Leap 15.2",
                  "product_id": "openSUSE Leap 15.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-1.15.1-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:syncthing-1.15.1-lp152.2.3.1.x86_64"
        },
        "product_reference": "syncthing-1.15.1-lp152.2.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
          "product_id": "openSUSE Leap 15.2:syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64"
        },
        "product_reference": "syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-21404",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-21404"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it\u0027s likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.2:syncthing-1.15.1-lp152.2.3.1.x86_64",
          "openSUSE Leap 15.2:syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-21404",
          "url": "https://www.suse.com/security/cve/CVE-2021-21404"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1184428 for CVE-2021-21404",
          "url": "https://bugzilla.suse.com/1184428"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.2:syncthing-1.15.1-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.2:syncthing-1.15.1-lp152.2.3.1.x86_64",
            "openSUSE Leap 15.2:syncthing-relaysrv-1.15.1-lp152.2.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2021-05-08T12:05:55Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-21404"
    }
  ]
}

