[pkg-go] Bug#986593: syncthing: CVE-2021-21404

Salvatore Bonaccorso carnil at debian.org
Wed Apr 7 20:36:01 BST 2021


Source: syncthing
Version: 1.12.1~ds1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for syncthing.

CVE-2021-21404[0]:
| Syncthing is a continuous file synchronization program. In Syncthing
| before version 1.15.0, the relay server `strelaysrv` can be caused to
| crash and exit by sending a relay message with a negative length
| field. Similarly, Syncthing itself can crash for the same reason if
| given a malformed message from a malicious relay server when
| attempting to join the relay. Relay joins are essentially random (from
| a subset of low latency relays) and Syncthing will by default restart
| when crashing, at which point it's likely to pick another non-
| malicious relay. This flaw is fixed in version 1.15.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21404
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21404
[1] https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h
[2] https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
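The advisory above describes a length-prefixed relay message whose signed length field is trusted before slicing, so a negative value crashes the process. The following is an added illustration written for this archive page, not code from syncthing or from the commit linked in [2]: it uses a constructed framing (a 4-byte big-endian signed length followed by the payload) that is an assumption for the example rather than the real relay wire format, and it places the unchecked decode next to a hardened one that turns bad length fields into errors instead of panics. The cap `maxMessageLen`, the helper names and the sample frames are all constructed here.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// maxMessageLen bounds the payload a single frame may announce. This is a
// constructed value for the example, not a syncthing constant.
const maxMessageLen = 64 * 1024

// Errors returned by the hardened decoder instead of panicking.
var (
	ErrBadLength  = errors.New("relay frame: invalid length field")
	ErrShortFrame = errors.New("relay frame: truncated payload")
)

// frame builds a constructed test frame: 4-byte big-endian signed length,
// then the payload bytes. The length is written as given so that negative
// or oversized values can be produced for the decoder to reject.
func frame(length int32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, uint32(length))
	return append(buf, payload...)
}

// decodeFrameUnchecked mirrors the failure mode in the advisory: the signed
// length is used as a slice bound without validation. A negative length
// (or one larger than the buffer) makes the slice expression panic.
func decodeFrameUnchecked(buf []byte) []byte {
	n := int32(binary.BigEndian.Uint32(buf[:4]))
	return buf[4 : 4+n] // panics when n < 0 or when 4+n > len(buf)
}

// decodeFrame is the hardened form: every value derived from the network is
// range-checked before it is used as an index, so a hostile peer can only
// obtain an error, not a crash.
func decodeFrame(buf []byte) ([]byte, error) {
	if len(buf) < 4 {
		return nil, ErrShortFrame
	}
	n := int32(binary.BigEndian.Uint32(buf[:4]))
	if n < 0 || n > maxMessageLen {
		return nil, ErrBadLength
	}
	if int(n) > len(buf)-4 {
		return nil, ErrShortFrame
	}
	return buf[4 : 4+int(n)], nil
}

// panicsOnUncheckedDecode reports whether the unchecked decoder panics on
// the given frame, so the two behaviours can be compared without taking
// the whole process down.
func panicsOnUncheckedDecode(buf []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	_ = decodeFrameUnchecked(buf)
	return false
}

func main() {
	good := frame(5, []byte("hello"))
	negative := frame(-1, nil)
	truncated := frame(100, []byte("abc"))

	for name, f := range map[string][]byte{"good": good, "negative": negative, "truncated": truncated} {
		payload, err := decodeFrame(f)
		fmt.Printf("checked   %-9s payload=%q err=%v\n", name, payload, err)
		fmt.Printf("unchecked %-9s panics=%v\n", name, panicsOnUncheckedDecode(f))
	}
}
```

Running the block shows the checked decoder returning `ErrBadLength` for the negative frame and `ErrShortFrame` for the truncated one, while the unchecked decoder panics on both. The point for a relay or client implementation is the same as in the fix referenced by the advisory: treat the length as untrusted input, bound it both below (non-negative) and above (a protocol maximum), and verify it against the bytes actually on hand before slicing.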


