[pkg-go] Bug#986593: syncthing: CVE-2021-21404
Salvatore Bonaccorso
carnil at debian.org
Wed Apr 7 20:36:01 BST 2021
Source: syncthing
Version: 1.12.1~ds1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for syncthing.
CVE-2021-21404[0]:
| Syncthing is a continuous file synchronization program. In Syncthing
| before version 1.15.0, the relay server `strelaysrv` can be caused to
| crash and exit by sending a relay message with a negative length
| field. Similarly, Syncthing itself can crash for the same reason if
| given a malformed message from a malicious relay server when
| attempting to join the relay. Relay joins are essentially random (from
| a subset of low latency relays) and Syncthing will by default restart
| when crashing, at which point it's likely to pick another non-malicious
| relay. This flaw is fixed in version 1.15.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-21404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21404
[1] https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h
[2] https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
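The crash class behind this CVE, a signed length field in a framed message used directly as an allocation size, is easy to reproduce in isolation. The Go program below is an added example written for this report; it is not Syncthing's relay code and does not reproduce its actual wire format. The `header` layout, the `magic` constant, `maxMessageLength` and all function names are assumptions made for the illustration. `readMessageUnchecked` shows the vulnerable pattern (a negative length reaches `make`, which panics with "len out of range" and takes the process down, exactly the denial of service described above), and `readMessageChecked` shows the bounds check a reader needs before allocating.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// header is a hypothetical length-prefixed frame header constructed for this
// example: a magic value, a signed message type and a signed message length,
// all big-endian. It is NOT Syncthing's real relay header.
type header struct {
	Magic         uint32
	MessageType   int32
	MessageLength int32
}

// Hypothetical magic value and per-message size cap, chosen for this example.
const (
	magic            = 0x9E79BC40
	maxMessageLength = 1 << 20
)

var (
	errBadMagic  = errors.New("bad magic")
	errBadLength = errors.New("invalid message length")
)

// readMessageUnchecked mirrors the vulnerable pattern: the signed length
// field from the wire is passed straight to make(). A negative value makes
// make() panic ("makeslice: len out of range"), crashing the process.
func readMessageUnchecked(r io.Reader) ([]byte, error) {
	var hdr header
	if err := binary.Read(r, binary.BigEndian, &hdr); err != nil {
		return nil, err
	}
	if hdr.Magic != magic {
		return nil, errBadMagic
	}
	buf := make([]byte, hdr.MessageLength) // panics when MessageLength < 0
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// readMessageChecked rejects negative and oversized lengths before any
// allocation happens, so a malicious peer can only earn an error, not a crash.
func readMessageChecked(r io.Reader) ([]byte, error) {
	var hdr header
	if err := binary.Read(r, binary.BigEndian, &hdr); err != nil {
		return nil, err
	}
	if hdr.Magic != magic {
		return nil, errBadMagic
	}
	if hdr.MessageLength < 0 || hdr.MessageLength > maxMessageLength {
		return nil, fmt.Errorf("%w: %d", errBadLength, hdr.MessageLength)
	}
	buf := make([]byte, hdr.MessageLength)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// encodeMessage builds a frame with an arbitrary length field, so a caller
// can craft the negative length a malicious relay or client would send.
func encodeMessage(msgType, length int32, payload []byte) []byte {
	var b bytes.Buffer
	_ = binary.Write(&b, binary.BigEndian, header{Magic: magic, MessageType: msgType, MessageLength: length})
	b.Write(payload)
	return b.Bytes()
}

// survivesUnchecked runs the vulnerable reader on a frame and reports whether
// it returned normally, recovering from the panic so the crash is observable.
func survivesUnchecked(frame []byte) (survived bool) {
	defer func() {
		if r := recover(); r != nil {
			survived = false
		}
	}()
	_, _ = readMessageUnchecked(bytes.NewReader(frame))
	return true
}

func main() {
	good := encodeMessage(1, 5, []byte("hello")) // constructed well-formed frame
	evil := encodeMessage(1, -1, nil)            // constructed frame with negative length
	fmt.Println("unchecked, well-formed frame survives:", survivesUnchecked(good))
	fmt.Println("unchecked, negative length survives:  ", survivesUnchecked(evil))
	_, err := readMessageChecked(bytes.NewReader(evil))
	fmt.Println("checked, negative length error:       ", err)
}
```

Note that the check must run before the allocation, and an upper bound matters as much as the sign: a length of 0x7FFFFFFF would not panic but would let a single unauthenticated frame demand 2 GiB of memory.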