[pkg-go] Bug#991301: syncthing-relaysrv: Security issue due to CVE-2021-21404 for all versions <1.15.0

Pierre Bernhardt pierre at starcumulus.owl.de
Tue Jul 20 10:28:12 BST 2021

Package: syncthing-relaysrv
Version: <1.15.0
Severity: normal
Tags: newcomer

Dear Maintainer,

This is a copy of the text from CVE-2021-21404 because I cannot see that the
problem is allready fixed in downstream versions:
Syncthing is a continuous file synchronization program. In Syncthing before
version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit
by sending a relay message with a negative length field. Similarly, Syncthing
itself can crash for the same reason if given a malformed message from a
malicious relay server when attempting to join the relay. Relay joins are
essentially random (from a subset of low latency relays) and Syncthing will by
default restart when crashing, at which point it's likely to pick another non-
malicious relay. This flaw is fixed in version 1.15.0.

It is not installed on my system but of relevant security issue it should be
fixed on all versions.

More information about the Pkg-go-maintainers mailing list