[pkg-go] Bug#991301: syncthing-relaysrv: Security issue due to CVE-2021-21404 for all versions <1.15.0
Aloïs Micard
creekorful at debian.org
Sat Nov 13 22:05:08 GMT 2021
On Tue, 20 Jul 2021 11:28:12 +0200 Pierre Bernhardt <pierre at starcumulus.owl.de> wrote:
> Package: syncthing-relaysrv
> Version: <1.15.0
> Severity: normal
> Tags: newcomer
>
> Dear Maintainer,
>
> This is a copy of the text from CVE-2021-21404 because I cannot see that the
> problem is allready fixed in downstream versions:
> Syncthing is a continuous file synchronization program. In Syncthing before
> version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit
> by sending a relay message with a negative length field. Similarly, Syncthing
> itself can crash for the same reason if given a malformed message from a
> malicious relay server when attempting to join the relay. Relay joins are
> essentially random (from a subset of low latency relays) and Syncthing will by
> default restart when crashing, at which point it's likely to pick another non-
> malicious relay. This flaw is fixed in version 1.15.0.
>
> It is not installed on my system but of relevant security issue it should be
> fixed on all versions.
>
>
>
>
>
Hello,
It looks like it has already been dealt with?
https://security-tracker.debian.org/tracker/CVE-2021-21404
https://bugs.debian.org/986593
It hasn't been fixed in {old}oldstable tho (because DSA
has classified the bug has minor issue)
Cheers,
--
Aloïs Micard <creekorful at debian.org>
GPG: DA4A A436 9BFA E299 67CD E85B F733 E871 0859 FCD2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-go-maintainers/attachments/20211113/3fa2da24/attachment.sig>
More information about the Pkg-go-maintainers
mailing list