[pkg-go] Bug#991301: syncthing-relaysrv: Security issue due to CVE-2021-21404 for all versions <1.15.0

Aloïs Micard creekorful at debian.org
Sat Nov 13 22:05:08 GMT 2021

On Tue, 20 Jul 2021 11:28:12 +0200 Pierre Bernhardt <pierre at starcumulus.owl.de> wrote:
> Package: syncthing-relaysrv
> Version: <1.15.0
> Severity: normal
> Tags: newcomer
> Dear Maintainer,
> This is a copy of the text from CVE-2021-21404 because I cannot see that the
> problem is already fixed in downstream versions:
> Syncthing is a continuous file synchronization program. In Syncthing before
> version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit
> by sending a relay message with a negative length field. Similarly, Syncthing
> itself can crash for the same reason if given a malformed message from a
> malicious relay server when attempting to join the relay. Relay joins are
> essentially random (from a subset of low latency relays) and Syncthing will by
> default restart when crashing, at which point it's likely to pick another non-
> malicious relay. This flaw is fixed in version 1.15.0.
> It is not installed on my system, but as it is a relevant security issue, it should be
> fixed in all versions.


It looks like it has already been dealt with?


It hasn't been fixed in {old}oldstable though (because DSA
has classified the bug as a minor issue).


Aloïs Micard <creekorful at debian.org>

GPG: DA4A A436 9BFA E299 67CD E85B F733 E871 0859 FCD2
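The quoted CVE text describes a length-prefixed relay message whose signed length field is trusted by the reader, so a negative value crashes the process. The program below is an added illustration written for this archive page; it is not Syncthing's or strelaysrv's own code. The 12-byte header layout (magic, type, signed 32-bit length), the magic value and the 1 MiB upper bound are assumptions made for the demo, and the malicious frame is constructed inline. It shows the crash class (a negative length reaching make) next to the check that a hardened reader performs before allocating.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Assumed framing for illustration only (not Syncthing's real protocol code):
// a fixed header followed by Length bytes of body.
const (
	magic         uint32 = 0x9E79BC40 // assumed placeholder magic
	maxMessageLen int32  = 1 << 20    // assumed sane upper bound for the hardened reader
)

type header struct {
	Magic  uint32
	Type   int32
	Length int32
}

// readMessageVulnerable trusts the length field as received. With a negative
// Length, make([]byte, n) panics with "makeslice: len out of range", which is
// the crash-and-exit behaviour described in CVE-2021-21404.
func readMessageVulnerable(r io.Reader) (header, []byte, error) {
	var hdr header
	if err := binary.Read(r, binary.BigEndian, &hdr); err != nil {
		return hdr, nil, err
	}
	body := make([]byte, hdr.Length) // panics when hdr.Length < 0
	if _, err := io.ReadFull(r, body); err != nil {
		return hdr, nil, err
	}
	return hdr, body, nil
}

// readMessageHardened validates the header before allocating anything and
// turns a bad length into an ordinary error the caller can log and drop.
func readMessageHardened(r io.Reader) (header, []byte, error) {
	var hdr header
	if err := binary.Read(r, binary.BigEndian, &hdr); err != nil {
		return hdr, nil, err
	}
	if hdr.Magic != magic {
		return hdr, nil, errors.New("bad magic in relay message header")
	}
	if hdr.Length < 0 || hdr.Length > maxMessageLen {
		return hdr, nil, fmt.Errorf("invalid relay message length %d", hdr.Length)
	}
	body := make([]byte, hdr.Length)
	if _, err := io.ReadFull(r, body); err != nil {
		return hdr, nil, err
	}
	return hdr, body, nil
}

// encode builds a frame with an arbitrary length field, so the test inputs
// (including the malicious one) can be constructed in memory.
func encode(typ, length int32, body []byte) []byte {
	var buf bytes.Buffer
	_ = binary.Write(&buf, binary.BigEndian, header{Magic: magic, Type: typ, Length: length})
	buf.Write(body)
	return buf.Bytes()
}

// Panics reports whether fn panics, so the demo can observe the crash
// without taking the whole process down.
func Panics(fn func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	good := encode(1, 5, []byte("hello"))   // constructed well-formed frame
	bad := encode(1, -1, nil)               // constructed frame with a negative length field

	_, body, err := readMessageVulnerable(bytes.NewReader(good))
	fmt.Printf("vulnerable reader, good frame: body=%q err=%v\n", body, err)
	fmt.Println("vulnerable reader, negative length panics:",
		Panics(func() { readMessageVulnerable(bytes.NewReader(bad)) }))
	_, _, err = readMessageHardened(bytes.NewReader(bad))
	fmt.Println("hardened reader, negative length:", err)
}
```

The same check protects both directions mentioned in the advisory: a relay server reading from a client, and a Syncthing client reading the join response from a relay it picked. Rejecting the frame with an error rather than panicking also removes the dependence on the process restarting and landing on a different relay.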
