[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#47627: syncthing package is vulnerable to CVE-2021-21404
From: |
Leo Famulari |
Subject: |
bug#47627: syncthing package is vulnerable to CVE-2021-21404 |
Date: |
Tue, 6 Apr 2021 18:51:47 -0400 |
On Wed, Apr 07, 2021 at 12:40:03AM +0200, Léo Le Bouter via Bug reports for GNU
Guix wrote:
> CVE-2021-21404 06.04.21 22:15
> Syncthing is a continuous file synchronization program. In Syncthing
> before version 1.15.0, the relay server `strelaysrv` can be caused to
> crash and exit by sending a relay message with a negative length field.
> Similarly, Syncthing itself can crash for the same reason if given a
> malformed message from a malicious relay server when attempting to join
> the relay. Relay joins are essentially random (from a subset of low
> latency relays) and Syncthing will by default restart when crashing, at
> which point it's likely to pick another non-malicious relay. This flaw
> is fixed in version 1.15.0.
>
> We still ship 1.5.0, we crucially need to update that *very* useful
> networked daemon package. With the new go importer maybe that's easier.
> Also work in the go build system needs to happen IIRC.
>
> Previous discussion about updating syncthing:
> https://issues.guix.gnu.org/45476
Yeah. Given this report, we could also just build Syncthing with the
bundled source code, which is freely licensed.
signature.asc
Description: PGP signature