openSUSE Security Update: Security update for syncthing
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:0713-1
Rating:             moderate
References:         #1184428 
Cross-References:   CVE-2021-21404
CVSS scores:
                    CVE-2021-21404 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for syncthing fixes the following issues:

   Update to 1.15.0/1.15.1

     * This release fixes a vulnerability where Syncthing and the relay
       server can crash due to malformed relay protocol messages
       (CVE-2021-21404); see GHSA-x462-89pf-6r5h. (boo#1184428)
     * This release updates the CLI to use subcommands and adds the
       subcommands cli (previously standalone stcli utility) and decrypt (for
       offline verifying and decrypting encrypted folders).
     * With this release we invite everyone to test the "untrusted
       (encrypted) devices" feature. You should not use it yet on important
       production data. Thus UI controls are hidden behind a feature flag.
       For more information, visit:
       https://forum.syncthing.net/t/testing-untrusted-encrypted-devices/16470

   Update to 1.14.0

     * This release adds configurable device and folder defaults.
     * The output format of the /rest/db/browse endpoint has changed.

   update to 1.13.1:

     * This release adds configuration options for min/max connections (see
       https://docs.syncthing.net/advanced/option-connection-limits.html) and
       moves the storage of pending devices/folders from the config to the
       database (see
       https://docs.syncthing.net/dev/rest.html#cluster-endpoints).
     * Bugfixes
     * Official builds of v1.13.0 come with the Tech Ui, which is impossible
       to switch back from

   update to 1.12.1:

     * Invalid names are allowed and "auto accepted" in folder root path on
       Windows
     * Sometimes indexes for some folders aren't sent after starting Syncthing
     * [Untrusted] Remove Unexpected Items leaves things behind
     * Wrong theme on selection
     * Quic spamming address resolving
     * Deleted locally changed items still shown as locally changed
     * Allow specifying remote expected web UI port which would generate a
       href somewhere
     * Ignore fsync errors when saving ignore files

   Update to 1.12.0

     - The 1.12.0 release
       - adds a new config REST API.
     - The 1.11.0 release
       - adds the sendFullIndexOnUpgrade option to control whether all index
         data is resent when an upgrade is detected, equivalent to starting
         Syncthing with --reset-deltas. This (sendFullIndexOnUpgrade=true)
         used to be the behavior in previous versions, but is mainly useful
         as a troubleshooting step and causes high database churn. The new
         default is false.

   - Update to 1.10.0
     - This release adds the config option announceLANAddresses to enable
       (the default) or disable announcing private (RFC1918) LAN IP addresses
       to global discovery.

   - Update to 1.9.0
     - This release adds the advanced folder option caseSensitiveFS
       (https://docs.syncthing.net/advanced/folder-caseSensitiveFS.html) to
       disable the new safe handling of case insensitive filesystems.

   - Fix Leap build by requiring at least Go 1.14

   - Prevent the build system to download Go modules which would require an
     internet connection during the build
   - Update to 1.8.0
     - The 1.8.0 release
       - adds the experimental copyRangeMethod config on folders, for use on
         filesystems with copy-on-write support. Please see
         https://docs.syncthing.net/advanced/folder-copyrangemethod.html for
         details.
       - adds TCP hole punching, used to establish high performance TCP
         connections in certain NAT scenarios where only relay or QUIC
         connections could be used previously.
       - adds a configuration to file versioning for how often to run
         cleanup. This defaults to once an hour, but is configurable from
         very frequently to never.
     - The 1.7.0 release performs a database migration to optimize for
       clusters with many devices.
     - The 1.6.0 release performs a database schema migration, and adds the
       BlockPullOrder, DisableFsync and MaxConcurrentWrites folder
       options to the configuration schema. The LocalChangeDetected event no
        longer has the action set to added for new files, instead showing
        modified for all local file changes.
     - The 1.5.0 release changes the default location for the index database
       under some circumstances. Two new flags can also be used to affect the
       location of the configuration (-config) and database (-data)
       separately. The old -home flag is equivalent to setting both of these
       to the same directory. When no flags are given the following logic is
       used to determine the data location: If a database exists in the old
       default location, that location is still used. This means existing
       installations are not affected by this change. If $XDG_DATA_HOME is
       set, use $XDG_DATA_HOME/syncthing. If ~/.local/share/syncthing exists,
       use that location. Use the old default location.

   - Update to 1.4.2:
     - Bugfixes:
       - #6499: panic: nil pointer dereference in usage reporting
     - Other issues:
       - revert a change to the upgrade code that puts unnecessary load on
         the upgrade server

   - Update to 1.4.1:
     - Bugfixes:
       - #6289: "general SOCKS server failure" since syncthing 1.3.3
       - #6365: Connection errors not shown in GUI
       - #6415: Loop in database migration "folder db index missing" after
         upgrade to v1.4.0
       - #6422: "fatal error: runtime: out of memory" during database
         migration on QNAP NAS
   - Enhancements:
       - #5380: gui: Display folder/device name in modal
       - #5979: UNIX socket permission bits
       - #6384: Do auto upgrades early and synchronously on startup
   - Other issues:
       - #6249: Remove unnecessary RAM/CPU stats from GUI

   - Update to 1.4.0:
     - Important changes:
       - New config option maxConcurrentIncomingRequestKiB
       - Replace config option maxConcurrentScans with maxFolderConcurrency
       - Improve database schema
     - Bugfixes:
       - #4774: Doesn't react to Ctrl-C when run in a subshell with
         -no-restart (Linux)
       - #5952: panic: Should never get a deleted file as needed when we
         don't have it
       - #6281: Progress emitter uses 100% CPU
       - #6300: lib/ignore: panic: runtime error: index out of range [0] with
         length 0
       - #6304: Syncing issues, database missing sequence entries
       - #6335: Crash or hard shutdown can case database inconsistency, out
         of sync
     - Enhancements:
       - #5786: Consider always running the monitor process
       - #5898: Database performance: reduce duplication
       - #5914: Limit folder concurrency to improve performance
       - #6302: Avoid thundering herd issue by global request limiter

   - Change the Go build requirement to a more flexible "golang(API) >= 1.12".

   This update was imported from the openSUSE:Leap:15.2:Update update project.


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP2:

      zypper in -t patch openSUSE-2021-713=1



Package List:

   - openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):

      syncthing-1.15.1-bp152.2.3.1
      syncthing-relaysrv-1.15.1-bp152.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2021-21404.html
   https://bugzilla.suse.com/1184428

openSUSE: 2021:0713-1 moderate: syncthing

May 11, 2021
An update that fixes one vulnerability is now available

Description

This update for syncthing fixes the following issues: Update to 1.15.0/1.15.1 * This release fixes a vulnerability where Syncthing and the relay server can crash due to malformed relay protocol messages (CVE-2021-21404); see GHSA-x462-89pf-6r5h. (boo#1184428) * This release updates the CLI to use subcommands and adds the subcommands cli (previously standalone stcli utility) and decrypt (for offline verifying and decrypting encrypted folders). * With this release we invite everyone to test the "untrusted (encrypted) devices" feature. You should not use it yet on important production data. Thus UI controls are hidden behind a feature flag. For more information, visit: https://forum.syncthing.net/t/testing-untrusted-encrypted-devices/16470 Update to 1.14.0 * This release adds configurable device and folder defaults. * The output format of the /rest/db/browse endpoint has changed. update to 1.13.1: * This release adds configuration options for min/max connections (see https://docs.syncthing.net/advanced/option-connection-limits.html) and moves the storage of pending devices/folders from the config to the database (see https://docs.syncthing.net/dev/rest.html#cluster-endpoints). * Bugfixes * Official builds of v1.13.0 come with the Tech Ui, which is impossible to switch back from update to 1.12.1: * Invalid names are allowed and "auto accepted" in folder root path on Windows * Sometimes indexes for some folders aren't sent after starting Syncthing * [Untrusted] Remove Unexpected Items leaves things behind * Wrong theme on selection * Quic spamming address resolving * Deleted locally changed items still shown as locally changed * Allow specifying remote expected web UI port which would generate a href somewhere * Ignore fsync errors when saving ignore files Update to 1.12.0 - The 1.12.0 release - adds a new config REST API. - The 1.11.0 release - adds the sendFullIndexOnUpgrade option to control whether all index data is resent when an upgrade is detected, equivalent to starting Syncthing with --reset-deltas. This (sendFullIndexOnUpgrade=true) used to be the behavior in previous versions, but is mainly useful as a troubleshooting step and causes high database churn. The new default is false. - Update to 1.10.0 - This release adds the config option announceLANAddresses to enable (the default) or disable announcing private (RFC1918) LAN IP addresses to global discovery. - Update to 1.9.0 - This release adds the advanced folder option caseSensitiveFS (https://docs.syncthing.net/advanced/folder-caseSensitiveFS.html) to disable the new safe handling of case insensitive filesystems. - Fix Leap build by requiring at least Go 1.14 - Prevent the build system to download Go modules which would require an internet connection during the build - Update to 1.8.0 - The 1.8.0 release - adds the experimental copyRangeMethod config on folders, for use on filesystems with copy-on-write support. Please see https://docs.syncthing.net/advanced/folder-copyrangemethod.html for details. - adds TCP hole punching, used to establish high performance TCP connections in certain NAT scenarios where only relay or QUIC connections could be used previously. - adds a configuration to file versioning for how often to run cleanup. This defaults to once an hour, but is configurable from very frequently to never. - The 1.7.0 release performs a database migration to optimize for clusters with many devices. - The 1.6.0 release performs a database schema migration, and adds the BlockPullOrder, DisableFsync and MaxConcurrentWrites folder options to the configuration schema. The LocalChangeDetected event no longer has the action set to added for new files, instead showing modified for all local file changes. - The 1.5.0 release changes the default location for the index database under some circumstances. Two new flags can also be used to affect the location of the configuration (-config) and database (-data) separately. The old -home flag is equivalent to setting both of these to the same directory. When no flags are given the following logic is used to determine the data location: If a database exists in the old default location, that location is still used. This means existing installations are not affected by this change. If $XDG_DATA_HOME is set, use $XDG_DATA_HOME/syncthing. If ~/.local/share/syncthing exists, use that location. Use the old default location. - Update to 1.4.2: - Bugfixes: - #6499: panic: nil pointer dereference in usage reporting - Other issues: - revert a change to the upgrade code that puts unnecessary load on the upgrade server - Update to 1.4.1: - Bugfixes: - #6289: "general SOCKS server failure" since syncthing 1.3.3 - #6365: Connection errors not shown in GUI - #6415: Loop in database migration "folder db index missing" after upgrade to v1.4.0 - #6422: "fatal error: runtime: out of memory" during database migration on QNAP NAS - Enhancements: - #5380: gui: Display folder/device name in modal - #5979: UNIX socket permission bits - #6384: Do auto upgrades early and synchronously on startup - Other issues: - #6249: Remove unnecessary RAM/CPU stats from GUI - Update to 1.4.0: - Important changes: - New config option maxConcurrentIncomingRequestKiB - Replace config option maxConcurrentScans with maxFolderConcurrency - Improve database schema - Bugfixes: - #4774: Doesn't react to Ctrl-C when run in a subshell with -no-restart (Linux) - #5952: panic: Should never get a deleted file as needed when we don't have it - #6281: Progress emitter uses 100% CPU - #6300: lib/ignore: panic: runtime error: index out of range [0] with length 0 - #6304: Syncing issues, database missing sequence entries - #6335: Crash or hard shutdown can case database inconsistency, out of sync - Enhancements: - #5786: Consider always running the monitor process - #5898: Database performance: reduce duplication - #5914: Limit folder concurrency to improve performance - #6302: Avoid thundering herd issue by global request limiter - Change the Go build requirement to a more flexible "golang(API) >= 1.12". This update was imported from the openSUSE:Leap:15.2:Update update project.

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP2: zypper in -t patch openSUSE-2021-713=1


Package List

- openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64): syncthing-1.15.1-bp152.2.3.1 syncthing-relaysrv-1.15.1-bp152.2.3.1


References

https://www.suse.com/security/cve/CVE-2021-21404.html https://bugzilla.suse.com/1184428


Severity
Announcement ID: openSUSE-SU-2021:0713-1
Rating: moderate
Affected Products: openSUSE Backports SLE-15-SP2 .

Related News

2.Motherboard Esm H320
2 - 3 min read
German software engineer Lennart Poettering recently presented run0 , a new tool in systemd v256 that aims to address the security concerns
22.Lock ScreenEffect Esm H320
2 - 3 min read
Red Hat recently released its newest enterprise Linux distro, Red Hat Enterprise Linux (RHEL) 9.4 , which introduces several features designed to
8.Locks HexConnections CodeGlobe Esm H320
1 - 2 min read
The latest release of Debian , one of the oldest and most trusted distributions within the Linux ecosystem, redefines security, stability, and
20.Lock AbstractDigital Circular Esm H320
1 - 2 min read
The Ubuntu security team has recently discovered and addressed multiple vulnerabilities in the Apache HTTP Server. The vulnerabilities affected
1.Penguin Landscape Esm H320
1 - 2 min read
A critical vulnerability was discovered in the Linux kernel's netfilter subsystem, specifically within the nf_tables component, posing potential
19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved