unofficial mirror of bug-guix@gnu.org 
* bug#47627: syncthing package is vulnerable to CVE-2021-21404
@ 2021-04-06 22:40 Léo Le Bouter via Bug reports for GNU Guix
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-04-06 22:40 UTC (permalink / raw)
  To: 47627


CVE-2021-21404	06.04.21 22:15
Syncthing is a continuous file synchronization program. In Syncthing
before version 1.15.0, the relay server `strelaysrv` can be caused to
crash and exit by sending a relay message with a negative length field.
Similarly, Syncthing itself can crash for the same reason if given a
malformed message from a malicious relay server when attempting to join
the relay. Relay joins are essentially random (from a subset of low
latency relays) and Syncthing will by default restart when crashing, at
which point it's likely to pick another non-malicious relay. This flaw
is fixed in version 1.15.0.

We still ship 1.5.0; we crucially need to update that *very* useful
networked daemon package. With the new Go importer maybe that's easier.
Also, work in the Go build system needs to happen, IIRC.

Previous discussion about updating syncthing:
https://issues.guix.gnu.org/45476

Léo


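The crash the CVE text describes, a relay message carrying a negative length field, comes down to a length-prefixed frame reader that allocates a buffer from an untrusted signed length without checking its sign. The Go program below is an added illustration, not Syncthing's own code: the 12-byte header layout (magic, message type, signed 32-bit length), the magic constant and the 1 MiB cap are assumptions made for the example, and the malformed frame is constructed inline. It shows the trusting reader panicking on a negative length and a checked reader rejecting the same frame before allocating anything.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Simplified relay frame header used for this example: a fixed magic value,
// a message type and a signed 32-bit body length, all big-endian. This is an
// assumed model for illustration, not Syncthing's actual wire format.
const headerSize = 12
const magic uint32 = 0x9E79BC40 // constructed magic value for the example

// maxMessageLength is an arbitrary upper bound chosen for the example.
const maxMessageLength = 1 << 20 // 1 MiB

var errBadLength = errors.New("relay: invalid message length")

// readHeader parses the fixed-size frame header and returns the message type
// and the length field exactly as sent, including a negative value.
func readHeader(r io.Reader) (msgType int32, length int32, err error) {
	var hdr [headerSize]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return 0, 0, err
	}
	if binary.BigEndian.Uint32(hdr[0:4]) != magic {
		return 0, 0, errors.New("relay: bad magic")
	}
	msgType = int32(binary.BigEndian.Uint32(hdr[4:8]))
	length = int32(binary.BigEndian.Uint32(hdr[8:12]))
	return msgType, length, nil
}

// readMessageUnchecked trusts the length field. A negative value makes
// make([]byte, n) panic with "makeslice: len out of range", which is the
// crash class the advisory describes. The panic is recovered here only so
// the function can report it as an error instead of killing the process.
func readMessageUnchecked(r io.Reader) (body []byte, err error) {
	defer func() {
		if p := recover(); p != nil {
			err = fmt.Errorf("panic: %v", p)
		}
	}()
	var n int32
	_, n, err = readHeader(r)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, n) // panics at runtime when n < 0
	_, err = io.ReadFull(r, buf)
	return buf, err
}

// readMessageChecked validates the length field before allocating: negative
// values are rejected, and so are lengths above the cap, which would
// otherwise let a peer force a large allocation.
func readMessageChecked(r io.Reader) ([]byte, error) {
	_, n, err := readHeader(r)
	if err != nil {
		return nil, err
	}
	if n < 0 || n > maxMessageLength {
		return nil, fmt.Errorf("%w: %d", errBadLength, n)
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err // truncated body surfaces as io.ErrUnexpectedEOF
	}
	return buf, nil
}

// frame builds a message with the given type, length field and body. The
// length is passed separately so a malformed (negative) header can be built.
func frame(msgType int32, length int32, body []byte) []byte {
	var hdr [headerSize]byte
	binary.BigEndian.PutUint32(hdr[0:4], magic)
	binary.BigEndian.PutUint32(hdr[4:8], uint32(msgType))
	binary.BigEndian.PutUint32(hdr[8:12], uint32(length))
	return append(hdr[:], body...)
}

func main() {
	good := frame(1, 5, []byte("hello")) // constructed well-formed frame
	bad := frame(1, -1, nil)             // constructed malicious frame

	b, err := readMessageChecked(bytes.NewReader(good))
	fmt.Printf("good frame, checked: %q %v\n", b, err)
	_, err = readMessageUnchecked(bytes.NewReader(bad))
	fmt.Println("bad frame, unchecked:", err)
	_, err = readMessageChecked(bytes.NewReader(bad))
	fmt.Println("bad frame, checked:", err)
}
```

Without the recover in the unchecked reader the panic unwinds the goroutine and takes the whole relay process down, which matches the "crash and exit" in the CVE text; the checked reader turns the same input into an ordinary per-connection error.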


Thread overview: 5+ messages
2021-04-06 22:40 bug#47627: syncthing package is vulnerable to CVE-2021-21404 Léo Le Bouter via Bug reports for GNU Guix
2021-04-06 22:51 ` Leo Famulari
2021-04-09  0:01   ` Leo Famulari
2021-04-12  0:27     ` Léo Le Bouter via Bug reports for GNU Guix
2021-04-12  1:54       ` Leo Famulari

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
