CVE-2021-21404: Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it's likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0. Please bump.
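The crash class described above, as an added example that is not Syncthing's code: it assumes a simplified framing (a 4-byte big-endian signed length field followed by the payload, not the real relay wire format) and a 1 MiB ceiling, and shows a reader that trusts the length field beside one that validates it before allocating.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// Assumed, simplified framing (not Syncthing's real wire format): a 4-byte
// big-endian signed length field followed by that many payload bytes.
const MaxFrameLen = 1 << 20 // assumed 1 MiB ceiling for one frame

// readFrameUnchecked trusts the length field. A negative value becomes a
// negative slice size, make() panics and the process exits: the crash class
// described in the advisory.
func readFrameUnchecked(r io.Reader) ([]byte, error) {
	var n int32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return nil, err
	}
	buf := make([]byte, n) // panics when n < 0; unbounded alloc when n is huge
	_, err := io.ReadFull(r, buf)
	return buf, err
}

// ReadFrame rejects negative and oversized lengths before allocating.
func ReadFrame(r io.Reader) ([]byte, error) {
	var n int32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return nil, err
	}
	if n < 0 || n > MaxFrameLen {
		return nil, fmt.Errorf("relay frame: invalid length field %d", n)
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// PanicsOnFrame reports whether the unchecked reader panics on frame.
func PanicsOnFrame(frame []byte) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	readFrameUnchecked(bytes.NewReader(frame))
	return false
}

// Constructed sample: length field of -1 (0xFFFFFFFF) and no payload.
var NegativeLengthFrame = []byte{0xFF, 0xFF, 0xFF, 0xFF}
```

`PanicsOnFrame(NegativeLengthFrame)` returns true, while `ReadFrame` on the same bytes returns an error instead of taking the process down.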
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3a39dc0c31ae1bb493766e48a0ca9e39ed9f05d

commit d3a39dc0c31ae1bb493766e48a0ca9e39ed9f05d
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-04-07 08:02:15 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-04-07 08:08:23 +0000

    net-p2p/syncthing: bump to 1.15.1

    Addresses CVE-2021-21404.

    Bug: https://bugs.gentoo.org/780678
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-p2p/syncthing/Manifest                |  30 ++
 net-p2p/syncthing/syncthing-1.15.1.ebuild | 781 ++++++++++++++++++++++++++++++
 2 files changed, 811 insertions(+)
ppc64 done
x86 done
arm done
arm64 done
amd64 done
all arches done
Please cleanup.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d36439b60ace1b6e526717543e33e8475a94f64

commit 6d36439b60ace1b6e526717543e33e8475a94f64
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-04-12 16:58:17 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-04-12 16:58:57 +0000

    net-p2p/syncthing: remove versions vulnerable to CVE-2021-21404

    Bug: https://bugs.gentoo.org/780678
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-p2p/syncthing/Manifest                |  46 --
 net-p2p/syncthing/syncthing-1.13.1.ebuild | 797 ------------------------------
 2 files changed, 843 deletions(-)
Thanks!
Package list is empty or all packages have requested keywords.
Shouldn't we close this, or something?
(In reply to Marek Szuba from comment #16)
> Shouldn't we close this, or something?

Yes, once a GLSA is released.
It's been two years, can this be closed?
(In reply to gentoo-setan from comment #18)
> it's been two years, can this be closed?

A decision on a GLSA still needs to be made. We have a backlog here and work our way down through the priorities.