Your message dated Thu, 15 Jul 2021 16:20:54 +0000
with message-id <[email protected]>
and subject line Bug#986593: fixed in syncthing 1.12.1~ds1-3
has caused the Debian Bug report #986593,
regarding syncthing: CVE-2021-21404
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
986593: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986593
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: syncthing
Version: 1.12.1~ds1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for syncthing.

CVE-2021-21404[0]:
| Syncthing is a continuous file synchronization program. In Syncthing
| before version 1.15.0, the relay server `strelaysrv` can be caused to
| crash and exit by sending a relay message with a negative length
| field. Similarly, Syncthing itself can crash for the same reason if
| given a malformed message from a malicious relay server when
| attempting to join the relay. Relay joins are essentially random (from
| a subset of low latency relays) and Syncthing will by default restart
| when crashing, at which point it's likely to pick another
| non-malicious relay. This flaw is fixed in version 1.15.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-21404
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21404
[1] https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h
[2] https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
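
Added example, not part of the original report and not Syncthing's code: a Go sketch of the bug class the CVE text describes, where a signed length field read from the wire is used as an allocation size. The 4-byte big-endian framing, `maxMessageLength` and all function names are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// maxMessageLength is an assumed cap for this sketch, not a Syncthing constant.
const maxMessageLength = 1024

var errBadLength = errors.New("message length out of range")

// readFrame reads a signed 32-bit big-endian length followed by that many
// payload bytes. With validate=false the length is trusted as received.
func readFrame(r io.Reader, validate bool) ([]byte, error) {
	var length int32
	if err := binary.Read(r, binary.BigEndian, &length); err != nil {
		return nil, err
	}
	// Hardened path: reject negative and oversized lengths before allocating.
	if validate && (length < 0 || length > maxMessageLength) {
		return nil, errBadLength
	}
	// A negative length makes make() panic at run time; an unrecovered
	// panic terminates the whole process.
	buf := make([]byte, length)
	_, err := io.ReadFull(r, buf)
	return buf, err
}

// crashes reports whether the unvalidated reader panics on the given frame.
func crashes(frame []byte) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	readFrame(bytes.NewReader(frame), false)
	return false
}

func main() {
	bad := []byte{0xff, 0xff, 0xff, 0xff} // constructed frame: length = -1
	_, err := readFrame(bytes.NewReader(bad), true)
	fmt.Println("unvalidated reader panics:", crashes(bad))
	fmt.Println("validated reader returns:", err)
}
```

Returning an error lets the caller drop the single connection instead of taking the process down.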
--- Begin Message ---
Source: syncthing
Source-Version: 1.12.1~ds1-3
Done: Alexandre Viau <[email protected]>

We believe that the bug you reported is fixed in the latest version of
syncthing, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexandre Viau <[email protected]> (supplier of updated syncthing package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 15 Jul 2021 11:47:47 -0400
Source: syncthing
Architecture: source
Version: 1.12.1~ds1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Alexandre Viau <[email protected]>
Closes: 983667 983668 983669 983670 986593
Changes:
 syncthing (1.12.1~ds1-3) unstable; urgency=medium
 .
   [ Alexandre Viau ]
   * Refresh patches.
 .
   [ Simon Frei ]
   * Patch CVE-2021-21404 (Closes: #986593).
   * Fix possible incorrect remote sync (Closes: #983667).
   * Fix dead-lock in index-sender (Closes: #983668).
   * Fix mismatching index-ids (Closes: #983669).
   * Fix connection taking too long to close (Closes: 983670).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
