On Tue, 20 Jul 2021 11:28:12 +0200 Pierre Bernhardt <pie...@starcumulus.owl.de> wrote:
Package: syncthing-relaysrv
Version: <1.15.0
Severity: normal
Tags: newcomer

Dear Maintainer,

This is a copy of the text from CVE-2021-21404 because I cannot see that the problem is already fixed in downstream versions:

Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it's likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.

It is not installed on my system, but as a relevant security issue it should be fixed on all versions.
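The failure mode the CVE text describes (a signed length field taken at face value before allocating the message buffer) as an added, constructed example in Go; this is not Syncthing's or strelaysrv's own code, and the 4-byte big-endian frame layout and the `maxMessageLen` cap are assumptions for illustration:

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Assumed cap on a message body; the real protocol's limit may differ.
const maxMessageLen = 1 << 20

var ErrBadLength = errors.New("invalid message length")

// readFrameUnchecked trusts the signed length field. A negative value makes
// make([]byte, n) panic, which matches the crash-and-exit behaviour described.
func readFrameUnchecked(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := int32(binary.BigEndian.Uint32(hdr[:]))
	buf := make([]byte, n) // runtime panic when n < 0
	_, err := io.ReadFull(r, buf)
	return buf, err
}

// readFrameChecked rejects negative and oversized lengths before allocating,
// so a malformed header yields an error instead of a crash.
func readFrameChecked(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := int32(binary.BigEndian.Uint32(hdr[:]))
	if n < 0 || n > maxMessageLen {
		return nil, fmt.Errorf("%w: %d", ErrBadLength, n)
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// frame builds a constructed wire message with the given length field.
func frame(length int32, body []byte) []byte {
	out := make([]byte, 4, 4+len(body))
	binary.BigEndian.PutUint32(out, uint32(length))
	return append(out, body...)
}

// panicsOnNegative reports whether the unchecked reader crashes on length -1.
func panicsOnNegative() (crashed bool) {
	defer func() { crashed = recover() != nil }()
	readFrameUnchecked(bytes.NewReader(frame(-1, nil)))
	return false
}
```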
Hello,

It looks like it has already been dealt with?

https://security-tracker.debian.org/tracker/CVE-2021-21404
https://bugs.debian.org/986593

It hasn't been fixed in {old}oldstable though (because DSA has classified the bug as a minor issue).

Cheers,

-- 
Aloïs Micard <creekor...@debian.org>
GPG: DA4A A436 9BFA E299 67CD E85B F733 E871 0859 FCD2