<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for syncthing</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2018:0109-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2018-01-15T14:42:19Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2018-01-15T14:42:19Z</InitialReleaseDate>
    <CurrentReleaseDate>2018-01-15T14:42:19Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for syncthing</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">
  
This update for syncthing brings a new version and fixes the following issues:

- Update to version 0.14.42:
  * Discovering new files in a deleted directory does not resurrect
    the directory (gh#syncthing/syncthing#4475).
  * 'Panic: interface conversion: *errors.errorString is not
    net.Error' after restart (gh#syncthing/syncthing#4561).
  * Auto-accept shared directories from trusted devices
    (gh#syncthing/syncthing#2299).
  * Empty directories in .stversions should be removed
    (gh#syncthing/syncthing#4406).
  * Human readable errors on attempted deletion of a non-empty
    directory (gh#syncthing/syncthing#4476).
  * Add confirmation on the Remove Folder / Device button
    (gh#syncthing/syncthing#4543).

- Update to version 0.14.41:
  * Devices with ignored files stay 'synchronising' forever
    (gh#syncthing/syncthing#623).
  * No Global Discovery without Synch Protocol Listen Address
    (gh#syncthing/syncthing#4418).
  * Local network classification doesn't always work
    (gh#syncthing/syncthing#4421).
  * Hashed GUI password should not be rehashed
    (gh#syncthing/syncthing#4458).
  * Pulls not triggered correctly on reconnection
    (gh#syncthing/syncthing#4504).
  * A symlink/file replacement doesn't work properly
    (gh#syncthing/syncthing#4505).
  * File/directory replacement doesn't work properly
    (gh#syncthing/syncthing#4506).
  * Logging at info level and above should always include context
    (gh#syncthing/syncthing#4510).
  * Panic in 'pfilter' package on 32 bit architectures
    (gh#syncthing/syncthing#4537).
  * Allow synchronising read-only directories as
    'Master Directories' (gh#syncthing/syncthing#1126).
  * 'Global Changes' button is confusing, retitle to
    'Recent Changes' (gh#syncthing/syncthing#4326).
  * Dial device addresses in parallel
    (gh#syncthing/syncthing#4456).
  * Avoid lots and lots of announced addresses in the presence of
    symmetric NAT (gh#syncthing/syncthing#4519).
  * Split transport usage reporting per stack
    (gh#syncthing/syncthing#4463).

- Update to version 0.14.40:
  * Report more data as part of the anonymous usage report
    (gh#syncthing/syncthing#3628).
  * Better report synchronisation errors
    (gh#syncthing/syncthing#4392).
  * Removing paused directories no longer causes a panic
    (gh#syncthing/syncthing#4405).
  * Make local IPv4 discovery more resilient against write failures
    (gh#syncthing/syncthing#4414).
  * Clearer logging around config failures at startup
    (gh#syncthing/syncthing#4431).
  * Do not complain about inability to fsync files
    (gh#syncthing/syncthing#4432).
  * Improve KCP connections (gh#syncthing/syncthing#4446).
  * Improve directory health checking
    (gh#syncthing/syncthing#4451).
  * Include built-in support for file system notifications,
    although it is disabled by default.
  * Enable by default the UDP based 'KCP' protocol.

- Update to version 0.14.39:
  * Removing paused directories no longer triggers a crash
    (gh#syncthing/syncthing#4357).
  * Add further security related HTTP headers
    (gh#syncthing/syncthing#4360).
  * Improve info level logging in some cases
    (gh#syncthing/syncthing#4375).
  * Improve GUI tooltips in chromium based browsers
    (gh#syncthing/syncthing#4377).
  * Add -device-id command line switch
    (gh#syncthing/syncthing#4387).
  * Failure to upgrade directory markers from file to directory
    type is no longer fatal.

- Update to version 0.14.38:
  * KCP connections are now more stable
    (gh#syncthing/syncthing#4063, gh#syncthing/syncthing#4343).
  * Hashing benchmarks are skipped if a manual selection has
    been forced (gh#syncthing/syncthing#4348).
  * Relay server RAM usage has been reduced
    (gh#syncthing/syncthing#4245).

- Update to version 0.14.37 (changes since 0.14.32):
  * Relative version paths are now correctly relative to the
    directory path (gh#syncthing/syncthing#4188).
  * Remote devices now show bytes remaining to synchronise
    (gh#syncthing/syncthing#4227).
  * Editing ignore patterns no longer incorrectly shows included
    patterns (gh#syncthing/syncthing#4249).
  * The new directory dialogue now suggests a default path.
    Adjustable via advanced config defaultFolderPath
    (gh#syncthing/syncthing#2157).
  * The build script no longer sets -installsuffix by default
    (gh#syncthing/syncthing#4272).
  * Prevent a vulnerability that allows file overwrite via
    versioned symlinks (CVE-2017-1000420, boo#1074428, gh#syncthing/syncthing#4286).
  * Symlinks are deleted from versioned directories on startup
    (gh#syncthing/syncthing#4288).
  * Directory paths are no longer reset when editing a directory
    without a label (gh#syncthing/syncthing#4297).
  * Better detect synchronisation conflicts that happen while
    synchronising (gh#syncthing/syncthing#3742,
    gh#syncthing/syncthing#4305).
  * Fix a crash related to a nil reference in ignore handling
    (gh#syncthing/syncthing#4300).
- Stop requiring golang.org/x/net/context.

- Update to version 0.14.32:
  * 'Nearby devices' are now shown in the add device dialogue,
    avoiding the need to type their device ID
    (gh#syncthing/syncthing#4157).
  * Directories that were once ignored in a sharing request now
    actually work properly when later added manually
    (gh#syncthing/syncthing#4219).

- Update to version 0.14.31 (changes since 0.14.29):
  * Correctly clear warning 'path is a subdirectory of other
    folder' in directory dialogue (gh#syncthing/syncthing#3433).
  * Conflict copies filename now includes the ID of the last device
    to change the file (gh#syncthing/syncthing#3524).
  * Directories offered by other devices can now be ignored
    (gh#syncthing/syncthing#3993).
  * Changed device name takes effect with restart; device name is
    not sent to unknown devices (gh#syncthing/syncthing#4164).
  * Correctly show CPU usage when started with -no-restart option
    (gh#syncthing/syncthing#4183).
  * Icons and directory information in local device summary is
    consistent with that in directories
    (gh#syncthing/syncthing#4100).
  * Fix a data race in KCP &amp; STUN (gh#syncthing/syncthing#4177).
  * Ignore patterns on newly accepted directories are no longer
    erroneously inherited from an earlier added directory
    (gh#syncthing/syncthing#4203).

- Update to version 0.14.29:
  * The layout of the global changes dialogue is improved
    (gh#syncthing/syncthing#3895).
  * Running as root or SYSTEM now triggers a warning recommending
    against it (gh#syncthing/syncthing#4123).
  * Changing the theme no longer causes an HTTP error
    (gh#syncthing/syncthing#4127).

- Update to version 0.14.28:
  * It is now possible to create custom event subscriptions via the
    REST API (gh#syncthing/syncthing#1879).
  * Removing large directories now uses less memory
    (gh#syncthing/syncthing#2250).
  * The minimum disc space (per directory and for the home drive)
    can now be set to an absolute value
    (gh#syncthing/syncthing#3307).
  * Pausing or reconfiguring a directory will no longer start extra
    scans. Pausing a directory stops scanning
    (gh#syncthing/syncthing#3965).
  * Ignore patterns can now be set at directory creation time, and
    for paused directories (gh#syncthing/syncthing#3996).
  * It is no longer possible to configure the GUI/API to listen on
    a privileged port using the standard settings dialogue
    (gh#syncthing/syncthing#4020).
  * The device allowed subnet list can now include negative ('!')
    entries to disallow subnets (gh#syncthing/syncthing#4096).
  * Doing 'Override changes' now uses less memory
    (gh#syncthing/syncthing#4112).
- Require golang.org/x/net/context on openSUSE older than
  openSUSE Leap 15.x.

- Update to version 0.14.27:
  * Devices can now have a list of allowed subnets (advanced
    config) (gh#syncthing/syncthing#219).
  * The transfer rate units can now be changed by clicking on the
    value (gh#syncthing/syncthing#234).
  * UI text explaining 'Introducer' is improved
    (gh#syncthing/syncthing#1819).
  * Advanced config editor can now edit lists of things
    (gh#syncthing/syncthing#2267).
  * Directories created for new directories now obey the user umask
    setting (gh#syncthing/syncthing#2519).
  * Incoming index updates are consistency checked better
    (gh#syncthing/syncthing#4053).

- Update to version 0.14.26:
  * Discovery errors are more clearly displayed in the GUI
    (gh#syncthing/syncthing#2344).
  * The language dropdown menu in the GUI is now correctly sorted
    (gh#syncthing/syncthing#3913).
  * When there are items that could not be synced, their full path
    is displayed in the GUI.

- Update to version 0.14.25:
  * Improve 'Pause All'/'Resume All' icons
    (gh#syncthing/syncthing#4003).
  * There are now mips and mipsle builds by default
    (gh#syncthing/syncthing#3959).
  * The 'overwriting protected files' warning now correctly handles
    relative paths to the config directory
    (gh#syncthing/syncthing#3183).
  * The experimental KCP protocol for transfers over UDP has been
    merged, although it's not currently enabled by default
    (gh#syncthing/syncthing#804).

- Update to version 0.14.24:
  * lib/sync: Fix a race in unlocker logging
    (gh#syncthing/syncthing#3884).
  * Make links and log messages refer to https instead of http
    where possible (gh#syncthing/syncthing#3976).
  * The default number of parallel file processing routines per
    directory is now two (previously one), and the number of
    simultaneously outstanding network requests has been increased.
  * The UI now contains buttons to pause or resume all directories
    with a single action.

- Update to version 0.14.23 (changes since 0.14.21):
  * Leading and trailing spaces are no longer stripped in the GUI
    password field (gh#syncthing/syncthing#3935).
  * The GUI shows remaining amount of data to sync per directory
    (gh#syncthing/syncthing#3908).
  * There should no longer be empty entries in the global log
    (gh#syncthing/syncthing#3933).
  * Weak hashing is now by default only enabled when it makes sense
    from a performance point of view (gh#syncthing/syncthing#3938).

- Update to version 0.14.21 (changes since 0.14.19):
  * There is now a warning when adding a directory that is a parent
    of an existing directory (gh#syncthing/syncthing#3197).
  * Using -logfile flag together with -no-restart now causes an
    error instead of silently failing (gh#syncthing/syncthing#3912).
  * Weak hashing is now disabled completely when the threshold
    percentage is &gt; 100 (gh#syncthing/syncthing#3891).
  * Rate limiting now actually works on ARM64 builds again
    (gh#syncthing/syncthing#3921).
  * Fix an issue where UPnP port allocations would be incorrect
    under some circumstances (gh#syncthing/syncthing#3924).
  * Weak hashing is a bit faster and allocates less memory.
  * The hashing performance reported at startup now includes weak
    hashing.
  * The GUI 'network error' dialogue no longer shows up as easily
    in some scenarios when using Syncthing behind a reverse proxy.

- Update to version 0.14.19:
  * Changing bandwidth rate limits now takes effect immediately
    without restart (gh#syncthing/syncthing#3846).
  * The event log (-audit) can now be directed to stderr for
    piping into another application
    (gh#syncthing/syncthing#3859).
  * A panic on directory listing at startup has been fixed
    (gh#syncthing/syncthing#3584).
  * When a directory is deleted, the .stfolder marker is also
    removed. The ignore file and .stversions directory are
    retained, if present (gh#syncthing/syncthing#3857).
  * Several scenarios where a device would get stuck with
    'not a directory' errors are now handled again
    (gh#syncthing/syncthing#3819).
  * Third party copyrights in the about box are now more up to
    date (gh#syncthing/syncthing#3839).
  * Hashing performance has been improved
    (gh#syncthing/syncthing#3861).

- Update to version 0.14.18:
  * Fix connections to older Syncthing versions no longer being
    closed due to an unmarshalling message:
    'proto: wrong wireType = 2 for field BlockIndexes'
    (gh#syncthing/syncthing#3855).

- Update to version 0.14.17:
  * Panics caused by corrupt on disc database are now better
    explained in the panic message (gh#syncthing/syncthing#3689).
  * Statically configured device addresses without a port number
    are now correctly defaulted to port 22000 again
    (gh#syncthing/syncthing#3817).
  * Inotify clients no longer cause 'invalid subpath' errors to be
    displayed (gh#syncthing/syncthing#3829).
  * Directories can now be paused (gh#syncthing/syncthing#215).
  * 'Master' directories are now called 'send only' in order to
    standardise on a terminology of sending and receiving changes
    (gh#syncthing/syncthing#2679).
  * Pausing devices and directories now persists across restarts
    (gh#syncthing/syncthing#3407).
  * A rolling checksum is used to identify and reuse blocks that
    have moved within a file (gh#syncthing/syncthing#3527).
  * Syncthing allows setting the type-of-service field on outgoing
    packets, configured by the advanced setting 'trafficClass'
    (gh#syncthing/syncthing#3790).
  * Which device introduced another device is now visible in the
    GUI (gh#syncthing/syncthing#3809).

</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://lists.opensuse.org/opensuse-updates/2018-01/msg00046.html</URL>
      <Description>E-Mail link for openSUSE-SU-2018:0109-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="openSUSE Leap 42.2">
      <Branch Type="Product Name" Name="openSUSE Leap 42.2">
        <FullProductName ProductID="openSUSE Leap 42.2">openSUSE Leap 42.2</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Family" Name="openSUSE Leap 42.3">
      <Branch Type="Product Name" Name="openSUSE Leap 42.3">
        <FullProductName ProductID="openSUSE Leap 42.3">openSUSE Leap 42.3</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="syncthing-0.14.42-3.1">
      <FullProductName ProductID="syncthing-0.14.42-3.1">syncthing-0.14.42-3.1</FullProductName>
    </Branch>
    <Relationship ProductReference="syncthing-0.14.42-3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.2">
      <FullProductName ProductID="openSUSE Leap 42.2:syncthing-0.14.42-3.1">syncthing-0.14.42-3.1 as a component of openSUSE Leap 42.2</FullProductName>
    </Relationship>
    <Relationship ProductReference="syncthing-0.14.42-3.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 42.3">
      <FullProductName ProductID="openSUSE Leap 42.3:syncthing-0.14.42-3.1">syncthing-0.14.42-3.1 as a component of openSUSE Leap 42.3</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Syncthing version 0.14.33 and older is vulnerable to symlink traversal resulting in arbitrary file overwrite</Note>
    </Notes>
    <CVE>CVE-2017-1000420</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 42.2:syncthing-0.14.42-3.1</ProductID>
        <ProductID>openSUSE Leap 42.3:syncthing-0.14.42-3.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">Please install the update.</Description>
        <URL>https://lists.opensuse.org/opensuse-updates/2018-01/msg00046.html</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2017-1000420.html</URL>
        <Description>CVE-2017-1000420</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1074428</URL>
        <Description>SUSE Bug 1074428</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
