openSUSE Security Update: Security update for syncthing ______________________________________________________________________________ Announcement ID: openSUSE-SU-2023:0126-1 Rating: moderate References: #1212085 Cross-References: CVE-2022-46165 CVSS scores: CVE-2022-46165 (NVD) : 4.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVE-2022-46165 (SUSE): 4.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Affected Products: openSUSE Backports SLE-15-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for syncthing fixes the following issues: - Update to 1.13.5 * This release fixes CVE-2022-46165 ���Cross-site Scripting (XSS) in Web GUI��� * Bugfixes: #8503: "syncthing cli config devices add" reflect error when using --addresses flag #8764: Ignore patterns creating during folder addition are not loaded #8778: Tests fail on Windows with Go 1.20 #8779: Test cleanup fails all model tests on Windows on Go 1.20 #8859: Incorrect handling of path for auto accepted folder * Other issues: #8799: "fatal error: checkptr: converted pointer straddles multiple allocations" in crypto tests - Update to 1.23.4 - Bugfixes: #8851: "Running global migration to fix encryption file sizes" on every start - Update to 1.23.3 * Bugfixes: #5408: Selection of time in versions GUI not possible without editing the string inside the textfield #8277: Mutual encrypted sharing doesn't work (both sides with password) #8556: Increased file size when sharing between encrypted devices #8599: Key generation at connect time is slow for encrypted connections * Enhancements: #7859: Allow sub-second watcher delay (use case: remote development) * Other issues: #8828: cmd/stdiscosrv: TestDatabaseGetSet flake - Adding a desktop file for the Web UI - Update to 1.23.2 * Bugfixes: #8749: Relay listener does not restart sometimes * Enhancements: #8660: GUI editor for xattr filter patterns #8781: gui: Remove duplicate Spanish translation * Other issues: #8768: Update quic-go for Go 1.20 Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP5: zypper in -t patch openSUSE-2023-126=1 Package List: - openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64): syncthing-1.23.5-bp155.2.3.1 syncthing-relaysrv-1.23.5-bp155.2.3.1 References: https://www.suse.com/security/cve/CVE-2022-46165.html https://bugzilla.suse.com/1212085