openSUSE-SU-2024:0054-1: moderate: Security update for syncthing
openSUSE Security Update: Security update for syncthing
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2024:0054-1
Rating:             moderate
References:
Cross-References:   CVE-2023-49295
CVSS scores:
                    CVE-2023-49295 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP5
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for syncthing fixes the following issues:

   Update to 1.27.3

   * Bugfixes:
     #9039: Sync from Linux to Mac with ownership - Local additions after rescan
     #9241: Versions path does not honor tilde (~) shortcut
   * Enhancements:
     #8616: Add CLI completion
     #9151: Add "stay logged in" checkbox to login dialog
   * Other issues:
     #9267: Inconsistent version requirements in lib/build and lib/upgrade
     #9313: Different lengths used for short device IDs in UI

   - Make syncthing-relaysrv package resolvable by using systemd users to
     create the required user and group

   Update to 1.27.2

   * Bugfixes:
     #9041: cli subcommand does not use STHOMEDIR env var
     #9183: Filesystem watching (kqueue) is enabled … with a lot of files
     #9274: Missing lock in DeviceStatistics ("fatal error: concurrent map read and map write")
   * Enhancements:
     #7406: Add UPnP support for IPv6
   * Other issues:
     #9247: Embed binary releases signing key as a file instead of hardcoding a string
     #9287: quic-go v0.40.1 (CVE-2023-49295)

   Update to 1.27.1

   * Bugfixes:
     #9253: Permission error on folder causes "connection error" dialog when opening folder editor
     #9269: panic: nil pointer dereference in (*indexHandlerRegistry).startLocked
   * Other issues:
     #9274: Missing lock in DeviceStatistics ("fatal error: concurrent map read and map write")

   Update to 1.27.0

   * Bugfixes:
     #9179: spurious log file in $XDG_CONFIG_HOME
     #9189: Discovery Returns IP
     #9208: Display error in 1.26 with login screen
   * Enhancements:
     #9178: Default config (state) dir on Unixes should be ~/.local/state/syncthing ($XDG_STATE_HOME/syncthing)
     #9200: Login form: login button should have an id attribute

   Update to 1.26.1

   * Bugfixes:
     #9208: Display error in 1.26 with login screen

   Update to 1.26.0

   * Bugfixes:
     #9072: Omitting %s from LDAP search filter results in corrupt search filter
     #9106: Posting config with invalid versioner type causes panic
     #9120: Deduplicated files on Windows aren't treated as regular files any more (Go 1.21)
     #9133: Syncthing Docker container fails to start if underlying filesystem doesn't support chown
     #9143: traefik no longer url escape X-Forwarded-Tls-Client-Cert header
     #9149: Favicon is stuck in notify state
   * Enhancements:
     #4137: Use a real login screen + sessions instead of HTTP basic auth

   Update to 1.25.0

   * Bugfixes:
     #8274: Usage report transport type is wrong for QUIC
     #8482: Discovery server keeps duplicate entries
     #9019: Web GUI loses config changes when doing multiple modifications (e.g. on slow hardware or remotely)
     #9112: panic: counter cannot decrease in value
     #9123: Hashed passwords via API are hashed again
   * Enhancements:
     #141: Use multiple simultaneous TCP connections
     #5607: Move footer links to header

   Update to 1.24.0

   * Bugfixes:
     #8965: v1.23.6 introduces untrusted sharing regression
   * Enhancements:
     #5175: Record more performance metrics
     #7456: Announce IPv6 ULA
     #7973: Restore versions file filter should be case insensitive
     #8767: Check interface for FlagRunning
   * Other issues:
     #9021: panic: bug: ClusterConfig called on closed or nonexistent connection
     #9034: Build with Go 1.21 out of the box

   Update to 1.13.7

   * Bugfixes:
     #6597: setLowPriority should not increase process priority when already lower (in Windows)
     #7698: ursrv: unrealistic uptime data, likely due to unset RTC (1970-01-01)
     #8958: Extended attribute filter editor should be enabled when "send extended attributes" is checked
     #8967: Shared With list ends with comma on 1 device
     #9001: relaysrv crash after some weeks of operation
   * Enhancements:
     #8890: Do not autoexpand tilde sign (~) to an absolute home directory path
     #8957: Add environment variables for --home, --conf, and --data
     #8968: Error for Windows invalid file names should indicate the invalid character or name part
   * Other issues:
     #8973: 1.23.6 docker image no longer available for linux/arm/v7
     #8983: Integrate govulncheck

   Update to 1.13.6

   * Bugfixes:
     #7638: favicon not working Firefox & derivative browsers
     #8899: Omitting %s from LDAP bind DN sends corrupted bind DN string to LDAP server
     #8920: Untrusted device should be disallowed from being an introducer
     #8960: relaysrv and discosrv docker images haven't been updated for more than year

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP5:

      zypper in -t patch openSUSE-2024-54=1

Package List:

   - openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

      syncthing-1.27.3-bp155.2.6.1
      syncthing-relaysrv-1.27.3-bp155.2.6.1

References:

   https://www.suse.com/security/cve/CVE-2023-49295.html
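Added example, not part of the advisory or of SUSE's tooling: a POSIX shell check that reports whether the syncthing and syncthing-relaysrv RPMs on a host are at or beyond the fixed build 1.27.3-bp155.2.6.1 listed above, working from the output of rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n'. The sample query output it parses is constructed, and the vercmp helper is a simplified dotted-version comparison rather than rpm's own ordering.

```shell
# Added example (not from the advisory): flag syncthing RPMs older than the
# fixed build named in openSUSE-SU-2024:0054-1 (1.27.3-bp155.2.6.1).
FIXED_VERSION="1.27.3"
FIXED_RELEASE="bp155.2.6.1"
# vercmp A B: print -1, 0 or 1 as dotted string A sorts before, equal to or after B.
# Numeric segments compare as integers, others as strings (simplified, not rpm's rules).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -eq "$x" ] 2>/dev/null && [ "$y" -eq "$y" ] 2>/dev/null; then
            if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
            if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        elif [ "$x" != "$y" ]; then
            expr "$x" \< "$y" >/dev/null && printf '%s\n' -1 || printf '%s\n' 1
            return
        fi
    done
    printf '%s\n' 0
}
# check_pkg NAME VERSION RELEASE: print "fixed" or "vulnerable" for one RPM,
# comparing the version first and, when equal, the release string.
check_pkg() {
    case "$(vercmp "$2" "$FIXED_VERSION")" in
        1)  echo fixed ;;
        -1) echo vulnerable ;;
        0)  [ "$(vercmp "$3" "$FIXED_RELEASE")" -ge 0 ] && echo fixed || echo vulnerable ;;
    esac
}
# audit: read "NAME VERSION RELEASE" lines on stdin, i.e. the output of
#   rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' syncthing syncthing-relaysrv
# print one verdict per package and return 1 if any package is still vulnerable.
audit() {
    rc=0
    while read -r name ver rel; do
        [ -n "$name" ] || continue
        state=$(check_pkg "$name" "$ver" "$rel")
        echo "$name-$ver-$rel: $state"
        [ "$state" = fixed ] || rc=1
    done
    return "$rc"
}
# Constructed sample query output (not from a real host): one patched, one not.
SAMPLE='syncthing 1.27.3 bp155.2.6.1
syncthing-relaysrv 1.27.2 bp155.2.3.1'
printf '%s\n' "$SAMPLE" | audit || echo "Remediation: zypper in -t patch openSUSE-2024-54=1"
```

On a real host, replace the constructed SAMPLE with the rpm -q query shown in the audit comment; a non-zero exit from audit means at least one of the two packages still predates the fixed build.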