Go 1.13.3 and TLS parsing vulnerability

There is a new version of Go out, 1.13.3, which fixes an issue that affects Syncthing (and everything else Go that speaks TLS): #34960: crypto/dsa: invalid public key causes panic in dsa.Verify.

I consider this medium-to-low severity for Syncthing, as it’s a targeted DoS with no data leakage or remote execution or other nastiness. If someone hates you and knows your device ID they can crash your Syncthing. As such I’m not going to panic, but the next release, Syncthing 1.3.1, in a couple of weeks will of course be compiled with the new version, and I am releasing a Syncthing 1.3.1-rc.2 today with the new build, otherwise identical to 1.3.1-rc.1. (That’s good practice anyway, to make sure the release matches the RC.) If you’re worried enough about this to want to upgrade, you can either compile yourself or use the RC.

It is slightly more urgent for the discovery servers, at least for large or public ones. Ours are already upgraded. The official, upgraded release version will be stdiscosrv 1.3.2, because there was some other crap needing fixing that I discovered while upgrading ours. In the meantime, if you want this fixed you can either compile yourself or use the current development build. That is what we’re running currently.

The relay server code hasn’t changed in a while and I’m releasing a new version strelaysrv 1.3.0 today with the fix.

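To make concrete what "invalid public key causes panic in dsa.Verify" means from the defender's side, here is an added example that is not part of the post above and not Syncthing or Go project code. It is assumed here that the fix in Go 1.13.3 makes dsa.Verify return false on such keys rather than panicking; the example shows the kind of parameter sanity check a program could apply before handing a peer-supplied DSA key to the library, plus a recover wrapper so that a malformed key can only fail its own verification. The names checkDSAPublicKey, safeVerify and demo are hypothetical, and the signed message is constructed for the demo. Note that crypto/dsa is deprecated in current Go but still compiles.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// checkDSAPublicKey is a hypothetical pre-verification check (not Syncthing or
// Go project code). It rejects the kind of malformed parameter set that could
// make dsa.Verify panic before Go 1.13.3, before the values reach any modular math.
func checkDSAPublicKey(pub *dsa.PublicKey) error {
	if pub == nil || pub.P == nil || pub.Q == nil || pub.G == nil || pub.Y == nil {
		return errors.New("dsa: missing parameter")
	}
	if pub.P.Sign() <= 0 || pub.Q.Sign() <= 0 || pub.G.Sign() <= 0 {
		return errors.New("dsa: P, Q and G must be positive")
	}
	if pub.Q.Cmp(pub.P) >= 0 {
		return errors.New("dsa: Q must be smaller than P")
	}
	if pub.G.Cmp(big.NewInt(1)) <= 0 || pub.G.Cmp(pub.P) >= 0 {
		return errors.New("dsa: G must lie in (1, P)")
	}
	if pub.Y.Sign() <= 0 || pub.Y.Cmp(pub.P) >= 0 {
		return errors.New("dsa: Y must lie in (0, P)")
	}
	return nil
}

// safeVerify runs the check first and additionally turns any panic inside
// dsa.Verify into a plain "signature invalid", so a peer presenting a bad key
// can at worst fail its own handshake rather than crash the whole process.
func safeVerify(pub *dsa.PublicKey, hash []byte, r, s *big.Int) (ok bool) {
	if err := checkDSAPublicKey(pub); err != nil {
		return false
	}
	defer func() {
		if recover() != nil {
			ok = false
		}
	}()
	return dsa.Verify(pub, hash, r, s)
}

// demo generates a real key, signs a constructed message, and verifies it once
// with the genuine key and once with a copy whose P has been zeroed, which is
// the shape of key the Go issue describes. It returns both verification results.
func demo() (validOK, zeroPOK bool, err error) {
	var priv dsa.PrivateKey
	if err = dsa.GenerateParameters(&priv.Parameters, rand.Reader, dsa.L1024N160); err != nil {
		return
	}
	if err = dsa.GenerateKey(&priv, rand.Reader); err != nil {
		return
	}
	digest := sha256.Sum256([]byte("constructed test message")) // constructed input
	r, s, err := dsa.Sign(rand.Reader, &priv, digest[:])
	if err != nil {
		return
	}
	validOK = safeVerify(&priv.PublicKey, digest[:], r, s)

	bad := priv.PublicKey // struct copy; the big.Int pointers are shared
	bad.P = new(big.Int)  // P = 0: the modulus dsa.Verify reduces by
	zeroPOK = safeVerify(&bad, digest[:], r, s)
	return
}

func main() {
	validOK, zeroPOK, err := demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Println("genuine key verifies:", validOK)
	fmt.Println("zero-P key verifies:", zeroPOK)
}
```

Running it prints true for the genuine key and false for the zeroed copy. The point of the pre-check is that it documents, in one place, which keys the program is willing to pass to the library at all; the recover wrapper is a belt-and-braces measure for whatever the library version in use does with inputs the check did not anticipate.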