First, can I say thanks for syncthing, what a great piece of software!
I’ve got a question regarding the certificates generated by syncthing prior to version 0.12.4. With the news of the security bug in Go, is it recommended to regenerate any certificates created before 0.12.4 or is simply upgrading to the latest version enough to mitigate the security issue?
You should be fine using the newest version. See:
The Go team has announced an upcoming security release of Go (1.5.3) for this Wednesday. We don't know what it fixes, but it's possible it affects Syncthing. If it does, we'll release a new version built with 1.5.3 immediately. Those of you running the "official" releases with auto update will get it automatically. If you're running Syncthing distributed by a third party you'll need to check with them after confirming that an update is indeed necessary.
We'll announce here and on Twitter what …
Continuing the discussion from "Upcoming security release of Go":
I've just pushed and built Syncthing v0.12.14. This build is built with Go 1.5.3, except for the Windows build, which is built using Go 1.6beta2. Go 1.5.3 / 1.6beta2 fixes the security issue described here, but the relevant part is:
Specifically, incorrect results in one part of the RSA Chinese Remainder computation can cause the result to be incorrect in such a way that it leaks one of the primes. While RSA blinding should prevent an…
Later versions are fine. Earlier versions are fine if you have newer certificates.
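The quoted announcement describes a wrong result in one half of the RSA Chinese Remainder computation. As an added example (not from this thread, Syncthing or the Go project), the Go code below shows a common countermeasure: re-checking the CRT result with the public exponent and refusing to release it on mismatch. The toy key, `crtExp`, `SafePrivateOp` and the simulated fault flag are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// Constructed toy key (tiny textbook primes, illustration only; not a real key).
var (
	p, q = big.NewInt(61), big.NewInt(53)
	n    = new(big.Int).Mul(p, q)
	e, d = big.NewInt(17), big.NewInt(2753)
	one  = big.NewInt(1)
)

var ErrFault = errors.New("rsa: CRT result failed verification, not released")

// crtExp computes c^d mod n using the CRT. faultP (hypothetical test hook)
// simulates an arithmetic error in the mod-p half only.
func crtExp(c *big.Int, faultP bool) *big.Int {
	dp := new(big.Int).Mod(d, new(big.Int).Sub(p, one))
	dq := new(big.Int).Mod(d, new(big.Int).Sub(q, one))
	sp := new(big.Int).Exp(c, dp, p)
	sq := new(big.Int).Exp(c, dq, q)
	if faultP {
		sp.Add(sp, one).Mod(sp, p) // corrupted half-result
	}
	// Garner recombination: s = sq + q * ((sp - sq) * q^-1 mod p)
	h := new(big.Int).Sub(sp, sq)
	h.Mul(h, new(big.Int).ModInverse(q, p)).Mod(h, p)
	return h.Mul(h, q).Add(h, sq)
}

// SafePrivateOp releases the result only if s^e mod n equals the input (c < n).
func SafePrivateOp(c *big.Int, faultP bool) (*big.Int, error) {
	s := crtExp(c, faultP)
	if new(big.Int).Exp(s, e, n).Cmp(c) != 0 {
		return nil, ErrFault
	}
	return s, nil
}

func main() {
	c := big.NewInt(2790) // constructed input
	for _, fault := range []bool{false, true} {
		s, err := SafePrivateOp(c, fault)
		fmt.Printf("fault=%v result=%v err=%v\n", fault, s, err)
	}
}
```

The check costs one public-exponent exponentiation, which is cheap next to the private operation it protects.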