Please be aware that v0.14.34 will be a security release. That is, it fixes a vulnerability present in all previous versions, including v0.14.34-rc.1. This is an exception to the normal release candidate process in that we’re adding a last patch on top of rc.1 before the final release.
The vulnerability lets a malicious user on a trusted device (or, an attacker that has compromised an otherwise trusted device) overwrite any file that Syncthing can access, in some configurations. This easily becomes remote execution.
Windows is mostly not vulnerable, although the fix applies there as well to bring “mostly not” to “really not”. There is however one caveat that may require manual fixup - stay tuned for details tomorrow at the time of release.
Otherwise, if you’re not doing automatic upgrades, this may be one you want to do manually.
