Security Notice for v0.14.34

(Jakob Borg) #1

Please be aware that v0.14.34 will be a security release. That is, it fixes a vulnerability present in all previous versions, including v0.14.34-rc.1. This is an exception to the normal release candidate process in that we’re adding a last patch on top of rc.1 before the final release.

The vulnerability lets a malicious user on a trusted device (or, an attacker that has compromised an otherwise trusted device) overwrite any file that Syncthing can access, in some configurations. This easily becomes remote execution.

Windows is mostly not vulnerable, although the fix applies there as well to bring “mostly not” to “really not”. There is however one caveat that may require manual fixup - stay tuned for details tomorrow at the time of release.

Otherwise, if you’re not doing automatic upgrades, this may be one you want to do manually.

(Jakob Borg) #2

(Adam Piggott) #3

Anyone still running Syncthing as root or SYSTEM should take this as a good reason to fix their configurations :slight_smile:

(Jakob Borg) #4


(Jakob Borg) #5

Please see the note about some Windows installations (you use symlinks and versioning) requiring manual cleanup:
