Changelogs for releases before 0.12.23 and earlier (before this bug happened) and for the v0.13.x beta releases: read here
This is a security release to fix three vulnerabilities all related to the possibility of the automatic upgrade response being intercepted by a man-in-the-middle. In one case, a downgrade could be enforced by the attacker; in another, a denial of service could be created by serving a malformed package archive; in the third, an XSS attack could be performed against the local web UI. These were all reported by Sebastian Py.
- lib/upgrade: Enforce limits on download archives (fixes #3045) (@calmh)
- lib/upgrade: Auto upgrade signature should cover version & arch (fixes #3044) (@calmh)
- gui: Backport angular and angular-translate updates from master (@calmh)
Built with Go 1.6.1 to keep up with the day’s security advisories.
- cmd/syncthing: Skip a calculation if timediff is zero (#2854, @AudriusButkevicius)
- lib/model: Correct handling of multiple subs when scanning (#2851, @calmh)
- lib/model: Properly handle deleting multiple files when doing scans with subs (#2851, @calmh)
- Clarify GUI stuff (#2819, @AudriusButkevicius)
- Increase contrast for readonly form controls in dark theme (#2820, @wweich)
- gui: Improve layout of footer on narrow screens (#2663, @calmh)
- lib/relay/client: Log relay client messages (#2624, @AudriusButkevicius)
- gui: Better accessibility for folder & device panels (#2288, @wweich)
Compiler switched to Go 1.6.
- Add priority, section and homepage to debian/control (Laurent Arnoud)
- Fix description-contains-tabs and improve description (Laurent Arnoud)
- gui: add a lock icon to the folder title for easy overview (fixes #2703) (@kralo)
- gui: add html tooltips (title) to the folder path and syncthing version elements (fixes #2758) (@kralo)
- systemd: Add syncthing-resume.service (@rumpelsepp)
- Only test with -race on supported platforms (fixes #2765) (@calmh)
- Return “No such object in the index” when /rest/db/file gets called on something that doesn’t exist (@calmh)
- Swap the corsMiddleware and the csrfMiddleware so the unauthenticated OPTIONS requests are first processed. (@letiemble)
- Report versioning usage in usage report (@calmh)
only the boss
knows the whole story
maybe some day you will too
know what is
the meaning
of life
after all the answer still remains 42
- Update kardianos/osext (#2650, @calmh)
- Change default max conflicts to 10 (#2604, @calmh)
- Don’t conflict copy conflict copies (#2605, @calmh)
- Don’t allow in use CSRF tokens to expire (#1008, @calmh)
- Add relaying to main settings dialog (#2433, @calmh)
- Don’t resolve destination address until we need to (#2671, @calmh)
- More fine grained locking in discovery cache (#2667, @calmh)
- Added STNODEFAULTFOLDER envvar to skip default folder creation on new install (#1515, @nrm21)
- Remove windows specialisation from osutil.GetLans (#2192, @AudriusButkevicius)
- Ensure loaded config is free of duplicate devices (#2627, @calmh)
- Show device ID QR code from edit dialog (#1494, @ironmig)
- Don’t warn about failed ignores if folder unhealthy (#2630, @AudriusButkevicius)
- Detect nonstandard hash algo and stop folder (#2314, @calmh)
- Also build linux-arm64, linux-ppc64, linux-ppc64le (@calmh)
- Disallow adding duplicate device ID in GUI (@ironmig)
earlier releases
If you read until here, you are missing something, it’s called latest release! So don’t be silly and protect your will… erm… Syncthing installation