Syncthing changelogs (2016)

For changelogs of releases before 0.12.23 and earlier (before this bug happened) and of the v0.13.x beta releases, read here.


This is a security release to fix three vulnerabilities all related to the possibility of the automatic upgrade response being intercepted by a man-in-the-middle. In one case, a downgrade could be enforced by the attacker; in another, a denial of service could be created by serving a malformed package archive; in the third, an XSS attack could be performed against the local web UI. These were all reported by Sebastian Py.

  • lib/upgrade: Enforce limits on download archives (fixes #3045) (@calmh)
  • lib/upgrade: Auto upgrade signature should cover version & arch (fixes #3044) (@calmh)
  • gui: Backport angular and angular-translate updates from master (@calmh)
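
The following is an added example, not Syncthing's own code, showing why an upgrade signature that covers the version and architecture as well as the binary stops an old, validly signed build from being passed off as a newer one. Ed25519, the length-prefixed message layout, the function names and the version and arch strings are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// releaseMessage builds the signed bytes: version, arch and the SHA-256 of the
// binary, each length-prefixed so field boundaries cannot be shifted.
func releaseMessage(version, arch string, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	var msg []byte
	for _, f := range [][]byte{[]byte(version), []byte(arch), sum[:]} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		msg = append(append(msg, n[:]...), f...)
	}
	return msg
}

func signRelease(priv ed25519.PrivateKey, version, arch string, payload []byte) []byte {
	return ed25519.Sign(priv, releaseMessage(version, arch, payload))
}

// verifyRelease checks the signature against the version the upgrade response
// advertises and the arch the client itself runs.
func verifyRelease(pub ed25519.PublicKey, version, arch string, payload, sig []byte) bool {
	return ed25519.Verify(pub, releaseMessage(version, arch, payload), sig)
}

// demoKey derives a key pair from a constructed all-zero seed (demo only).
func demoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKey()
	old := []byte("constructed bytes standing in for an old build")
	weakSig := ed25519.Sign(priv, old) // weak scheme: signature covers the binary only
	sig := signRelease(priv, "v1.0.0", "linux-amd64", old) // constructed version and arch
	// An intercepted response relabels the old, validly signed build as v1.1.0.
	fmt.Println("binary-only, relabelled old build:", ed25519.Verify(pub, old, weakSig))
	fmt.Println("bound, relabelled old build:", verifyRelease(pub, "v1.1.0", "linux-amd64", old, sig))
	fmt.Println("bound, wrong arch:", verifyRelease(pub, "v1.0.0", "linux-arm", old, sig))
	fmt.Println("bound, genuine release:", verifyRelease(pub, "v1.0.0", "linux-amd64", old, sig))
}
```

The binary-only signature still verifies when the old build is relabelled, while the bound signature verifies only for the exact version and arch it was issued for.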


Built with Go 1.6.1 to keep up with the day’s security advisories.


  • lib/model: Correct handling of multiple subs when scanning (#2851, @calmh)
  • lib/model: Properly handle deleting multiple files when doing scans with subs (#2851, @calmh)
  • Clarify GUI stuff (#2819, @AudriusButkevicius)
  • Increase contrast for readonly form controls in dark theme (#2820, @wweich)
  • gui: Improve layout of footer on narrow screens (#2663, @calmh)
  • lib/relay/client: Log relay client messages (#2624, @AudriusButkevicius)
  • gui: Better accessibility for folder & device panels (#2288, @wweich)


Compiler switched to Go 1.6.

  • Add priority, section and homepage to debian/control (Laurent Arnoud)
  • Fix description-contains-tabs and improve description (Laurent Arnoud)
  • gui: add a lock icon to the folder title for easy overview (fixes #2703) (@kralo)
  • gui: add html tooltips (title) to the folder path and syncthing version elements (fixes #2758) (@kralo)
  • systemd: Add syncthing-resume.service (@rumpelsepp)
  • Only test with -race on supported platforms (fixes #2765) (@calmh)


  • Return “No such object in the index” when /rest/db/file gets called on something that doesn’t exist (@calmh)
  • Swap the corsMiddleware and the csrfMiddleware so the unauthenticated OPTIONS requests are first processed. (@letiemble)
  • Report versioning usage in usage report (@calmh)


  • Update kardianos/osext (#2650, @calmh)
  • Change default max conflicts to 10 (#2604, @calmh)
  • Don’t conflict copy conflict copies (#2605, @calmh)
  • Don’t allow in use CSRF tokens to expire (#1008, @calmh)
  • Add relaying to main settings dialog (#2433, @calmh)
  • Don’t resolve destination address until we need to (#2671, @calmh)
  • More fine grained locking in discovery cache (#2667, @calmh)
  • Added STNODEFAULTFOLDER envvar to skip default folder creation on new install (#1515, @nrm21)


  • Remove windows specialisation from osutil.GetLans (#2192, @AudriusButkevicius)
  • Ensure loaded config is free of duplicate devices (#2627, @calmh)
  • Show device ID QR code from edit dialog (#1494, @ironmig)
  • Don’t warn about failed ignores if folder unhealthy (#2630, @AudriusButkevicius)
  • Detect nonstandard hash algo and stop folder (#2314, @calmh)
  • Also build linux-arm64, linux-ppc64, linux-ppc64le (@calmh)
  • Disallow adding duplicate device ID in GUI (@ironmig)

earlier releases

