Syncthing v0.12.23 - security update

We just released Syncthing v0.12.23. This is a security release to fix three vulnerabilities all related to the possibility of the automatic upgrade response being intercepted by a man-in-the-middle. In one case, a downgrade could be enforced by the attacker; in another, a denial of service could be created by serving a malformed package archive; in the third, an XSS attack could be performed against the local web UI. These were all reported by Sebastian Py.

In none of these cases could the upgrade mechanism result in non-Syncthing code being downloaded and executed. To be vulnerable to these issues you would need to already have a man-in-the-middle intercepting and rewriting all your traffic.
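To make the downgrade case concrete from the defender's side, here is an added example (not Syncthing's own upgrade code, and the function names `ParseVersion`, `CheckUpgrade` and `ErrNotNewer` are assumptions) of the gate a client can apply to the version named in an upgrade response before it fetches anything: the tag must parse strictly, and it must be strictly newer than the running version, so a rewritten response that advertises an equal or older release is refused rather than installed.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed "vMAJOR.MINOR.PATCH[-PRERELEASE]" tag of the kind
// Syncthing releases use (e.g. "v0.12.23", "v0.13.0-rc.1").
type Version struct {
	Major, Minor, Patch int
	Pre                 string // prerelease label; empty for a final release
}

// ErrNotNewer is returned when the advertised version would not move the
// running instance forward (equal or older): the downgrade case that a
// tampered upgrade response would try to force.
var ErrNotNewer = errors.New("offered version is not newer than the running version")

// ParseVersion parses a release tag strictly: exactly three plain decimal
// components (no sign, no leading zeros) and an optional "-<pre>" suffix.
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	core, pre, _ := strings.Cut(s, "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("malformed version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || p != strconv.Itoa(n) {
			return Version{}, fmt.Errorf("malformed version component %q in %q", p, s)
		}
		nums[i] = n
	}
	return Version{Major: nums[0], Minor: nums[1], Patch: nums[2], Pre: pre}, nil
}

// Compare orders two versions: -1 if v < o, 0 if equal, 1 if v > o.
// A prerelease sorts below the final release with the same numbers.
func (v Version) Compare(o Version) int {
	for _, d := range []int{v.Major - o.Major, v.Minor - o.Minor, v.Patch - o.Patch} {
		switch {
		case d < 0:
			return -1
		case d > 0:
			return 1
		}
	}
	switch {
	case v.Pre == "" && o.Pre != "":
		return 1
	case v.Pre != "" && o.Pre == "":
		return -1
	}
	return strings.Compare(v.Pre, o.Pre)
}

// CheckUpgrade validates the version named in an upgrade response against
// the running version. It returns the accepted candidate only if the tag
// parses cleanly and is strictly newer; anything else is rejected before
// any archive is downloaded.
func CheckUpgrade(running, offered string) (Version, error) {
	cur, err := ParseVersion(running)
	if err != nil {
		return Version{}, fmt.Errorf("running version: %w", err)
	}
	cand, err := ParseVersion(offered)
	if err != nil {
		return Version{}, fmt.Errorf("offered version: %w", err)
	}
	if cand.Compare(cur) <= 0 {
		return Version{}, fmt.Errorf("%w: running %s, offered %s", ErrNotNewer, running, offered)
	}
	return cand, nil
}

func main() {
	// Constructed sample responses: a legitimate newer release, an older one
	// (what a downgrade attempt would advertise), the same version, garbage,
	// and a newer release candidate.
	for _, offered := range []string{"v0.12.24", "v0.12.20", "v0.12.23", "1.2", "v0.13.0-rc.1"} {
		if _, err := CheckUpgrade("v0.12.23", offered); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", offered)
		}
	}
}
```

The check is deliberately separate from transport security: even with TLS on the upgrade channel, refusing anything that is not strictly newer is a cheap second line that keeps a rewritten or replayed response from moving an installation backwards.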

Upgrade automatically as usual (and double check you actually got v0.12.23 after doing so ;)), or use your package manager to upgrade.

If you’re running a Syncthing without auto upgrade functionality (such as our Debian packages or most other distribution-created packages) then you are not vulnerable to this issue.
