Syncthing v0.13.2 and v0.12.25 released

These are security releases and recommended for everyone. The auto upgrade should already have upgraded you if that is enabled; otherwise, please do the needful to get the latest version using your chosen method.

Can you clarify when this vulnerability was introduced?

Also, am I right to assume that it’s still present in syncthing-android, SyncTrayzor, and any other platform-specific wrappers?

A long time ago, probably on the order of v0.11 or thereabouts - I’m currently on mobile so unsure.

The Android wrapper sets up authentication by default so is not affected by this, I think. The other wrappers are neither vulnerable nor invulnerable - the problem is in the core Syncthing module that they use. When Syncthing upgrades, or is upgraded by the wrapper, you’re fine.

If you have authentication enabled on the GUI you’re also fine, regardless of version.

Yeah, we always set user/password automatically on Android before Syncthing is started for the first time.


