Syncthing v0.14.14


This is a security release recommended for all users. You should upgrade.

Two distinct security vulnerabilities have been corrected in this release. Either would let a remote attacker, controlling a device that is already accepted by Syncthing, perform arbitrary reads and writes to files outside the configured folders.

The first issue is that path validation was lacking in several places, so Syncthing accepted index entries for files like “../../foo”, which resolve to a path above the configured folder.

The second issue is that, where path validation was correct, symlinks could be used to trick Syncthing. An attacker could create a symlink “foo -> ../../” and then request the contents of “foo/something”, again escaping the constraints of the folder.

Syncing symlinks between v0.14.14 and previous versions will not work.

This is due to the fix for the second issue above. Normal files and directories will sync fine. To continue syncing symlinks, both sides must be upgraded to v0.14.14.

Further resolved issues:

  • #3753: The build no longer requires Go 1.7.
  • #3769: The wording in the GUI around “last file received” is now clearer.
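As an added illustration, not Syncthing's own code, here is the two-layer check the two fixes above amount to: a lexical rejection of “..” components in index entries, and an on-disk resolution of symlinks that refuses any request whose real path leaves the folder root (a dangling link is refused too, since its target cannot be shown to be inside). The names checkName, resolveInside and errEscape are assumptions of the example.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var errEscape = errors.New("path escapes folder root")

// checkName is the lexical check on a slash-separated protocol name, before any
// disk access: no absolute names, no ".." component ("/"-wrapping catches every position).
func checkName(name string) error {
	if name == "" || filepath.IsAbs(name) || strings.HasPrefix(name, "/") ||
		strings.Contains("/"+name+"/", "/../") {
		return errEscape
	}
	return nil
}

// resolveInside is the on-disk check: the longest existing prefix of root/name
// is resolved through symlinks and must still lie under root, so a link
// "foo -> ../../" cannot make "foo/something" escape. Dangling links are refused.
func resolveInside(root, name string) error {
	if err := checkName(name); err != nil {
		return err
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return err
	}
	cur := filepath.Join(realRoot, filepath.FromSlash(name))
	for {
		target, terr := filepath.EvalSymlinks(cur)
		if terr == nil {
			rel, rerr := filepath.Rel(realRoot, target)
			if rerr != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
				return errEscape
			}
			return nil
		}
		// Only a truly missing entry (a file about to be created) may be skipped;
		// a dangling symlink still shows up in Lstat, and any other error is refused.
		if _, lerr := os.Lstat(cur); lerr == nil || !errors.Is(terr, os.ErrNotExist) {
			return errEscape
		}
		cur = filepath.Dir(cur)
	}
}
```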

We should mention that symlink handling has been broken between this and any previous releases.


Thanks, I forgot. Added.
