v1.28.1

Security

Version 1.28.0 added a bug where block request messages to untrusted devices would include the hash of the plaintext block being requested. This isn’t recorded anywhere on the untrusted device by a stock Syncthing, but a potentially modified/illicit Syncthing instance could in principle record the plaintext hashes of encrypted data, thus being able to draw some conclusions about the data being stored.

Bugfixes

• #9400: Folder overlap not detected when using tilde
• #9590: WebUI table column widths broken on iPhone 12 Pro Max and wider
• #9686: Sync status stays at 'Syncing xx%" when remote device pauses the folder.
• #9757: Firefox, dark theme: device ID is hard to read
• #9775: Junctions as dirs doesn’t work anymore
• #9776: Disabled checkbox panels don’t respect dark theme
• #9783: gui: Address override not respected in fresh default config
• #9821: panic: runtime error: index out of range [-1]

Enhancements

• #9725: Ignoring symbolic links when syncing on android as well