Upcoming security release of Go

The Go team has announced an upcoming security release of Go (1.5.3) for this Wednesday. We don’t know what it fixes, but it’s possible it affects Syncthing. If it does, we’ll release a new version built with 1.5.3 immediately. Those of you running the “official” releases with auto update will get it automatically. If you’re running Syncthing distributed by a third party you’ll need to check with them after confirming that an update is indeed necessary.

We’ll announce here and on Twitter what happens, either way.

The vulnerability (whatever it is) only affects the Go 1.5 compiler/library, which means that Syncthing versions up to and including v0.12.3 are not affected as they were built with Go 1.4 and earlier. That leaves v0.12.4 through v0.12.12 potentially affected.

The Windows version is currently built with Go 1.6beta, which is presumably also affected. We’ll evaluate what to do there based on what we know on Wednesday.


This seems to be the same problem as CVE-2015-3193 which, while a problem, doesn’t seem to be exploitable in Syncthing as we don’t reuse DHE keys between connections (as far as I can tell)… We’ll release anyway.

Can you share a link to the announcement from Go?

https://groups.google.com/forum/#!topic/golang-nuts/lXeB-v400ZM and http://www.openwall.com/lists/oss-security/2015/12/21/6