openSUSE Security Update: Security update for syncthing
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2023:0126-1
Rating:             moderate
References:         #1212085 
Cross-References:   CVE-2022-46165
CVSS scores:
                    CVE-2022-46165 (NVD) : 4.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
                    CVE-2022-46165 (SUSE): 4.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Affected Products:
                    openSUSE Backports SLE-15-SP5
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for syncthing fixes the following issues:

   - Update to 1.13.5

     * This release fixes CVE-2022-46165 “Cross-site Scripting (XSS) in Web
       GUI”

     * Bugfixes:

       #8503: "syncthing cli config devices add" reflect error when using
   --addresses flag #8764: Ignore patterns creating during folder addition
   are not loaded #8778: Tests fail on Windows with Go 1.20 #8779: Test
   cleanup fails all model tests on Windows on Go 1.20 #8859: Incorrect
   handling of path for auto accepted folder

     * Other issues:

       #8799: "fatal error: checkptr: converted pointer straddles multiple
   allocations" in crypto tests

   - Update to 1.23.4

     - Bugfixes:

       #8851: "Running global migration to fix encryption file sizes" on
   every start

   - Update to 1.23.3

     * Bugfixes:

       #5408: Selection of time in versions GUI not possible without editing
   the string inside the textfield #8277: Mutual encrypted sharing doesn't
   work (both sides with password) #8556: Increased file size when sharing
   between encrypted devices #8599: Key generation at connect time is slow
   for encrypted connections

     * Enhancements:

       #7859: Allow sub-second watcher delay (use case: remote development)

     * Other issues:

       #8828: cmd/stdiscosrv: TestDatabaseGetSet flake

   - Adding a desktop file for the Web UI

   - Update to 1.23.2

     * Bugfixes:

       #8749: Relay listener does not restart sometimes

     * Enhancements:

       #8660: GUI editor for xattr filter patterns #8781: gui: Remove
   duplicate Spanish translation

     * Other issues:

       #8768: Update quic-go for Go 1.20


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP5:

      zypper in -t patch openSUSE-2023-126=1



Package List:

   - openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

      syncthing-1.23.5-bp155.2.3.1
      syncthing-relaysrv-1.23.5-bp155.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2022-46165.html
   https://bugzilla.suse.com/1212085

openSUSE: 2023:0126-1 moderate: syncthing

June 16, 2023
An update that fixes one vulnerability is now available

Description

This update for syncthing fixes the following issues: - Update to 1.13.5 * This release fixes CVE-2022-46165 “Cross-site Scripting (XSS) in Web GUI” * Bugfixes: #8503: "syncthing cli config devices add" reflect error when using --addresses flag #8764: Ignore patterns creating during folder addition are not loaded #8778: Tests fail on Windows with Go 1.20 #8779: Test cleanup fails all model tests on Windows on Go 1.20 #8859: Incorrect handling of path for auto accepted folder * Other issues: #8799: "fatal error: checkptr: converted pointer straddles multiple allocations" in crypto tests - Update to 1.23.4 - Bugfixes: #8851: "Running global migration to fix encryption file sizes" on every start - Update to 1.23.3 * Bugfixes: #5408: Selection of time in versions GUI not possible without editing the string inside the textfield #8277: Mutual encrypted sharing doesn't work (both sides with password) #8556: Increased file size when sharing between encrypted devices #8599: Key generation at connect time is slow for encrypted connections * Enhancements: #7859: Allow sub-second watcher delay (use case: remote development) * Other issues: #8828: cmd/stdiscosrv: TestDatabaseGetSet flake - Adding a desktop file for the Web UI - Update to 1.23.2 * Bugfixes: #8749: Relay listener does not restart sometimes * Enhancements: #8660: GUI editor for xattr filter patterns #8781: gui: Remove duplicate Spanish translation * Other issues: #8768: Update quic-go for Go 1.20

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP5: zypper in -t patch openSUSE-2023-126=1


Package List

- openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64): syncthing-1.23.5-bp155.2.3.1 syncthing-relaysrv-1.23.5-bp155.2.3.1


References

https://www.suse.com/security/cve/CVE-2022-46165.html https://bugzilla.suse.com/1212085


Severity
Announcement ID: openSUSE-SU-2023:0126-1
Rating: moderate
Affected Products: openSUSE Backports SLE-15-SP5 .

Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Recent research sheds light on the security vulnerabilities prevalent in Linux vendor kernels due to flawed engineering processes that backport
28.Lock Globe Esm H320
1 - 2 min read
The intersection of Linux and quantum computing has become increasingly apparent, emphasizing the importance of Linux-based operating systems in
6.EmailConnection Touch Esm H320
2 - 3 min read
Recent security updates for Ubuntu and Debian have been released to address vulnerabilities in Thunderbird, the popular open-source mail and
30.Lock Globe Motherboard Esm H320
1 - 2 min read
As cybersecurity practitioners, we are no strangers to the constant threat of malicious actors and the importance of remaining vigilant to protect
22.Lock ScreenEffect Esm H320
1 - 2 min read
EndeavorOS Gemini is a captivating and charming desktop operating system based on Arch Linux. The new release includes a kernel upgrade, 3D graphics
25.@Sign Hook Keyboard Esm H320
1 min read
Cyber risk is increasing for individuals and organizations, making flexible and robust solutions for identifying spam and malware increasingly
19.Laptop Bed Esm H320
2 - 3 min read
The recently released Linux Kernel 6.9 brings forth a blend of crucial upgrades and enhancements, catering to the ever-evolving needs of the Linux
4.Lock AbstractDigital Esm H320
1 - 2 min read
Nmap 7.95 introduces myriad enhancements, primarily focusing on OS and service detection signatures. This reflects the dedication of the Nmap

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved