[Bug 206225] net/syncthing: security update to 1.12.13
bugzilla-noreply at freebsd.org
Thu Jan 14 05:25:41 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206225
Bug ID: 206225
Summary: net/syncthing: security update to 1.12.13
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: swills at FreeBSD.org
Reporter: peter at FreeBSD.org
Flags: maintainer-feedback?(swills at FreeBSD.org)
Created attachment 165544
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=165544&action=edit
Patch for syncthing 1.12.3 -> 1.12.13.
The golang TLS private key leak requires all downstream packages to be rebuilt
and reinstalled. As there is no runtime dependency for pkg to track to
determine whether the fixed 1.5.3 was used or not for the static linking data
source, all lang/go consumers need a bump. It just so happens that syncthing
has a version bump specifically for this. The particular vulnerability is
easiest to exploit on 32-bit systems, but 64-bit are still vulnerable in theory
as well.
https://forum.syncthing.net/t/security-update-syncthing-v0-12-13/6548
I've attached an initial update for net/syncthing and friends. I've added a
hard requirement for a minimum go version as well.
I think syncthing <= 1.12.12 (and all other golang consumers that use the TLS
code) should have a vuxml entry.
We're using this on the freebsd.org cluster but a sanity check is required.