[Bug 206225] net/syncthing: security update to 1.12.13

bugzilla-noreply at freebsd.org
Thu Jan 14 05:25:41 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206225

            Bug ID: 206225
           Summary: net/syncthing: security update to 1.12.13
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: swills at FreeBSD.org
          Reporter: peter at FreeBSD.org
             Flags: maintainer-feedback?(swills at FreeBSD.org)

Created attachment 165544
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=165544&action=edit
Patch for syncthing 1.12.3 -> 1.12.13.

The golang TLS private key leak requires all downstream packages to be rebuilt
and reinstalled.  As there is no runtime dependency for pkg to track to
determine whether the fixed 1.5.3 was used or not for the static linking data
source, all lang/go consumers need a bump.  It just so happens that syncthing
has a version bump specifically for this.  The particular vulnerability is
easiest to exploit on 32 bit systems, but 64 bit are still vulnerable in theory
as well. 

https://forum.syncthing.net/t/security-update-syncthing-v0-12-13/6548

I've attached an initial update for net/syncthing and friends.  I've added a
hard requirement for a minimum go version as well.

I think syncthing <= 1.12.12 (and all other golang consumers that use the TLS
code) should have a vuxml entry.

We're using this on the freebsd.org cluster but a sanity check is required.

-- 
You are receiving this mail because:
You are the assignee for the bug.
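
Added example, not part of the bug report or of the FreeBSD ports tooling: because the Go toolchain is linked in statically and the package manager records no dependency on it, one way to find binaries that still need a rebuild is to read the toolchain version stamped into each executable and compare it with the fixed 1.5.3. It uses Go's standard `debug/buildinfo` package, which needs a much newer Go than the one discussed here; the names `versionKey`, `needsRebuild` and `audit` are hypothetical, and a binary whose build information cannot be read is reported as `unknown` and counted as stale.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

const minFixed = "go1.5.3" // fixed toolchain release named in the report

// versionKey maps "go1.5.3" to 1005003; ok is false for devel, rc or beta strings.
func versionKey(v string) (key int, ok bool) {
	if !strings.HasPrefix(v, "go") {
		return 0, false
	}
	// Pad so "go1.6" reads as 1.6.0, then keep major.minor.patch.
	for _, f := range strings.Split(v[2:]+".0.0", ".")[:3] {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 || n > 999 {
			return 0, false
		}
		key = key*1000 + n
	}
	return key, true
}

// needsRebuild fails closed: an unparseable version counts as stale.
func needsRebuild(have, min string) bool {
	h, ok1 := versionKey(have)
	m, ok2 := versionKey(min)
	return !ok1 || !ok2 || h < m
}

// audit returns the toolchain version embedded in the binary at path.
func audit(path string) (string, bool) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "unknown", true // no readable build info: treat as stale
	}
	return info.GoVersion, needsRebuild(info.GoVersion, minFixed)
}

func main() {
	for _, p := range os.Args[1:] {
		v, stale := audit(p)
		fmt.Printf("%s\t%s\trebuild=%v\n", p, v, stale)
	}
}
```

Run it with the paths of the installed Go executables as arguments; every line ending in `rebuild=true` is a binary to rebuild and reinstall.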