Date: Thu, 14 Jan 2016 05:25:40 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 206225] net/syncthing: security update to 1.12.13
Message-ID: <bug-206225-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206225

            Bug ID: 206225
           Summary: net/syncthing: security update to 1.12.13
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: swills@FreeBSD.org
          Reporter: peter@FreeBSD.org
          Assignee: swills@FreeBSD.org
             Flags: maintainer-feedback?(swills@FreeBSD.org)

Created attachment 165544
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=165544&action=edit
Patch for syncthing 1.12.3 -> 1.12.13.

The golang TLS private key leak requires all downstream packages to be rebuilt
and reinstalled. As there is no runtime dependency for pkg to track to
determine whether the fixed 1.5.3 was used or not for the static linking data
source, all lang/go consumers need a bump. It just so happens that syncthing
has a version bump specifically for this. The particular vulnerability is
easiest to exploit on 32 bit systems, but 64 bit are still vulnerable in theory
as well.

https://forum.syncthing.net/t/security-update-syncthing-v0-12-13/6548

I've attached an initial update for net/syncthing and friends. I've added a
hard requirement for a minimum go version as well.

I think syncthing <= 1.12.12 (and all other golang consumers that use the TLS
code) should have a vuxml entry.

We're using this on the freebsd.org cluster but a sanity check is required.

-- 
You are receiving this mail because:
You are the assignee for the bug.