OPENSUSE-SU-2021:0713-1
Security update for syncthing (moderate)
Published: May 12, 2021
Source: lists.opensuse.org

CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

  Attack Vector:          NETWORK
  Attack Complexity:      LOW
  Privileges Required:    NONE
  User Interaction:       NONE
  Scope:                  UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact:       NONE
  Availability Impact:    HIGH

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)

  Access Vector:          NETWORK
  Access Complexity:      LOW
  Authentication:         NONE
  Confidentiality Impact: NONE
  Integrity Impact:       NONE
  Availability Impact:    PARTIAL

An update that fixes one vulnerability is now available.

Description:

This update for syncthing fixes the following issues:

Update to 1.15.0/1.15.1

 * This release fixes a vulnerability where Syncthing and the relay
   server can crash due to malformed relay protocol messages
   (CVE-2021-21404); see GHSA-x462-89pf-6r5h. (boo#1184428)
 * This release updates the CLI to use subcommands and adds the
   subcommands cli (previously standalone stcli utility) and decrypt (for
   offline verifying and decrypting encrypted folders).
 * With this release we invite everyone to test the "untrusted
   (encrypted) devices" feature. You should not use it yet on important
   production data; the UI controls are therefore hidden behind a feature
   flag. For more information, visit:
   https://forum.syncthing.net/t/testing-untrusted-encrypted-devices/16470

Update to 1.14.0

 * This release adds configurable device and folder defaults.
 * The output format of the /rest/db/browse endpoint has changed.

Update to 1.13.1:

 * This release adds configuration options for min/max connections (see
   https://docs.syncthing.net/advanced/option-connection-limits.html) and
   moves the storage of pending devices/folders from the config to the
   database (see
   https://docs.syncthing.net/dev/rest.html#cluster-endpoints).
 * Bugfixes:
   * Official builds of v1.13.0 come with the Tech UI, which is impossible
     to switch back from

Update to 1.12.1:

 * Invalid names are allowed and "auto accepted" in folder root path on
   Windows
 * Sometimes indexes for some folders aren't sent after starting Syncthing
 * [Untrusted] Remove Unexpected Items leaves things behind
 * Wrong theme on selection
 * QUIC spamming address resolving
 * Deleted locally changed items still shown as locally changed
 * Allow specifying remote expected web UI port which would generate a
   href somewhere
 * Ignore fsync errors when saving ignore files

Update to 1.12.0

 * The 1.12.0 release adds a new config REST API.
 * The 1.11.0 release adds the sendFullIndexOnUpgrade option to control
   whether all index data is resent when an upgrade is detected, equivalent
   to starting Syncthing with --reset-deltas. This
   (sendFullIndexOnUpgrade=true) used to be the behavior in previous
   versions, but is mainly useful as a troubleshooting step and causes high
   database churn. The new default is false.

Update to 1.10.0

 * This release adds the config option announceLANAddresses to enable (the
   default) or disable announcing private (RFC1918) LAN IP addresses to
   global discovery.

Update to 1.9.0

Fix the Leap build by requiring at least Go 1.14.

Prevent the build system from downloading Go modules, which would require an
internet connection during the build.

Update to 1.8.0

 * The 1.8.0 release
   * adds the experimental copyRangeMethod config on folders, for use on
     filesystems with copy-on-write support. See
     https://docs.syncthing.net/advanced/folder-copyrangemethod.html for
     details.
   * adds TCP hole punching, used to establish high performance TCP
     connections in certain NAT scenarios where only relay or QUIC
     connections could be used previously.
   * adds a configuration to file versioning for how often to run cleanup.
     This defaults to once an hour, but is configurable from very frequently
     to never.
 * The 1.7.0 release performs a database migration to optimize for clusters
   with many devices.
 * The 1.6.0 release performs a database schema migration, and adds the
   BlockPullOrder, DisableFsync and MaxConcurrentWrites folder options to
   the configuration schema. The LocalChangeDetected event no longer has
   the action set to added for new files, instead showing modified for all
   local file changes.
 * The 1.5.0 release changes the default location for the index database
   under some circumstances. Two new flags can also be used to affect the
   location of the configuration (-config) and database (-data)
   separately. The old -home flag is equivalent to setting both of these
   to the same directory. When no flags are given the following logic is
   used to determine the data location:
   * If a database exists in the old default location, that location is
     still used. This means existing installations are not affected by
     this change.
   * If $XDG_DATA_HOME is set, use $XDG_DATA_HOME/syncthing.
   * If ~/.local/share/syncthing exists, use that location.
   * Otherwise, use the old default location.

Update to 1.4.2:

 * Bugfixes:
   * #6499: panic: nil pointer dereference in usage reporting
 * Other issues:
   * revert a change to the upgrade code that puts unnecessary load on the
     upgrade server

Update to 1.4.1:

 * Bugfixes:
   * #6289: "general SOCKS server failure" since syncthing 1.3.3
   * #6365: Connection errors not shown in GUI
   * #6415: Loop in database migration "folder db index missing" after
     upgrade to v1.4.0
   * #6422: "fatal error: runtime: out of memory" during database
     migration on QNAP NAS
 * Enhancements:
   * #5380: gui: Display folder/device name in modal
   * #5979: UNIX socket permission bits
   * #6384: Do auto upgrades early and synchronously on startup
 * Other issues:
   * #6249: Remove unnecessary RAM/CPU stats from GUI

Update to 1.4.0:

 * Important changes:
   * New config option maxConcurrentIncomingRequestKiB
   * Replace config option maxConcurrentScans with maxFolderConcurrency
   * Improve database schema
 * Bugfixes:
   * #4774: Doesn't react to Ctrl-C when run in a subshell with
     -no-restart (Linux)
   * #5952: panic: Should never get a deleted file as needed when we
     don't have it
   * #6281: Progress emitter uses 100% CPU
   * #6300: lib/ignore: panic: runtime error: index out of range [0] with
     length 0
   * #6304: Syncing issues, database missing sequence entries
   * #6335: Crash or hard shutdown can cause database inconsistency, out
     of sync
 * Enhancements:
   * #5786: Consider always running the monitor process
   * #5898: Database performance: reduce duplication
   * #5914: Limit folder concurrency to improve performance
   * #6302: Avoid thundering herd issue by global request limiter

Change the Go build requirement to a more flexible "golang(API) >= 1.12".
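
The data-location precedence described under the 1.5.0 release above, written out as an added Go example (not Syncthing's own code). The old default directory, the home directory and the database marker file name are assumptions or constructed sample values, and the filesystem check is injected so the four rules can be exercised offline in the order the advisory lists them:

```go
package main

import (
	"fmt"
	"path/filepath"
)

// Presence of this file marks "a database exists" in a directory. The advisory
// does not say how Syncthing detects a database, so the name is an assumption.
const dbMarker = "index-v0.14.0.db"

// env carries the inputs the rules depend on, injected so they run offline.
type env struct {
	oldDefault  string            // pre-1.5.0 default directory (not named in the advisory)
	home        string            // user home directory, used to expand "~"
	xdgDataHome string            // $XDG_DATA_HOME, "" when unset
	exists      func(string) bool // reports whether a path exists
}

// dataDir applies the advisory's rules in order: a database in the old default
// location wins (existing installs are unaffected), then $XDG_DATA_HOME/syncthing,
// then ~/.local/share/syncthing if it exists, and finally the old default.
func dataDir(e env) string {
	if e.exists(filepath.Join(e.oldDefault, dbMarker)) {
		return e.oldDefault
	}
	if e.xdgDataHome != "" {
		return filepath.Join(e.xdgDataHome, "syncthing")
	}
	if p := filepath.Join(e.home, ".local", "share", "syncthing"); e.exists(p) {
		return p
	}
	return e.oldDefault
}

// fakeFS builds an exists() callback over a constructed set of paths.
func fakeFS(paths ...string) func(string) bool {
	set := map[string]bool{}
	for _, p := range paths {
		set[p] = true
	}
	return func(p string) bool { return set[p] }
}

func main() {
	// Constructed sample: fresh install with XDG_DATA_HOME set, so rule 2 applies.
	e := env{oldDefault: "/home/u/.config/syncthing", home: "/home/u",
		xdgDataHome: "/home/u/xdg", exists: fakeFS()}
	fmt.Println(dataDir(e)) // /home/u/xdg/syncthing
}
```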

This update was imported from the openSUSE:Leap:15.2:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Backports SLE-15-SP2:

    zypper in -t patch openSUSE-2021-713=1
