CVE-2017-1000420 - Link Following vulnerability in Syncthing

047910
CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: HIGH
Availability impact: NONE
Tags: network, low complexity, syncthing, CWE-59, nessus

Summary

Syncthing version 0.14.33 and older is vulnerable to symlink traversal, resulting in arbitrary file overwrite.

Vulnerable Configurations

Part          Description   Count
Application   Syncthing     248

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Symlink Attack
    An attacker positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name. The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the attacker may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the attacker to control the actions of the target or to cause the target to expose information to the attacker. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the attacker would normally have.
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
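The summary and the Symlink Attack entry above describe the same failure mode: a program writes to a name inside a directory it believes it controls, the name is actually a symbolic link planted by someone else, and the kernel delivers the write to the link's endpoint. The Go program below is an added illustration written for this page; it is not Syncthing's code or its fix. It places a naive write next to a guarded write that first confines the path lexically to a root directory and then refuses to cross any symlink component on the way to the target. The names NaiveWriteFile, SafeWriteFile and ErrUnsafePath, and the temporary directories the demo creates, are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned when a relative path escapes the root directory
// lexically ("..") or would cross a symbolic link on the way to the target.
var ErrUnsafePath = errors.New("refusing to write: path escapes root or crosses a symlink")

// NaiveWriteFile is the CWE-59 pattern: it joins the name onto the root and
// writes. If the name (or any parent component) is a symlink, the kernel
// follows it and the data lands on the link's endpoint, possibly outside root.
func NaiveWriteFile(root, rel string, data []byte) error {
	return os.WriteFile(filepath.Join(root, rel), data, 0o644)
}

// SafeWriteFile is the guarded form. It (1) rejects paths that leave root
// lexically and (2) walks every existing component below root with Lstat,
// refusing if any of them is a symlink. Components that do not exist yet
// cannot be links; the final write then creates the file (or fails normally
// if its parent directory is missing).
func SafeWriteFile(root, rel string, data []byte) error {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return err
	}
	target := filepath.Join(absRoot, rel) // Join also cleans the path
	inside, err := filepath.Rel(absRoot, target)
	if err != nil || inside == ".." || strings.HasPrefix(inside, ".."+string(filepath.Separator)) {
		return ErrUnsafePath
	}

	cur := absRoot
	for _, part := range strings.Split(inside, string(filepath.Separator)) {
		if part == "" || part == "." {
			continue
		}
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur) // Lstat reports the link itself, not its target
		if errors.Is(err, os.ErrNotExist) {
			break // nothing beyond this point exists, so nothing can be a link
		}
		if err != nil {
			return err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return ErrUnsafePath
		}
	}
	return os.WriteFile(target, data, 0o644)
}

func main() {
	// Constructed demo: root holds a symlink pointing at a file outside it.
	root, _ := os.MkdirTemp("", "root")
	outside, _ := os.MkdirTemp("", "outside")
	defer os.RemoveAll(root)
	defer os.RemoveAll(outside)

	victim := filepath.Join(outside, "victim.txt")
	_ = os.WriteFile(victim, []byte("original"), 0o644)
	_ = os.Symlink(victim, filepath.Join(root, "link.txt"))

	fmt.Println("naive:", NaiveWriteFile(root, "link.txt", []byte("replaced")))
	content, _ := os.ReadFile(victim)
	fmt.Println("victim after naive write:", string(content))

	fmt.Println("safe:", SafeWriteFile(root, "link.txt", []byte("replaced")))
	fmt.Println("safe:", SafeWriteFile(root, "../escape.txt", []byte("x")))
	fmt.Println("safe:", SafeWriteFile(root, "ok.txt", []byte("fine")))
}
```

The Lstat walk closes the hole the record describes, but it is a check-then-act sequence: a link created between the Lstat and the final write would still be followed. Closing that window needs an openat-style descent with O_NOFOLLOW on each step, or, as the changelog on this page records for Syncthing, refusing to keep symlinks in the versioned directory at all (they are deleted on startup from 0.14.37 on).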

Nessus

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2018-45.NASL
description: This update for syncthing brings a new version and fixes the following issues : - Update to version 0.14.42 : - Discovering new files in a deleted directory does not resurrect the directory (gh#syncthing/syncthing#4475). -
last seen: 2020-06-05
modified: 2018-01-16
plugin id: 106072
published: 2018-01-16
reporter: This script is Copyright (C) 2018-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/106072
title: openSUSE Security Update : syncthing (openSUSE-2018-45)
code:
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2018-45.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(106072);
  script_version("3.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2017-1000420");

  script_name(english:"openSUSE Security Update : syncthing (openSUSE-2018-45)");
  script_summary(english:"Check for the openSUSE-2018-45 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update for syncthing brings a new version and fixes the following
issues :

  - Update to version 0.14.42 :

  - Discovering new files in a deleted directory does not
    resurrect the directory (gh#syncthing/syncthing#4475).

  - 'Panic: interface conversion: *errors.errorString is not
    net.Error' after restart (gh#syncthing/syncthing#4561).

  - Auto-accept shared directories from trusted devices
    (gh#syncthing/syncthing#2299).

  - Empty directories in .stversions should be removed
    (gh#syncthing/syncthing#4406).

  - Human readable errors on attempted deletion of a
    non-empty directory (gh#syncthing/syncthing#4476).

  - Add confirmation on the Remove Folder / Device button
    (gh#syncthing/syncthing#4543).

  - Update to version 0.14.41 :

  - Devices with ignored files stay 'synchronising' forever
    (gh#syncthing/syncthing#623).

  - No Global Discovery without Synch Protocol Listen
    Address (gh#syncthing/syncthing#4418).

  - Local network classification doesn't always work
    (gh#syncthing/syncthing#4421).

  - Hashed GUI password should not be rehashed
    (gh#syncthing/syncthing#4458).

  - Pulls not triggered correctly on reconnection
    (gh#syncthing/syncthing#4504).

  - A symlink/file replacement doesn't work properly
    (gh#syncthing/syncthing#4505).

  - File/directory replacement doesn't work properly
    (gh#syncthing/syncthing#4506).

  - Logging at info level and above should always include
    context (gh#syncthing/syncthing#4510).

  - Panic in 'pfilter' package on 32 bit architectures
    (gh#syncthing/syncthing#4537).

  - Allow synchronising read-only directories as 'Master
    Directories' (gh#syncthing/syncthing#1126).

  - 'Global Changes' button is confusing, retitle to 'Recent
    Changes' (gh#syncthing/syncthing#4326).

  - Dial device addresses in parallel
    (gh#syncthing/syncthing#4456).

  - Avoid lots and lots of announced addresses in the
    presence of symmetric NAT (gh#syncthing/syncthing#4519).

  - Split transport usage reporting per stack
    (gh#syncthing/syncthing#4463).

  - Update to version 0.14.40 :

  - Report more data part of the anonymous usage report
    (gh#syncthing/syncthing#3628)

  - Better report synchronisation errors
    (gh#syncthing/syncthing#4392).

  - Removing paused directories no longer causes a panic
    (gh#syncthing/syncthing#4405).

  - Make local IPv4 discovery more resilient against write
    failures (gh#syncthing/syncthing#4414).

  - Clearer logging around config failures at startup
    (gh#syncthing/syncthing#4431).

  - Do not complain about inability to fsync files
    (gh#syncthing/syncthing#4432).

  - Improve KCP connections (gh#syncthing/syncthing#4446).

  - Improve directory health checking
    (gh#syncthing/syncthing#4451).

  - Include built-in support for file system notifications,
    although it is disabled by default.

  - Enable by default the UDP based 'KCP' protocol.

  - Update to version 0.14.39 :

  - Removing paused directories no longer triggers a crash
    (gh#syncthing/syncthing#4357).

  - Add further security related HTTP headers
    (gh#syncthing/syncthing#4360).

  - Improve info level logging in some cases
    (gh#syncthing/syncthing#4375).

  - Improve GUI tooltips in chromium based browsers
    (gh#syncthing/syncthing#4377).

  - Add -device-id command line switch
    (gh#syncthing/syncthing#4387).

  - Failure to upgrade directory markers from file to
    directory type is no longer fatal.

  - Update to version 0.14.38 :

  - KCP connections are now more stable
    (gh#syncthing/syncthing#4063,
    gh#syncthing/syncthing#4343)

  - Hashing benchmarks are skipped if a manual selection has
    been forced (gh#syncthing/syncthing#4348).

  - Relay server RAM usage has been reduced
    (gh#syncthing/syncthing#4245).

  - Update to version 0.14.37 (changes since 0.14.32) :

  - Relative version paths are now correctly relative to the
    directory path (gh#syncthing/syncthing#4188).

  - Remote devices now show bytes remaining to synchronise
    (gh#syncthing/syncthing#4227).

  - Editing ignore patterns no longer incorrectly shows
    included patterns (gh#syncthing/syncthing#4249).

  - The new directory dialogue now suggests a default path.
    Adjustable via advanced config defaultFolderPath
    (gh#syncthing/syncthing#2157).

  - The build script no longer sets -installsuffix by
    default (gh#syncthing/syncthing#4272).

  - Prevent a vulnerability that allows file overwrite via
    versioned symlinks (CVE-2017-1000420, boo#1074428,
    gh#syncthing/syncthing#4286).

  - Symlinks are deleted from versioned directories on
    startup (gh#syncthing/syncthing#4288).

  - Directory paths are no longer reset when editing a
    directory without a label (gh#syncthing/syncthing#4297).

  - Better detect synchronisation conflicts that happen
    while synchronising (gh#syncthing/syncthing#3742,
    gh#syncthing/syncthing#4305).

  - Fix a crash related to a nil reference in ignore
    handling (gh#syncthing/syncthing#4300).

  - Stop requiring golang.org/x/net/context.

  - Update to version 0.14.32 :

  - 'Nearby devices' are now shown in the add device
    dialogue, avoiding the need to type their device ID
    (gh#syncthing/syncthing#4157).

  - Directories that were once ignored in a sharing request
    now actually work properly when later added manually
    (gh#syncthing/syncthing#4219).

  - Update to version 0.14.31 (changes since 0.14.29) :

  - Correctly clear warning 'path is a subdirectory of other
    folder' in directory dialogue
    (gh#syncthing/syncthing#3433).

  - Conflict copies filename now includes the ID of the last
    device to change the file (gh#syncthing/syncthing#3524).

  - Directories offered by other devices can now be ignored
    (gh#syncthing/syncthing#3993).

  - Changed device name takes effect with restart; device
    name is not sent to unknown devices
    (gh#syncthing/syncthing#4164).

  - Correctly show CPU usage when started with -no-restart
    option (gh#syncthing/syncthing#4183).

  - Icons and directory information in local device summary
    is consistent with that in directories
    (gh#syncthing/syncthing#4100).

  - Fix a data race in KCP & STUN
    (gh#syncthing/syncthing#4177).

  - Ignore patterns on newly accepted directories are no
    longer erroneously inherited from an earlier added
    directory (gh#syncthing/syncthing#4203).

  - Update to version 0.14.29 :

  - The layout of the global changes dialogue is improved
    (gh#syncthing/syncthing#3895).

  - Running as root or SYSTEM now triggers a warning
    recommending against it (gh#syncthing/syncthing#4123).

  - Changing the theme no longer causes an HTTP error
    (gh#syncthing/syncthing#4127).

  - Update to version 0.14.28 :

  - It is now possible to create custom event subscriptions
    via the REST API (gh#syncthing/syncthing#1879).

  - Removing large directories now uses less memory
    (gh#syncthing/syncthing#2250).

  - The minimum disc space (per directory and for the home
    drive) can now be set to an absolute value
    (gh#syncthing/syncthing#3307).

  - Pausing or reconfiguring a directory will no longer
    start extra scans. Pausing a directory stops scanning
    (gh#syncthing/syncthing#3965).

  - Ignore patterns can now be set at directory creation
    time, and for paused directories
    (gh#syncthing/syncthing#3996).

  - It is no longer possible to configure the GUI/API to
    listen on a privileged port using the standard settings
    dialogue (gh#syncthing/syncthing#4020).

  - The device allowed subnet list can now include negative
    ('!') entries to disallow subnets
    (gh#syncthing/syncthing#4096).

  - Doing 'Override changes' now uses less memory
    (gh#syncthing/syncthing#4112).

  - Require golang.org/x/net/context on openSUSE older than
    openSUSE Leap 15.x.

  - Update to version 0.14.27 :

  - Devices can now have a list of allowed subnets (advanced
    config) (gh#syncthing/syncthing#219).

  - The transfer rate units can now be changed by clicking
    on the value (gh#syncthing/syncthing#234).

  - UI text explaining 'Introducer' is improved
    (gh#syncthing/syncthing#1819).

  - Advanced config editor can now edit lists of things
    (gh#syncthing/syncthing#2267).

  - Directories created for new directories now obey the
    user umask setting (gh#syncthing/syncthing#2519).

  - Incoming index updates are consistency checked better
    (gh#syncthing/syncthing#4053).

  - Update to version 0.14.26 :

  - Discovery errors are more clearly displayed in the GUI
    (gh#syncthing/syncthing#2344).

  - The language dropdown menu in the GUI is now correctly
    sorted (gh#syncthing/syncthing#3913).

  - When there are items that could not be synced, their
    full path is displayed in the GUI.

  - Update to version 0.14.25 :

  - Improve 'Pause All'/'Resume All' icons
    (gh#syncthing/syncthing#4003).

  - There are now mips and mipsle builds by default
    (gh#syncthing/syncthing#3959).

  - The 'overwriting protected files' warning now correctly
    handles relative paths to the config directory
    (gh#syncthing/syncthing#3183).

  - The experimental KCP protocol for transfers over UDP has
    been merged, although it's not currently enabled by
    default (gh#syncthing/syncthing#804).

  - Update to version 0.14.24 :

  - lib/sync: Fix a race in unlocker logging
    (gh#syncthing/syncthing#3884).

  - Make links and log messages refer to https instead of
    http where possible (gh#syncthing/syncthing#3976).

  - The default number of parallel file processing routines
    per directory is now two (previously one), and the
    number of simultaneously outstanding network requests
    has been increased.

  - The UI now contains buttons to pause or resume all
    directories with a single action.

  - Update to version 0.14.23 (changes since 0.14.21) :

  - Leading and trailing spaces are no longer stripped in
    the GUI password field (gh#syncthing/syncthing#3935)

  - The GUI shows remaining amount of data to sync per
    directory (gh#syncthing/syncthing#3908).

  - There should no longer be empty entries in the global
    log (gh#syncthing/syncthing#3933).

  - Weak hashing is now by default only enabled when it
    makes sense from a performance point of view
    (gh#syncthing/syncthing#3938).

  - Update to version 0.14.21 (changes since 0.14.19) :

  - There is now a warning when adding a directory that is a
    parent of an existing directory
    (gh#syncthing/syncthing#3197).

  - Using -logfile flag together with -no-restart now causes
    an error instead of silently failing
    (gh#syncthing/syncthing#3912).

  - Weak hashing is now disabled completely when the
    threshold percentage is > 100
    (gh#syncthing/syncthing#3891).

  - Rate limiting now actually works on ARM64 builds again
    (gh#syncthing/syncthing#3921).

  - Fix an issue where UPnP port allocations would be
    incorrect under some circumstances
    (gh#syncthing/syncthing#3924).

  - Weak hashing is a bit faster and allocates less memory.

  - The hashing performance reported at startup now includes
    weak hashing.

  - The GUI 'network error' dialogue no longer shows up as
    easily in some scenarios when using Syncthing behind a
    reverse proxy.

  - Update to version 0.14.19 :

  - Changing bandwidth rate limits now takes effect
    immediately without restart
    (gh#syncthing/syncthing#3846)

  - The event log (-audit) can now be directed to stderr for
    piping into an another application
    (gh#syncthing/syncthing#3859).

  - A panic on directory listing at startup has been fixed
    (gh#syncthing/syncthing#3584).

  - When a directory is deleted, the .stfolder marker is
    also removed. The ignore file and .stversions directory
    are retained, if present (gh#syncthing/syncthing#3857).

  - Several scenarios where a device would get stuck with
    'not a directory' errors are now handled again
    (gh#syncthing/syncthing#3819).

  - Third-party copyrights in the about box are now more up
    to date (gh#syncthing/syncthing#3839).

  - Hashing performance has been improved
    (gh#syncthing/syncthing#3861)

  - Update to version 0.14.18 :

  - Fix connections to older Syncthing versions being no
    longer closed due to an unmarshalling message: 'proto:
    wrong wireType = 2 for field BlockIndexes'
    (gh#syncthing/syncthing#3855).

  - Update to version 0.14.17 :

  - Panics caused by corrupt on disc database are now better
    explained in the panic message
    (gh#syncthing/syncthing#3689).

  - Statically configured device addresses without port
    number now correctly defaulted to port 22000 again
    (gh#syncthing/syncthing#3817).

  - Inotify clients no longer cause 'invalid subpath' errors
    to be displayed (gh#syncthing/syncthing#3829).

  - Directories can now be paused
    (gh#syncthing/syncthing#215).

  - 'Master' directories are now called 'send only' in order
    to standardise on a terminology of sending and receiving
    changes (gh#syncthing/syncthing#2679).

  - Pausing devices and directories now persists across
    restarts (gh#syncthing/syncthing#3407).

  - A rolling checksum is used to identify and reuse blocks
    that have moved within a file
    (gh#syncthing/syncthing#3527).

  - Syncthing allows setting the type-of-service field on
    outgoing packets, configured by the advanced setting
    'trafficClass' (gh#syncthing/syncthing#3790).

  - Which device introduced another device is now visible in
    the GUI (gh#syncthing/syncthing#3809)."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1074428"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected syncthing package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:syncthing");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/01/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/16");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE42.2", reference:"syncthing-0.14.42-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"syncthing-0.14.42-3.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "syncthing");
}