limetech Posted May 27, 2022

This release contains Security fixes, a Data Corruption mitigation, bug fixes and other minor improvements.

To upgrade:
First create a backup of your USB flash boot device: Main/Flash/Flash Backup
If you are running any 6.4 or later release, click 'Check for Updates' on the Tools/Update OS page.
If you are running a pre-6.4 release, click 'Check for Updates' on the Plugins page.
If the above doesn't work, navigate to Plugins/Install Plugin, select/copy/paste this plugin URL and click Install:
https://unraid-dl.sfo2.cdn.digitaloceanspaces.com/stable/unRAIDServer.plg

Bugs: If you discover a bug or other issue in this release, please open a Stable Releases Bug Report.

Thank you to all Moderators, Community Developers and Community Members for reporting bugs, providing information and posting workarounds.

Please remember to make a flash backup!

Data Corruption possible with tg3 driver when Intel VT-d is enabled.

The combination of Linux 5.15 kernel, tg3 driver, and Intel VT-d enabled appears to be causing data corruption. This has been verified on several platforms which include a Broadcom NetXtreme Gigabit Ethernet NIC (note: there may be others). This release includes the following workaround:

Very early in server startup (rc.S) if Intel VT-d is detected enabled, then the script will unconditionally create the file:
/etc/modprobe.d/tg3.conf
with following content:
blacklist tg3

Hence by default if VT-d is enabled, which is to say, it has not been disabled in either bios or via kernel "intel_iommu=off", then we are going to blacklist the tg3 driver on all platforms.

What if someone has a platform where tg3 does not give them any trouble with VT-d enabled? In this case they must create an empty file on their flash device:
config/modprobe.d/tg3.conf

When the startup sequence continues it will get to the point where it executes:
install -p -m 0644 /boot/config/modprobe.d/* /etc/modprobe.d

A blank tg3.conf file stored on the flash then effectively un-blacklists it.

There will be users who will lose network connectivity because their NIC is blacklisted. If you are running on a problematic platform you should go into your bios and disable VT-d. If this is a platform without issue, then you will need to create the blank tg3.conf file on your flash config/modprobe.d directory.

It may take some time to identify and integrate a proper fix for this issue, at which point we will remove the auto-blacklisting code. I want to thank @JorgeB for his incredible help in identifying and isolating this issue.

Security-related Changes

The Firefox browser has been updated to version 100.0.2 to address a very nasty security vulnerability. If you use Firefox we also suggest upgrading on all platforms.
We fixed an issue where webGUI login could accept a password from a user other than 'root', if that username included the string 'root'.
The Linux kernel was updated to 5.15.43 to address a "security bypass" vulnerability.

Other Changes

On Management Access page, for the "Use SSL/TLS" setting we changed the word "Auto" to "Strict" in the drop-down menu. This better describes the action of this setting.
Docker manager now uses Docker label for icons as fallback.
VM manager now gives the option of using LibVirt networks in addition to bridges without having to edit the VM's XML.
Improved handling of custom SSL certificates.
[6.10.1] Fix regression: support USB flash boot from other than partition 1
other misc. bug fixes

Version 6.10.2 2022-05-27

Base distro:
  firefox AppImage: version: 100.0.r20220519220738 (CVE-2022-1802 CVE-2022-1529)

Linux kernel:
  version 5.15.43-Unraid (CVE-2022-21499)

Management:
  nginx: avoid appending default port number to redirect URLs
  nginx: self-signed cert file: accept common name and all alternate names
  startup: fix multiple network interfaces being assigned the same MAC address
  startup: blacklist tg3 by default if Intel VT-d is enabled
  webgui: Management Access: Use SSL/TLS setting: change the word 'Auto' to 'Strict'
  webgui: Fixed: smGlue not included when selecting a controller
  webgui: Fixed: allow share names with embedded ampersand
  webgui: add LXC terminal support (for LXC Plugin)
  webgui: Docker Web UI to use Docker label for icons as fallback
  webgui: VM Manager: support libvirt networks (make libvirt networks accessible via gui)
  webgui: fix issue where 'root' login works with password from another username which includes string 'root'
  webgui: Update OS page spelling correction: warninging -> warning
  webgui: helptext review: minor corrections

Version 6.10.1 2022-05-21

Management:
  startup: fix regression: support USB flash boot from other than partition 1

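The startup ordering described in the release notes above, replayed in a scratch directory as an added example (not Unraid's rc.S; the dmar-based VT-d check and the function names are assumptions). It shows why an empty tg3.conf on the flash device ends up un-blacklisting the driver.

```shell
# Added example: replays the two startup steps from the release notes inside
# a scratch root, so the outcome can be checked without touching a server.
# ASSUMPTION: VT-d counts as enabled when a dmar* entry exists under
# sys/class/iommu. The release notes do not say how rc.S detects it.
vtd_enabled() {
    for d in "$1"/sys/class/iommu/dmar*; do
        [ -e "$d" ] && return 0
    done
    return 1
}

# Step 1 (rc.S): write the blacklist when VT-d is enabled.
# Step 2: copy flash overrides on top, using the command from the notes.
replay_startup() {
    mkdir -p "$1/etc/modprobe.d"
    if vtd_enabled "$1"; then
        echo "blacklist tg3" > "$1/etc/modprobe.d/tg3.conf"
    fi
    if ls "$1"/boot/config/modprobe.d/* >/dev/null 2>&1; then
        install -p -m 0644 "$1"/boot/config/modprobe.d/* "$1/etc/modprobe.d"
    fi
}

# Prints "blacklisted" or "loadable" for tg3 after the replay.
tg3_state() {
    replay_startup "$1"
    if grep -Eqs '^[[:space:]]*blacklist[[:space:]]+tg3([[:space:]]|$)' \
        "$1/etc/modprobe.d/tg3.conf"; then
        echo blacklisted
    else
        echo loadable
    fi
}

# Constructed scenario. $1 = vtd|novtd, $2 = override|nooverride
scenario() {
    root=$(mktemp -d)
    if [ "$1" = vtd ]; then mkdir -p "$root/sys/class/iommu/dmar0"; fi
    if [ "$2" = override ]; then
        mkdir -p "$root/boot/config/modprobe.d"
        : > "$root/boot/config/modprobe.d/tg3.conf"   # empty file on flash
    fi
    tg3_state "$root"
    rm -rf "$root"
}

for v in vtd novtd; do for o in nooverride override; do
    echo "$v $o -> $(scenario "$v" "$o")"
done; done
```

Because the flash copy simply overwrites the generated file, a tg3.conf on flash that itself contains a blacklist line would keep the driver blacklisted.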
SpencerJ Posted May 27, 2022

Unraid OS Version 6.10.2 Now Available

Have a great weekend all!

jtech007 Posted May 27, 2022

Upgraded from 6.9.2 to 6.10.1 a few days ago. Just upgraded to 6.10.2 today. No issues with either upgrade.

handspiker2 Posted May 27, 2022

> webgui: fix issue where 'root' login works with password from another username which includes string 'root'

How long has that been insecure? Also how was that not caught by unit tests? "Login doesn't accept trailing characters" is a pretty rudimentary test case for a security system.

blaine07 Posted May 27, 2022

How does this affect those of us with Dells turning iommu=on?

blaine07 Posted May 27, 2022 (edited)

Post says “Broadcom NetXtreme Gigabit Ethernet NIC (note: there may be others).” are affected but what about “NetXtreme II”? Would they be affected?

See attached pic.

Edited May 27, 2022 by blaine07

limetech Posted May 28, 2022 (Author)

38 minutes ago, blaine07 said:
> Post says “Broadcom NetXtreme Gigabit Ethernet NIC (note: there may be others).” are affected but what about “NetXtreme II”? Would they be affected? See attached pic.

Does it use 'tg3' driver?

blaine07 Posted May 28, 2022 (edited)

3 minutes ago, limetech said:
> Does it use 'tg3' driver?

No, it appears not.

“lsmod | grep tg3” says no but having changed the IOMMU thing how do you recommend I proceed? Leave or remove that startup change? If it turns Intel IOMMU on but the changes turn it off will there be conflict?

See attached pic.

Edited May 28, 2022 by blaine07

limetech Posted May 28, 2022 (Author)

2 hours ago, handspiker2 said:
> How long has that been insecure? Also how was that not caught by unit tests? "Login doesn't accept trailing characters" is a pretty rudimentary test case for a security system.

Issue was introduced at the beginning of 6.10-rc series when we introduced code to require a root password and add brute-force mitigations. Does not have to do with sanitizing input from a form but rather server-side extraction of the record from /etc/shadow file. You can examine the one-line fix here.

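The bug class described in the reply above, as an added example that is not the webGUI's code: a substring match against a constructed shadow file returns another account's record for 'root', while an exact first-field comparison does not. The function names and sample accounts are hypothetical.

```shell
# Added example: substring vs exact-field lookup of a shadow record.
# Sample file is constructed; the hash fields are placeholders.
make_sample_shadow() {   # $1 = path to write
    cat > "$1" <<'EOF'
notroot:$6$CONSTRUCTED$hash-of-notroot-password:19139:0:99999:7:::
root:$6$CONSTRUCTED$hash-of-root-password:19139:0:99999:7:::
rootbackup:$6$CONSTRUCTED$hash-of-rootbackup-password:19139:0:99999:7:::
EOF
}

# Flawed (hypothetical, shows the bug class): first line that contains the
# name anywhere, so "notroot" satisfies a lookup for "root".
lookup_substring() {     # $1 = user, $2 = shadow file
    grep -F -- "$1" "$2" | head -n 1 | cut -d: -f2
}

# Hardened: the whole first field must equal the name. Appending "" forces a
# string comparison, so numeric-looking names are not compared as numbers.
lookup_exact() {
    awk -F: -v u="$1" '($1 "") == (u "") { print $2; exit }' "$2"
}

# Regression check: number of accounts whose name contains, but is not, $1.
lookalikes() {
    awk -F: -v u="$1" 'index($1, u) && ($1 "") != (u "") { n++ }
                       END { print n + 0 }' "$2"
}

demo=$(mktemp)
make_sample_shadow "$demo"
echo "substring lookup: $(lookup_substring root "$demo")"
echo "exact lookup:     $(lookup_exact root "$demo")"
echo "lookalike names:  $(lookalikes root "$demo")"
rm -f "$demo"
```

A login test suite can use the same idea: create an account whose name contains the privileged name and assert that its password is rejected for the privileged login.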
limetech Posted May 28, 2022 (Author)

8 minutes ago, blaine07 said:
> “lsmod | grep tg3” says no but having changed the IOMMU thing how do you recommend I proceed? Leave or remove that startup change? If it turns Intel IOMMU on but the changes turn it off will there be conflict?

By "change" if you mean code added in this release to blacklist 'tg3' - it does not enable/disable Intel IOMMU. It detects if Intel VT-d is enabled, and if so, auto-blacklists 'tg3' - that's it.

I think the issue you are referring to is unrelated. Can't remember atm, but isn't this issue with older Dells? Older platforms, such as GEN8 Microservers have buggy bios which does not reset/virtualization correctly and manufacturers have no appetite to go fix.

blaine07 Posted May 28, 2022

3 minutes ago, limetech said:
> By "change" if you mean code added in this release to blacklist 'tg3' - it does not enable/disable Intel IOMMU. It detects if Intel VT-d is enabled, and if so, auto-blacklists 'tg3' - that's it. I think the issue you are referring to is unrelated. Can't remember atm, but isn't this issue with older Dells? Older platforms, such as GEN8 Microservers have buggy bios which does not reset/virtualization correctly and manufacturers have no appetite to go fix.

Sorry, on the tg3 I didn’t really understand. Ultimately just trying to determine it is safe for me to upgrade. Can rollback if necessary so no harm no foul.

Yes, the BZROOTIMG thing is related to older-ish Dells. First I’ve heard about not resetting virtualization correctly though so not sure there?? 🤔

Thank you for the insight; thank you for your time to help me understand a little bit here. Thanks!

handspiker2 Posted May 28, 2022

17 minutes ago, limetech said:
> Issue was introduced at the beginning of 6.10-rc series when we introduced code to require a root password and add brute-force mitigations. Does not have to do with sanitizing input from a form but rather server-side extraction of the record from /etc/shadow file. You can examine the one-line fix here.

Oh, that's not too bad!

also TIL: the webgui has a public github!

blaine07 Posted May 28, 2022

FWIW got my T610 upgraded from 6.10.0 to .2 without incident! Thank you; and good work folks as usual!!

JorgeB Posted May 28, 2022

6 hours ago, blaine07 said:
> Post says “Broadcom NetXtreme Gigabit Ethernet NIC (note: there may be others).” are affected but what about “NetXtreme II”? Would they be affected?

Different driver:

    01:00.0 Ethernet controller [0200]: Broadcom Inc. and subsidiaries NetXtreme II BCM5709 Gigabit Ethernet [14e4:1639] (rev 20)
        DeviceName: Embedded NIC 1
        Subsystem: Dell PowerEdge T610 BCM5709 Gigabit Ethernet [1028:0237]
        Kernel driver in use: bnx2
        Kernel modules: bnx2

As far as we know, not affected, so far all affected servers I found, about 10 in total, were using a NIC with the tg3 driver and that appears to be the only thing they had in common.

PaulV86 Posted May 28, 2022 (edited)

***Data Corruption possible with tg3 driver when Intel VT-d is enabled.***

Could this not have been mentioned in the changelog as a warning? Or noted more clearly on there? Not everyone goes to the forum prior to updating!

I did read the Change log, but there is no mention of this in the Change log which is shown on the server! And as I am not reading the Beta forum every day: I have a HP MicroServer Gen 8 with a E3-1265LV2, and had a very nasty surprise of a server which was unreachable with the error "ETH0 Not found".

Edited May 28, 2022 by PaulV86

Oceanic Posted May 28, 2022

I have just updated from v6.10.0 to v6.10.2 and now I can't remotely connect to the server, I also have a HP MicroServer Gen8 with a E3-1265LV2

Connecting up a monitor locally I see the following messages on bootup

    Starting mcelog daemon: /usr/sbin/mcelog --daemon
    Device "eth0" does not exist
    Cannot find device "eth0"

I'm unclear how to get the system back up and running, any help appreciated

Thanks

JorgeB Posted May 28, 2022

1 minute ago, Oceanic said:
> I'm unclear how to get the system back up and running, any help appreciated

It's in the release notes, since that server is known to have issues with vt-d enabled you should disable it, you can do that in the BIOS or by adding 'intel_iommu=off' to syslinux.cfg

Oceanic Posted May 28, 2022

Thanks JorgeB

For people who are fairly new to this (like me), here are the instructions on how to fix this on a HP MicroServer Gen 8 with a E3-1265LV2

Reboot the server
During bootup press F9 to enter the bios.
Once the bios is loaded enter the menu System Options -> Processor Options -> Intel(R) VT-d
Set it to disabled
Press Esc to get to the top menu again
Press F10 to exit the bios and save
The server should now boot again as normal

Tolete Posted May 28, 2022

upgraded '6.10.1 > 6.10.2' REMOTELY, without problems. 🖖

limetech Posted May 28, 2022 (Author)

2 hours ago, Oceanic said:
> Thanks JorgeB
> For people who are fairly new to this (like me), here are the instructions on how to fix this on a HP MicroServer Gen 8 with a E3-1265LV2
> Reboot the server
> During bootup press F9 to enter the bios.
> Once the bios is loaded enter the menu System Options -> Processor Options -> Intel(R) VT-d
> Set it to disabled
> Press Esc to get to the top menu again
> Press F10 to exit the bios and save
> The server should now boot again as normal

Thanks for the instructions! Added to release notes:
https://wiki.unraid.net/Unraid_OS_6.10.2#How_to_Disable_Intel_VT-d_on_HP_MicroServer_Gen_8_with_a_E3-1265LV2

hiddenpcmaster Posted May 28, 2022

Captains Log: Stardate-52822

I just Upgraded from 6.9.2 to 6.10.2

With all the activity in the forums about some issues relating to 6.10, I opted to wait until the next release. I'm happy to report NO ISSUES.

Thank you all for the hard work, everything is working!

limetech Posted May 28, 2022 (Author)

1 hour ago, hiddenpcmaster said:
> Captains Log: Stardate-52822
> I just Upgraded from 6.9.2 to 6.10.2
> With all the activity in the forums about some issues relating to 6.10, I opted to wait until the next release. I'm happy to report NO ISSUES.
> Thank you all for the hard work, everything is working!

Your Stardate seems off
https://www.stoacademy.com/tools/stardate.php

vmrkumar Posted May 28, 2022

I am getting following error when update from 6.9.2

    plugin: updating: unRAIDServer.plg
    plugin: downloading: https://unraid-dl.sfo2.cdn.digitaloceanspaces.com/stable/unRAIDServer-6.10.2-x86_64.zip ... failed (Network failure)
    plugin: https://unraid-dl.sfo2.cdn.digitaloceanspaces.com/stable/unRAIDServer-6.10.2-x86_64.zip download failure (Network failure)

Squid Posted May 28, 2022

Network failure *implies* an issue with your configuration (wrong DNS addresses / gateway) or the date & time completely wrong etc.