January 23, 2025
Why is this plugin being called out as an Error from the FixProblems plugin? I don't believe it belongs in the category of Error. Should be downgraded to Warning.

January 23, 2025
Patches are installed after you're notified about them (or manually check for them)
- When you reboot your server
- If in the GUI you manually install them.

January 23, 2025, Author
> 2 minutes ago, DiscoverIt said:
> How does the plugin remove stored patches fixed with a new release?

The patches themselves can be found on your flash drive in /boot/config/plugins/unraid.patch/[version]
Storing them by version means that patches for older releases are automatically ignored when you change versions, but remain available if you roll back. Their size is negligible.

January 23, 2025
Additionally, if when upgrading the OS patches are available that aren't in the new OS version, they are also automatically downloaded and installed when you reboot for the upgrade.

January 23, 2025
In theory there is now at any given moment a potential for 4 stable releases? Current stable options:
- 6.12.15
- 6.12.15+patch (not existent but could)
- 7.0
- 7.0+patch (not existent but could)

Is it going to be whether or not a reboot is required is what determines a patch in the plugin sense vs a patchfix release? Or will this only be used for versions no longer supported per the new licensing?
It just has an odd mouth feel that 6.12.15 is a patch release but you could also have 6.12.15+patch. Maybe 6.12.15 should be renamed a bug fix release (major.minor.bugfix+patch)?
Edited January 23, 2025 by DiscoverIt

January 23, 2025
Have I understood correctly? Once I install it and click "accept" in its tools page this plugin will:
- Automatically download patches to /boot/config/plugins/unraid.patch/[version]
- Send a notification when it has done so

But the system behaviour will not change until I manually reboot, at which point the patches will be applied to whatever base version I'm running.
As a corollary, does that mean if a patch causes problems I can disable the Unraid Patch plugin, delete the offending patch(es) from /boot/config/plugins/unraid.patch/[version], and on rebooting I will be back to the unpatched state of whatever version I'm on?

January 23, 2025
Could someone please clarify here: are the proposed patches likely to have any issues with Windows 11 connecting to the server(s)? I have already had issues in that respect with Windows 11 security and I definitely do not want to revisit the problems again by adding security patches to the servers that Windows 11 is going to be unhappy to connect to.

January 24, 2025
> 10 hours ago, T0rqueWr3nch said:
> I am concerned about its "autoinstall"

As previously mentioned, updates to the plugin will be coming

January 24, 2025
> 4 hours ago, SarahAS2 said:
> But the system behaviour will not change until I manually reboot, at which point the patches will be applied to whatever base version I'm running.

Or if within the GUI for the plugin (Tools - Unraid Patch) you hit "Install"

> 4 hours ago, SarahAS2 said:
> I will be back to the unpatched state

Uninstalling the plugin alone (and rebooting) will set you back in the "unpatched" (not-recommended) OS

January 24, 2025, Author
The patch plugin was created to facilitate fixing certain security issues in the Unraid OS webGUI for older Unraid OS releases. We wanted to give users on older releases a quick and easy way to apply these fixes without having to update to the latest Unraid OS releases immediately.
The plugin stores the patches on your flash drive in /boot/config/plugins/unraid.patch/[version]
Visit Tools > Unraid Patch to install them without needing to reboot. On reboot they will automatically be reinstalled. To remove the patches and get back to stock, uninstall the plugin and reboot.
The patch released yesterday solves a security problem with older versions of Unraid. Unraid 6.12.15 and 7.0.0 have the fixes built in, so strictly speaking they do not need to have the patch plugin installed at this time. However this can be a powerful tool to aid in not only installing critical security updates in a timely manner, but also fixing bugs without having to wait for a full release. For this reason we recommend having the plugin installed on all versions of Unraid.

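A way to review what is staged before it is applied, using the storage location given in the post above. This is an added example, not part of the thread or of the plugin's code; it assumes each staged fix is one unified diff in a `*.patch` file, as the file names quoted in this thread suggest.

```shell
#!/bin/sh
# Added example: inventory the patches staged for one Unraid version so they
# can be reviewed before a reboot or a manual "Install".
# PATCH_ROOT is the directory named in the thread; the layout below it
# (one unified diff per *.patch file) is an assumption.
PATCH_ROOT="${PATCH_ROOT:-/boot/config/plugins/unraid.patch}"

# list_staged_patches VERSION
# Prints one line per patch: "<sha256>  <patch file>  <files it modifies>"
list_staged_patches() {
    dir="$PATCH_ROOT/$1"
    if [ ! -d "$dir" ]; then
        echo "no patch directory for version $1" >&2
        return 1
    fi
    for p in "$dir"/*.patch; do
        [ -f "$p" ] || continue        # glob matched nothing
        sum=$(sha256sum "$p" | cut -d' ' -f1)
        # "+++ <path>" headers name the files a unified diff modifies.
        # Strip git's "b/" prefix and ignore /dev/null (file deletions).
        targets=$(sed -n 's/^+++ \([^[:space:]]*\).*/\1/p' "$p" |
            sed -e 's#^b/##' -e '/^\/dev\/null$/d' | sort -u | tr '\n' ' ')
        printf '%s  %s  %s\n' "$sum" "$(basename "$p")" "${targets% }"
    done
}

# patches_touching VERSION PATH
# Prints the names of staged patches that modify PATH, e.g. to check whether
# a file that another plugin replaces is about to be patched.
patches_touching() {
    list_staged_patches "$1" |
        awk -v t="$2" '{ for (i = 3; i <= NF; i++) if ($i == t) print $2 }'
}

# Stand-alone use: ./script.sh 6.12.10
if [ $# -gt 0 ]; then
    list_staged_patches "$1"
fi
```

Recording the hashes from one run and comparing them on the next shows whether a staged patch file changed between notification and reboot.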
January 24, 2025
> On 1/23/2025 at 10:16 AM, Sn3akyP3t3 said:
> Why is this plugin being called out as an Error from the FixProblems plugin? I don't believe it belongs in the category of Error. Should be downgraded to Warning.

Agreed...Or even just a notice. It kind of freaked me out when I upgraded to 6.12.15 and got an "Error Notice" sent to me.
I am not 100% sure I want something auto pushed to me for an update seeing it can open up a door as mentioned. Not that you have not done all you can to secure the process...Kudos for making it as I can see how it could be important especially for a major security thing. And I like patches vs complete new versions when it calls for it.
But for these patches, even notices are useable suggesting an update vs doing an auto push. And yes, I get it that it will not kick in until reboot...So if that is the case, it could be a notice to install and reboot and not just auto downloaded. Just in case I reboot for some reason, and I did not want the patch, the patch would be applied if I had forgotten it was downloaded. I know I can go in and remove the patch, but it would then just auto download again, I think.
Oh, as I was typing a new post came in... "To remove the patches and get back to stock, uninstall the plugin and reboot." ... But then I will get an ERROR Notice again.
Thank you.
Edited January 24, 2025 by David Bott

January 24, 2025, Author
Yes this is a net new process and we needed to get it out. We're working on tweaks to give users more control. We can work on the FCP message.
To clarify, today if you are on a version that has a patch available (6.10.0-6.12.13) you need to visit Tools > Unraid Patch to install the patch without rebooting. There are currently no patches for 6.12.14+ or 7.0.0+ but we do recommend having the plugin installed as mentioned above.

January 24, 2025
> 14 minutes ago, David Bott said:
> ERROR Notice

It can be ignored in FCP if that's what you decide

January 24, 2025
> On 1/23/2025 at 5:20 PM, Squid said:
> Patches are installed after you're notified about them (or manually check for them)
> - When you reboot your server
> - If in the GUI you manually install them.

This is an extremely bad security practice, allowing a plugin to automatically modify my server without my intervention or approval. What if the plugin is compromised?
The installation of patches should require human intervention to accept.
Does this plugin do hot patching? Or is it always going to require a reboot?
Does this sound familiar??

> Vulnerability 4: Community Applications Repository Takeover
>
> Description
> GitHub repositories used by the Community Applications app feed could be transferred to another owner, opening the possibility of hijacking the application templates.
>
> Details
> Type: Improper Access Control
> Impact: Code Execution
> Attack Vector: Requires an attacker to transfer a GitHub repository associated with a Community Application, which could then be used to submit malicious templates to the feed.
> Affected Versions: Application feed prior to 11/12/2024
> Resolution: Policies were hardened around renaming repositories. Updates to the Community Application Feed backend deployed on 11/12/2024 resolved this issue.
>
> Acknowledgments
> George Hamilton
>
> Mitigation
> The Community Applications app feed now detects repository transfers and blocks for manual review. No action needed by users, although we recommend upgrading to the latest Community Applications plugin.

Edited January 24, 2025 by L0rdRaiden

January 24, 2025, Author
Please see my previous posts, we're working on tweaks to give users more control.

January 25, 2025
> 9 hours ago, ljm42 said:
> Please see my previous posts, we're working on tweaks to give users more control.

May I suggest updating the top comment to clarify this from the beginning? I believe a lot of people like myself and others already will be coming here with this question, and they shouldn't have to read two pages of comments for this answer.

January 25, 2025
I'm on 6.12.10 right now, and I installed the plugin and installed the patch a few days ago. Overnight last night I got a notification of a critical update, this morning I went in and checked and it said I already had it installed.

Notification:
    Critical Update: 26-01-2025 04:30 AM
    Critical Update Available
    Critical Updates Are Available For Your Unraid Server

Tool:
    No new patches found!
    The following patches are already installed and will be reinstalled automatically when your server boots
    1.0.0
    Notes
    This patch fixes a subset of known security issues. For more information see this blog post.
    Bug Fixes
    Fix Reflected XSS issues in 6.12.10

Interestingly syslog even identifies that it was already installed:
    Jan 26 04:30:01 unraid root: Checking for patches for OS version 6.12.10
    Jan 26 04:30:02 unraid root: Skipping 20250118234703-pr243.patch-- Already installed

January 26, 2025
Going to ignore this "error" in FCP for now. I'm on 6.12.15 at the moment, which mitigates the known vulnerabilities from what I've read. This "patch" process seems way too "knee jerk" for me so I'm going to sit back and monitor, which falls in line with what I do regarding new releases and such (i.e. I'm not an early/first day adopter).
Thanks for the efforts, nonetheless. As this matures, I will likely embrace it.

January 26, 2025
Side note: the Licence URL associated with this plugin opens a totally not Unraid related repository: https://github.com/maubot/maubot/blob/master/LICENSE

January 26, 2025
> On 1/22/2025 at 11:55 PM, ljm42 said:
> The source for the plugin itself is available here: https://github.com/unraid/unraid.patch
> The patches that it installs can be found on your flash drive in /boot/config/plugins/unraid.patch/[version]

Another side note: as this GitHub repository is used to deploy fix(es) on a live server, it could be nice to have signature verification enabled on your commits to avoid future issues. I see you do it (not all the time) on other Unraid repositories so it should be feasible without too much headache on your side.
And I'm all for an alert before application of the patch so I can review the potential impact on my setup and decide if it's relevant or can be delayed for a patch day.

January 26, 2025
> 48 minutes ago, JeanR said:
> Side note: the Licence url associated to this plugin open a totally not Unraid related repository: https://github.com/maubot/maubot/blob/master/LICENSE

It's just a link to a licence wording.

January 26, 2025
> 19 hours ago, warpspeed said:
> I'm on 6.12.10 right now, and I installed the plugin and installed the patch a few days ago. Overnight last night I got a notification of a critical update, this morning I went in and checked and it said I already had it installed.

Thanks for finding. An update to the plugin will be released later today

January 26, 2025
The just released update (2025.01.26) should fix the spurious background check returning on occasion a false positive notification

January 29, 2025
    patching file sbin/mover
    Hunk #1 FAILED at 72.
    1 out of 1 hunk FAILED -- saving rejects to file sbin/mover.rej
    Failed to install patch 20250128204439-pr271.patch
    Aborting

I get this error when installing the latest patches for 7.0. I'm 99% sure it's because I use the mover fine tuning plugin. It seems like the other patches worked, so I will ignore.