Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

OpenSSL heartbleed Vulnerability

Featured Replies

Hey,  so I've checked the version currently used in Unraid 6 beta 3 and it's OpenSSL 1.0.1e which is affected by the bug announced yesterday. The next beta should be updated to OpenSSL 1.0.1g or anything in the 0.9.8 or 1.0.0 branches to prevent any hackers from gaining full access to your ram. 

 

This is especially bad in this case since the entire OS is stored in ram and the bug gives the attacker full access to everything in RAM.

 

Affected versions of OpenSSL are 1.0.1 to 1.0.1f (g is not affected nor are the other branches lower than 1.0.1)

This is especially bad in this case since the entire OS is stored in ram and the bug gives the attacker full access to everything in RAM.

 

This isn't true at all. They get a specific 64k segment which may or may not contain 'useful' data.

 

openssl in unraid may be vulnerable but if there is nothing in unraid built against it or actually using it for outward facing services then there should be no exposure.

 

I don't think emhttp runs over https so for 'stock' unraid does anything actually use it?

 

Third party plugins would be a completely seperate conversation.

 

And of course the overriding point is that the usual advice here is not to expose unraid to the internet. I personally don't have a problem with doing so but certainly 'out of the box' it wouldn't be a good idea.

 

Overall I suspect your vlnerability, for a standard unraid install, would be extremely low.

 

Currently, especially if your webGUI is password protected, there is a high chance that someone on your network could very easily gain access to your unRAID server. You transmit your password essentially in plain text over your network at the moment, which is something SSL is designed to prevent.

 

Even with the vulnerability, you'd still be safer now with OpenSSL than without.

 

If you're on a home network, it's not really worth worrying about... the risk is relatively low. If you're running unRAID in a corporate environment, you'd better be sure it's segregated from primary networks if you're even slightly worried about the contents of your server.

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.