Unraid OS version 6.8.2 available

limetech

By limetech
in Announcements

Recommended Posts

limetech Veteran

limetech

Posted
Posted

Due to a security vulnerability discovered in forms-based authentication:

 

ALL USERS ARE STRONGLY ENCOURAGED TO UPGRADE

 

To upgrade:

  • If you are running any 6.4 or later release, click 'Check for Updates' on the Tools/Update OS page.
  • If you are running a pre-6.4 release, click 'Check for Updates' on the Plugins page.
  • If the above doesn't work, navigate to Plugins/Install Plugin, select/copy/paste this plugin URL and click Install: 
    https://s3.amazonaws.com/dnld.lime-technology.com/stable/unRAIDServer.plg

     

Refer also to @ljm42 excellent 6.4 Update Notes which are helpful especially if you are upgrading from a pre-6.4 release.

 

Bugs: If you discover a bug or other issue in this release, please open a Stable Releases Bug Report.

 

Overfiew

 

This is a bug fix and security update release.

 

  • Some users are reporting problems booting due to a crash in the in-tree Intel IGB ethernet driver.  We replaced the in-tree driver with latest out-of-tree driver.
  • We fixed a longstanding issue where LibreELEC/Kodi could not browse NFS shares.  The fix was to rebuild the rpcbind program, including a new option: --enable-rmtcalls
  • Version 6.8.1 included a new docker option "Host access to custom networks" (thanks @bonienl) but I left out a critical change in the rc.docker script, sorry about that, now fixed.
  • Fixed an encryption issue: if you first tried 'keyfile' method to specify encryption key, and that fails, any attempt to enter a passphrase would also fail, since a keyfile still exists, emhttpd used that as encryption key.  This is fixed in webGUI by detecting presence of an encryption keyfile and offering only to re-download a new keyfile or delete the current one.  Once deleted, you can then enter a passphrase.
  • Small change to properly support custom SSL wildcard certs (thanks @ljm42)
  • Updated kernel, wireguard, other base packages
  • Numerous webGUI fixes and refinements (thanks @bonienl, @Squid, @gfjardim)

 

A note regarding encryption passphrases:  There is a warning in the Help text for passphrase which reads:

Quote

It is highly advisable to only use the 95 printable characters from the first 128 characters of the ASCII table, as they will always have the same binary representation. Other characters may have different encoding depending on system configuration and your passphrase will not work with a different encoding. If you want a longer passphrase or to include binary data, upload a keyfile instead.

Prior to this release (6.8.2) we did not enforce this restriction, but now we are.  Unfortunately this means for those who have previously used a passphrase including other characters, you will need to use the "keyfile" method.  We will add a feature in a future release that will let you change your passphrase/keyfile.

 

Version 6.8.2 2020-01-26 Changes vs. 6.8.1

Base distro:

  • fuse3: version 3.9.0
  • php: version 7.3.14 (CVE-2020-7060, CVE-2020-7059)
  • rpcbind: version 1.2.5 (rebuilt with --enable-rmtcalls option)
  • ttyd: version 20200120
  • wireguard-tools: version 1.0.20200121

Linux kernel:

  • version 4.19.98 (CVE-2019-14615)
  • CONFIG_ENIC: Cisco VIC Ethernet NIC Support
  • removed: CONFIG_IGB: Intel(R) 82575/82576 PCI-Express Gigabit Ethernet support
  • removed: CONFIG_IGBVF: Intel(R) 82576 Virtual Function Ethernet support
  • kernel-firmware: version 20200122_1eb2408
  • oot: Intel igb: version 5.3.5.42
  • oot: wireguard: version 0.0.20200121

Management:

  • rc.docker: include missing changes to suppoort new setting "Host access to custom networks"
  • rc.nginx: support custom wildcard SSL certs
  • webgui: User password: hide base64 conversion
  • webgui: Select username field when login page is loaded
  • webgui: login: autocapitalize="none"
  • webgui: Passphrase printable charcaters only
  • webgui: Encryption: enforced keyfile selection/deletion when file exists
  • webgui: Use php json_encode to properly encode notifications
  • webgui: Changed Delete keyfile button placement
  • webgui: Detect missing key when keyfile is deleted
  • webgui: Add Network:VPN as an application category
  • webgui: further hardening in auth_request.php
  • webgui: Style adjustment: buttons min-width
  • webgui: login page favicon now matches the green/yellow/red icon from the other webgui pages
  • webgui: VM Manager: add 'virtio-win-0.1.173-2' to VirtIO-ISOs list
  • webgui: Add Network:VPN as an application category
  • webgui: Network settings: updated help text
  • webgui: Fix link for Password Recovery on login screen

 

Version 6.8.1 2020-01-10 Changes vs. 6.8.0

Base distro:

  • libuv: version 1.34.0
  • libvirt: version 5.10.0
  • mozilla-firefox: version 72.0.1 (CVE-2019-17026, CVE-2019-17015, CVE-2019-17016, CVE-2019-17017, CVE-2019-17018, CVE-2019-17019, CVE-2019-17020, CVE-2019-17021, CVE-2019-17022, CVE-2019-17023, CVE-2019-17024, CVE-2019-17025)
  • php: version 7.3.13 (CVE-2019-11044 CVE-2019-11045 CVE-2019-11046 CVE-2019-11047 CVE-2019-11049 CVE-2019-11050)
  • qemu: version 4.2.0
  • samba: version 4.11.4
  • ttyd: version 20200102
  • wireguard-tools: version 1.0.20200102

Linux kernel:

  • version 4.19.94
  • kernel_firmware: version 20191218_c4586ff (with additional Intel BT firmware)
  • CONFIG_THUNDERBOLT: Thunderbolt support
  • CONFIG_INTEL_WMI_THUNDERBOLT: Intel WMI thunderbolt force power driver
  • CONFIG_THUNDERBOLT_NET: Networking over Thunderbolt cable
  • oot: Highpoint rr3740a: version v1.19.0_19_04_04
  • oot: Highpoint r750: version v1.2.11-18_06_26 [restored]
  • oot: wireguard: version 0.0.20200105

Management:

  • add cache-busting params for noVNC url assets
  • emhttpd: fix cryptsetup passphrase input
  • network: disable IPv6 for an interface when its settings is "IPv4 only".
  • webgui: Management page: fixed typos in help text
  • webgui: VM settings: fixed Apply button sometimes not working
  • webgui: Dashboard: display CPU load full width when no HT
  • webgui: Docker: show 'up-to-date' when status is unknown
  • webgui: Fixed: handle race condition when updating share access rights in Edit User
  • webgui: Docker: allow to set container port for custom bridge networks
  • webgui: Better support for custom themes (not perfect yet)
  • webgui: Dashboard: adjusted table positioning
  • webgui: Add user name and user description verification
  • webgui: Edit User: fix share access assignments
  • webgui: Management page: remove UPnP conditional setting
  • webgui: Escape shell arg when logging csrf mismatch
  • webgui: Terminal button: give unsupported warning when Edge/MSIE is used
  • webgui: Patched vulnerability in auth_request
  • webgui: Docker: added new setting "Host access to custom networks"
  • webgui: Patched vulnerability in template.php

 

  • Like 6
  • Thanks 4
Link to comment
  • Replies 109
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

limetech
limetech

Due to a security vulnerability discovered in forms-based authentication:   ALL USERS ARE STRONGLY ENCOURAGED TO UPGRADE   To upgrade: If you are running any 6.4 or later r

SpencerJ
SpencerJ

FYI: We've released a security tips and best practices blog alongside this release. TIA for reading!

wirenut
wirenut

remotely connected using wireguard, from my phone upgraded 6.8.1 to 6.8.2 without error. thank you unraid team!

Posted Images

bastl Collaborator

bastl

Posted
Posted

Update from 6.8.1 went fine so far. What I've noticed a remote SMB share on a Synology NAS mounted by Unassigned Devices stopped working. 

Jan 27 09:54:27 UNRAID kernel: CIFS VFS: Send error in SessSetup = -13
Jan 27 09:54:27 UNRAID kernel: CIFS VFS: cifs_mount failed w/return code = -13
Jan 27 09:54:27 UNRAID unassigned.devices: Mount of '//DSM/UNRAID' failed. Error message: 'mount error(13): Permission denied Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg) '.

Nothing changed. I removed a readded the mount and it worked again.

 

Another thing I noticed, the following warnings showing up a couple times for both Intel nics. Not sure what an impact this has. Looks like network is working. The warnings showing up a couple times and the "Intel(R) Gigabit Ethernet Linux Driver" is loaded after the warning. 

Jan 27 09:53:34 UNRAID kernel: igb 0000:04:00.0 eth0: mixed HW and IP checksum settings.
Jan 27 09:53:34 UNRAID kernel: igb 0000:06:00.0 eth2: mixed HW and IP checksum settings.
IOMMU group 22:	[1d6a:d107] 03:00.0 Ethernet controller: Aquantia Corp. AQC107 NBase-T/IEEE 802.3bz Ethernet Controller [AQtion] (rev 02)
IOMMU group 23:	[8086:1539] 04:00.0 Ethernet controller: Intel Corporation I211 Gigabit Network Connection (rev 03)
IOMMU group 24:	[8086:24fb] 05:00.0 Network controller: Intel Corporation Dual Band Wireless-AC 3168NGW [Stone Peak] (rev 10)
IOMMU group 25:	[8086:1539] 06:00.0 Ethernet controller: Intel Corporation I211 Gigabit Network Connection (rev 03)

 

And another thing showed up in the logs I never saw before: 

Jan 27 10:05:40 UNRAID inotifywait[7784]: Failed to watch /mnt/disk2; upper limit on inotify watches reached!
Jan 27 10:05:40 UNRAID inotifywait[7784]: Please increase the amount of inotify watches allowed per user via `/proc/sys/fs/inotify/max_user_watches'.

Disk 2 is half filled up and the same type like the other 2 in the array (3tb WDC WDC_WD30EFRX). No real activity currently on the array.

 

 

unraid-diagnostics-20200127-1033.zip

Link to comment
hpka Rookie

hpka

Posted
Posted

6.8.1 to 6.8.2 went just fine for me.

All previous versions since 6.7 have also been fine (and I've only said 6.7 because that's the first version number I can remember after buying a licence, likely some of the later 6.6 ones were also used). Point is I've never had an issue.

  • Thanks 1
Link to comment
ramblinreck47 Explorer

ramblinreck47

Posted
Posted

Went from 6.8.1 to 6.8.2 with relatively little trouble*. As far as I can tell, all is fine.

 

*Only issue was when I started my array and my docker containers had messed up IP's (just ridiculous numbers). A Power Down and then physical restart fixed it though. I've had this issue in the past with upgrades and luckily I now know not to freak out and just manually reset the server. I'm guessing it has something to do with either the server or my router not picking an IP address in time when it Reboots and just assigning one that doesn't exist.

Link to comment
  • limetech unfeatured and unpinned this topic

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing