unRate, posted December 9, 2020 (edited): Unraid is shipping vulnerable packages, some fixed over a year ago. Where are the security updates?
itimpi, posted December 9, 2020: As far as I know Limetech updates any packages when they make new Unraid releases, as long as they are compatible with the underlying Linux kernel version shipping with that Unraid release. What you will not see is security fixes applied retroactively on top of an existing Unraid release. If there are some that you specifically think need updating, it might be worth mentioning them.
NAS, posted December 14, 2020: @unRate can you post a few representative examples to set context? Nothing should be "fixed over a year ago", but 280-290 days is unfortunately possible.
Zorlofe, posted December 14, 2020: Honestly, that is a little concerning.
ezhik, posted December 15, 2020 (edited): Quoting unRate (12/9/2020): "Unraid is shipping vulnerable packages, some fixed over a year ago. Where are the security updates?" Can you be more specific? What vulnerabilities are you referring to? Vulnerabilities are ranked differently based on the complexity and feasibility of execution and the impact on Confidentiality, Integrity and Availability (aka CIA). And you measure your own risks; @limetech addresses appropriate risks in a timely fashion, as we've seen in the past. I'd like to get more context around this: what are you alluding to, and what risks do you need mitigated?
NAS, posted December 16, 2020: Whilst it is not ideal that the poster did not follow normal security reporting etiquette, it is clear there is an issue and it is of our own making. See versus http://www.slackware.com/security/list.php?l=slackware-security&y=2020 tl;dr we are long overdue an update, but we have slipped into the old habit of waiting for the development branch to be ready and ignoring the stable branch. It is not the end of the world, but it's a habit we need to break again ASAP.
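The comparison NAS points at (what an Unraid release actually ships versus what the Slackware security advisories say is fixed) can be scripted. The following is an added example, not code from the thread or from Limetech: it parses entries in the Slackware package-name convention `name-version-arch-build` (the form used under /var/log/packages) and reports packages whose installed version is below a fixed version. The installed list and the advisory table are constructed sample data, not real advisories.

```python
"""Audit a Slackware-style package list against per-package fixed versions.

Added example (not from the forum thread or from Limetech). Package entries
follow the Slackware convention name-version-arch-build. All data below is
constructed sample input; the advisory table is hypothetical.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: entries as they would appear under /var/log/packages.
INSTALLED = [
    "openssl-1.1.1g-x86_64-1",
    "ca-certificates-20200630-noarch-1",
    "curl-7.70.0-x86_64-1",
    "sudo-1.9.5p2-x86_64-1",
]

# Constructed sample: hypothetical minimum fixed version per package name.
ADVISORIES = {
    "openssl": "1.1.1i",
    "curl": "7.74.0",
    "sudo": "1.9.5p2",
    "ca-certificates": "20201120",
}


def parse_pkg(entry: str) -> Tuple[str, str, str, str]:
    """Split name-version-arch-build. rsplit from the right, because the
    package name itself may contain hyphens (e.g. ca-certificates)."""
    name, version, arch, build = entry.rsplit("-", 3)
    return name, version, arch, build


def version_key(v: str) -> List[Tuple[int, str]]:
    """Tokenise a version into (number, letters) pairs so that 1.1.1g < 1.1.1i
    and 7.70.0 < 7.74.0 compare correctly. Good enough for the common forms
    seen here; it is not a full Slackware version ordering."""
    return [(int(num), suffix) for num, suffix in re.findall(r"(\d+)([a-z]*)", v)]


def outdated(installed: List[str], advisories: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {name: (installed_version, fixed_version)} for every installed
    package that is older than the advisory's fixed version."""
    result: Dict[str, Tuple[str, str]] = {}
    for entry in installed:
        name, version, _arch, _build = parse_pkg(entry)
        fixed = advisories.get(name)
        if fixed is not None and version_key(version) < version_key(fixed):
            result[name] = (version, fixed)
    return result


if __name__ == "__main__":
    for name, (have, need) in outdated(INSTALLED, ADVISORIES).items():
        print(f"{name}: installed {have}, fixed in {need}")
```

On a real system the installed list would come from listing /var/log/packages and the fixed versions from the advisory feed; the matching logic stays the same.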
unRate (author), posted December 28, 2020 (edited): Quoting NAS (12/16/2020): "Whilst it is not ideal that the poster did not follow normal security reporting etiquette, it is clear there is an issue and it is of our own making." To be honest I find it kind of insulting that you insinuate that I'm in the wrong. Had I been reporting an unknown exploit like this in the open, I would have understood your response. But the CVEs I'm talking about are by their nature public knowledge... And some have been for over a year! Now we can agree that it certainly doesn't look good that I have to remind you of security updates... But that is entirely different from leaking exploits in a public forum, and could have been avoided by staying on top of very basic security. Your link to your release methodology and excuses of bad habits don't help secure your customers' Unraid boxes. I'm disappointed in Limetech's mentality towards security in general. With this incident on top of the nonchalant attitude and implementation of security, it's definitely time to find another solution for my server.
limetech, posted December 28, 2020: Quoting unRate: "To be honest I find it kind of insulting that you insinuate that I'm in the wrong. Had I been reporting an unknown exploit like this in the open, I would have understood your response. But the CVEs I'm talking about are by their nature public knowledge... And some have been for over a year!" Knowing @NAS, I'm pretty sure he was not trying to be insulting. He has taken us to task lots of times over security. The latest 6.9 release series is updated regularly, and a known ssl update is staged for the next 6.9 release. Yes, it's marked "rc", but this is because we're still working on documentation and a few bugs; it is safe to use. We will be changing our release methodology once 6.9 so-called 'stable' is published.
trurl, posted December 28, 2020: Quoting unRate: "Your link to your release methodology". Just so there isn't some confusion about who is who: @NAS is not an employee and neither am I. Moderators are just fellow Unraid users like yourself. Perhaps your whole response to NAS is based on an incorrect assumption. The way I read his post, he was agreeing with you, not insulting you.
NAS, posted December 30, 2020: I was indeed agreeing. Just for clarity, the normal security reporting methodology is to start with private contact. Normally this is for unpublished vulnerabilities, but it holds equally true for published ones where the vendor may just not have noticed, or has noticed and something has gone wrong and they wrongly assume fixes are in place. It is VERY common for vendors to patch and release but not pen test the actual release after. After a reasonable period of time, if unresolved, you can and should then post publicly so that users who are vulnerable have the maximum chance to hear about it and make an informed decision on what the risk is to them and how to handle it. I don't think it would be unfair to say no one in the history of this project has prodded more about security than me. I am not and never have been an employee of Limetech LLC and have never received any monetary or gift rewards other than a single license for testing.
kizer, posted January 12, 2021: Over the years I've seen countless security suggestions/items brought up by @NAS, and honestly half the time I don't even understand what he is talking about. I'd easily say he's the biggest champion for security around here. Not that we all aren't, but he's always all over it, and the discussions he has brought forward have been pretty lengthy in his findings. Honestly, if any member sees a problem with security on the system, I'd highly recommend reaching out to an Admin/Moderator immediately so we can push it up and have it reviewed/addressed. If you feel you're not being heard, then hit up the forum with the issue like you did. We want your data safe as well as our own.
tryptophanatic_turkey, posted March 6, 2022: Hi, new user here. I'm still in the evaluation stage, but really like this product. However, I came across this discussion after trying to figure out why the latest release is from last April, and am slowly realizing there's no obvious (to me) security patching happening. Is it actually true that the evaluation version I'm running hasn't been patched in almost a year? I asked my friend who got me onto Unraid and he's not sure either.
Squid, posted March 6, 2022: The latest release is 6.10-rc2, which was released on November 1. RC3 is just around the corner, with a stable to shortly follow. Unraid does receive regular security updates as the versions are released, but only in the case of very severe issues would a patch release be issued for a previously released version.