Why isn't Unraid receiving security updates regularly?


unRate


As far as I know Limetech updates any packages when they make new Unraid releases, as long as they are compatible with the underlying Linux kernel version shipping with that Unraid release.  What you will not see is security fixes applied retroactively on top of an existing Unraid release.   If there are some that you specifically think need updating it might be worth mentioning them.

On 12/9/2020 at 2:52 PM, unRate said:

Unraid is shipping vulnerable packages, some fixed over a year ago. Where's the security updates?

Can you be more specific? What vulnerabilities are you referring to?

 

Vulnerabilities are ranked differently based on the complexity, feasibility of the execution and impact on Confidentiality, Integrity and Availability (aka CIA). And you measure your own risks; @limetech addresses appropriate risks in a timely fashion, as we've seen in the past. I'd like to get more context around this: what are you alluding to and what risks do you need mitigated?

Edited by ezhik
  • Like 2

Whilst it is not ideal that the poster did not follow normal security reporting etiquette, it is clear there is an issue and it is of our own making.

 

See

 

versus

 

http://www.slackware.com/security/list.php?l=slackware-security&y=2020

 

tl;dr we are long overdue an update but we have slipped into the old habit of waiting for the development branch to be ready and ignoring the stable branch.

 

It is not the end of the world but it's a habit we need to break again ASAP.

  • Like 3
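The comparison NAS points at above (the package set of an Unraid release against the Slackware security list) can be done mechanically rather than by eye. The script below is an added example written for this page; it is not code from the thread, from Limetech or from Slackware. It assumes only that installed packages appear as file names in the Slackware layout name-version-arch-build under /var/log/packages (which is how Unraid's Slackware-based OS layer records them) and that advisory package names follow the same layout with a .txz extension. The package names and version numbers in it are constructed sample data, not transcribed from any Unraid release or Slackware advisory.

```python
"""Flag installed Slackware-style packages that are older than a security
advisory.  Added example (not Unraid or Slackware code); assumes the
name-version-arch-build[.txz] layout used by /var/log/packages file names."""
import re
import sys
from typing import Dict, List, Tuple

# The name part may itself contain hyphens ("openssl-solibs"), so the name
# is greedy and version/arch/build are peeled off the right-hand end.
_PKG_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<arch>[^-]+)-(?P<build>[^-]+)$")


def parse_pkg(pkgname: str) -> Tuple[str, str, str, str]:
    """Split 'openssl-solibs-1.1.1g-x86_64-1_slack14.2.txz' into its four fields."""
    base = pkgname.strip()
    for ext in (".txz", ".tgz", ".tbz", ".tlz"):
        if base.endswith(ext):
            base = base[: -len(ext)]
            break
    m = _PKG_RE.match(base)
    if not m:
        raise ValueError(f"not a Slackware package name: {pkgname!r}")
    return m.group("name"), m.group("version"), m.group("arch"), m.group("build")


def version_key(version: str) -> tuple:
    """Sortable key for upstream versions such as 1.1.1g, 7.74.0 or 1.9.5p2.

    Numeric runs compare as integers, letter runs lexically, and an equal
    prefix with extra trailing tokens sorts later (1.1.1g > 1.1.1).
    Pre-release markers (rc1, beta) are not special-cased.
    """
    key = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        key.append((1, int(tok), "") if tok.isdigit() else (0, 0, tok.lower()))
    return tuple(key)


def build_number(build: str) -> int:
    """Leading integer of the build field: '1' and '1_slack14.2' both give 1."""
    m = re.match(r"\d+", build)
    return int(m.group()) if m else 0


def release_key(version: str, build: str) -> tuple:
    # A rebuild with the same upstream version but a higher build number
    # (a backported fix) still counts as newer than what is installed.
    return (version_key(version), build_number(build))


def find_outdated(installed: List[str], advisories: List[str]) -> Dict[str, Tuple[str, str]]:
    """Return {name: (installed version-build, advisory version-build)} for each
    installed package older than the newest advisory naming it.  Advisories for
    packages that are not installed are ignored; arch is not compared."""
    have: Dict[str, Tuple[str, str]] = {}
    for p in installed:
        name, ver, _arch, build = parse_pkg(p)
        have[name] = (ver, build)

    newest: Dict[str, Tuple[str, str]] = {}   # newest advisory per package name
    for a in advisories:
        name, ver, _arch, build = parse_pkg(a)
        if name not in newest or release_key(*newest[name]) < release_key(ver, build):
            newest[name] = (ver, build)

    outdated: Dict[str, Tuple[str, str]] = {}
    for name, (adv_ver, adv_build) in newest.items():
        if name in have and release_key(*have[name]) < release_key(adv_ver, adv_build):
            cur_ver, cur_build = have[name]
            outdated[name] = (f"{cur_ver}-{cur_build}", f"{adv_ver}-{adv_build}")
    return outdated


# Constructed sample data in the shape of `ls /var/log/packages` on an Unraid
# box and of package names from slackware-security advisories.  The versions
# are illustrative and not transcribed from any release or advisory.
INSTALLED = [
    "openssl-1.1.1g-x86_64-1",
    "openssl-solibs-1.1.1g-x86_64-1",
    "curl-7.71.1-x86_64-1",
    "bash-5.0.017-x86_64-1",
    "sudo-1.9.3-x86_64-1",
]
ADVISORIES = [
    "openssl-1.1.1i-x86_64-1_slack14.2.txz",
    "openssl-solibs-1.1.1i-x86_64-1_slack14.2.txz",
    "curl-7.74.0-x86_64-1_slack14.2.txz",
    "bash-5.0.017-x86_64-1_slack14.2.txz",   # same version and build: not flagged
    "sudo-1.9.5p2-x86_64-1_slack14.2.txz",
    "bind-9.16.10-x86_64-1_slack14.2.txz",   # not installed: ignored
]


def main() -> None:
    # Usage: python3 check_pkgs.py installed.txt advisories.txt, where the first
    # file is the output of `ls /var/log/packages` (copy it off the box if it has
    # no Python) and the second holds one advisory package name per line.
    # With no arguments the constructed sample above is checked.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            installed = f.read().split()
        with open(sys.argv[2]) as f:
            advisories = f.read().split()
    else:
        installed, advisories = INSTALLED, ADVISORIES
    for name, (cur, adv) in sorted(find_outdated(installed, advisories).items()):
        print(f"{name}: installed {cur}, advisory {adv}")


if __name__ == "__main__":
    main()
```

On the sample data this flags openssl, openssl-solibs, curl and sudo and stays quiet about bash (same version and build) and bind (not installed). The version comparison is deliberately simple; it is meant to give a quick "what on this box is older than a published advisory" list, not to replace reading the advisories themselves.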
  • 2 weeks later...
On 12/16/2020 at 4:22 PM, NAS said:

Whilst it is not ideal that the poster did not follow normal security reporting etiquette it is clear there is an issue and it is off our own making.

To be honest I find it kind of insulting that you insinuate that I'm in the wrong. Had I been reporting an unknown exploit like this in the open I would have understood your response. But the CVEs I'm talking about are by their nature public knowledge... And some have been for over a year!

 

Now we can agree that it certainly doesn't look good that I have to remind you of security updates... But that is entirely different from leaking exploits in a public forum, and could have been avoided by staying on top of very basic security.

 

Your link to your release methodology and excuses of bad habits doesn't help secure your customers' Unraid boxes. I'm disappointed in Limetech's mentality towards security in general. With this incident on top of the nonchalant attitude and implementation of security, it's definitely time to find another solution for my server.

 

Edited by unRate
55 minutes ago, unRate said:

To be honest I find it kind of insulting, that you insinuate than I'm in the wrong. Had I been reporting an unknown exploit like this in the open I would have understood your response. But the CVEs I'm talking about are by their nature public knowledge... And some has been for over a year!

Knowing @NAS, I'm pretty sure he's not trying to be insulting.  He has taken us to task lots of times over security.  The latest 6.9 release series is updated regularly, and a known SSL update is staged for the next 6.9 release.  Yes, it's marked "rc", but this is because we're still working on documentation and a few bugs; it is safe to use.  We will be changing our release methodology once 6.9 so-called 'stable' is published.

 

  • Like 1
1 hour ago, unRate said:

Your link to your Release methodology

Just so there isn't some confusion about who is who. @NAS is not an employee and neither am I. Moderators are just fellow Unraid users like yourself. Perhaps your whole response to NAS is based on an incorrect assumption. The way I read his post he was agreeing with you, not insulting you.

  • Like 3

I was indeed agreeing.

 

Just for clarity, the normal security reporting methodology is to start with private contact. Normally this is for unpublished vulnerabilities, but it holds equally true for published ones where the vendor may just not have noticed, or has noticed and something has gone wrong and they wrongly assume fixes are in place. It is VERY common for vendors to patch, release, but not pen test the actual release after.

 

After a reasonable period of time, if unresolved, you can and should then post publicly so that users who are vulnerable have the maximum chance to hear about it and make an informed decision on what the risk is to them and how to handle it.

 

I don't think it would be unfair to say no one in the history of this project has prodded more about security than me.

 

I am not and never have been an employee of Limetech LLC and have never received any monetary or gift rewards other than a single license for testing.

  • Like 1
  • 2 weeks later...

Over the years I've seen countless security suggestions/items brought up by @NAS and honestly half the time I don't even understand what he is talking about.  I'd easily say he's the biggest champion for security around here. Not that we all aren't, but he's always all over it, and the discussions he has brought forward have been pretty lengthy in his findings.

 

Honestly, if any member sees a problem with security on the system I'd highly recommend reaching out to an Admin/Moderator immediately so we can push it up and have it reviewed/addressed. If you feel you're not being heard then hit up the forum with the issue like you did. We want your data safe as well as our own.

 

  • 1 year later...

Hi, new user here. I'm still in the evaluation stage, but really like this product. However, I came across this discussion after trying to figure out why the latest release is from last April, and am slowly realizing there's no obvious (to me) security patching happening.

 

Is it actually true that the evaluation version I'm running hasn't been patched in almost a year? I asked my friend who got me onto Unraid and he's not sure either.


The latest release is 6.10-rc2 which was released on November 1.  RC3 is just around the corner with a stable to shortly follow

 

Unraid does receive regular security updates as the versions are released, but only in the case of very severe issues would a patch release be issued for a previously released version.

