Why isn't Unraid receiving security updates regularly?


unRate

11 posts in this topic

As far as I know Limetech updates any packages when they make new Unraid releases, as long as they are compatible with the underlying Linux kernel version shipping with that Unraid release. What you will not see is security fixes applied retroactively on top of an existing Unraid release. If there are some that you specifically think need updating it might be worth mentioning them.

On 12/9/2020 at 2:52 PM, unRate said:

Unraid is shipping vulnerable packages, some fixed over a year ago. Where's the security updates?

Can you be more specific? What vulnerabilities are you referring to?

 

Vulnerabilities are ranked differently based on the complexity, feasibility of the execution and impact on Confidentiality, Integrity and Availability (aka CIA). And you measure your own risks; @limetech addresses appropriate risks in a timely fashion as we've seen in the past. I'd like to get more context around this: what are you alluding to and what risks do you need mitigated?


Whilst it is not ideal that the poster did not follow normal security reporting etiquette, it is clear there is an issue and it is of our own making.

 

See

 

versus

 

http://www.slackware.com/security/list.php?l=slackware-security&y=2020

 

tl;dr we are long overdue an update but we have slipped into the old habit of waiting for the development branch to be ready and ignoring the stable branch.

 

It is not the end of the world but it's a habit we need to break again ASAP.
  • 2 weeks later...
On 12/16/2020 at 4:22 PM, NAS said:

Whilst it is not ideal that the poster did not follow normal security reporting etiquette, it is clear there is an issue and it is of our own making.

To be honest I find it kind of insulting that you insinuate that I'm in the wrong. Had I been reporting an unknown exploit like this in the open I would have understood your response. But the CVEs I'm talking about are by their nature public knowledge... And some have been for over a year!

 

Now we can agree that it certainly doesn't look good that I have to remind you of security updates... But that is entirely different from leaking exploits in a public forum, and could have been avoided by staying on top of very basic security.

 

Your link to your release methodology and excuses of bad habits doesn't help secure your customers' Unraid boxes. I'm disappointed in Limetech's mentality towards security in general. With this incident on top of the nonchalant attitude and implementation of security, it's definitely time to find another solution for my server.

 

55 minutes ago, unRate said:

To be honest I find it kind of insulting that you insinuate that I'm in the wrong. Had I been reporting an unknown exploit like this in the open I would have understood your response. But the CVEs I'm talking about are by their nature public knowledge... And some have been for over a year!

Knowing @NAS, I'm pretty sure he's not trying to be insulting. He has taken us to task lots of times over security. The latest 6.9 release series is updated regularly, and a known ssl update is staged for the next 6.9 release. Yes, it's marked "rc", but this is because we're still working on documentation and a few bugs; it is safe to use. We will be changing our release methodology once 6.9 so-called 'stable' is published.

 

1 hour ago, unRate said:

Your link to your Release methodology

Just so there isn't some confusion about who is who. @NAS is not an employee and neither am I. Moderators are just fellow Unraid users like yourself. Perhaps your whole response to NAS is based on an incorrect assumption. The way I read his post he was agreeing with you, not insulting you.


I was indeed agreeing.

 

Just for clarity, the normal security reporting methodology is to start with private contact. Normally this is for unpublished vulnerabilities, but it holds equally true for published ones where the vendor may just not have noticed, or has noticed and something has gone wrong and they wrongly assume fixes are in place. It is VERY common for vendors to patch and release but not pen test the actual release after.

 

After a reasonable period of time, if unresolved, you can and should then post publicly so that users who are vulnerable have the maximum chance to hear about it and make an informed decision on what the risk is to them and how to handle it.

 

I don't think it would be unfair to say no one in the history of this project has prodded more about security than me.

 

I am not and never have been an employee of Limetech LLC and have never received any monetary or gift rewards other than a single license for testing.
  • 2 weeks later...

Over the years I've seen countless security suggestions/items brought up by @NAS and honestly half the time I don't even understand what he is talking about. I'd easily say he's the biggest champion for security around here. Not that we all aren't, but he's always all over it and the discussions he has brought forward have been pretty lengthy in his findings.

 

Honestly, if any member sees a problem with security on the system I'd highly recommend reaching out to an Admin/Moderator immediately so we can push it up and have it reviewed/addressed. If you feel you're not being heard then hit up the forum with the issue like you did. We want your data safe as well as our own.

 
