XPEnology Community

Heartbleed vulnerability


Mentat


Maybe we could ask the admins to create a sticky "News, Updates and Security" thread which members can subscribe to if they want to stay informed.

 

If posting in the thread is restricted to admin posts only it would keep things tidy and important info would be easier to keep tabs on.

Link to comment

Since the earlier vulnerabilities were detected I am only opening a port for VPN to access Xpenology.

OpenVPN is more secure but of course more difficult to set up, and for some devices (iOS) you may require a paid app.

 

Have you investigated whether this is a false positive?

Link to comment

Or a DSM installable version of something like NeoRouter Pro/Free for VPN. :idea:

Link to comment

But we have the latest 4.3...

 

Is this working?

 

#MAKE SURE YOU HAVE:
# Installed Bootstrap, which mounted the optware dir (i.e. "ln -s /volume1/@optware /opt ") 
#                      and in the /root/.profile file, appended PATH with ":/opt/bin:/opt/sbin"
# Installed required packages: "ipkg update && ipkg install gcc && ipkg install make"
#
#THEN PERFORM:
##################
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar zxvf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config
touch /opt/lib/gcc/powerpc-linux-gnuspe/3.4.6/include/syslimits.h
make install

Link to comment

I do not get it...

 

I read that:

OpenSSL versions 1.0.1 through 1.0.1f (inclusive) are vulnerable to this attack.

 

On my Synology, using ssh, I've run:

Synology2> openssl

OpenSSL> version

OpenSSL 0.9.8v 19 Apr 2012

 

It should not be vulnerable!

Link to comment
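An added example, not part of any post in this thread: the `openssl version` check in the post above reports only the binary on the PATH, while a service may load a different libssl/libcrypto copy. The script below classifies version banners against the range quoted in the thread and reads the banner embedded in each library file it finds. The function names, verdict labels and example directories are this example's own, and it assumes `find`, `sed` and a `grep` that supports `-a -o` are available on the box.

```shell
#!/bin/sh
# Added example. Range taken from the thread: OpenSSL 1.0.1 through 1.0.1f
# (inclusive) are vulnerable. Function names and verdict labels are made up here.

# Print a verdict for one banner such as "OpenSSL 0.9.8v 19 Apr 2012".
classify_openssl_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f])     echo vulnerable ;;
        ''|*-*)               echo unknown ;;      # no banner, or a pre-release tag
        [0-9]*.[0-9]*.[0-9]*) echo not-in-range ;;
        *)                    echo unknown ;;
    esac
}

# For every libssl/libcrypto file under the given directories, print
# path, embedded banner and verdict (tab separated).
scan_ssl_libs() {
    find "$@" -type f \( -name 'libssl.so*' -o -name 'libcrypto.so*' \) 2>/dev/null |
    while IFS= read -r lib; do
        # -a: treat the binary as text, -o: print only the matching banner
        banner=$(grep -a -o 'OpenSSL [0-9][0-9.]*[a-z]* [0-9]* [A-Z][a-z]* [0-9]*' "$lib" | head -n 1)
        printf '%s\t%s\t%s\n' "$lib" "${banner:-no banner found}" \
            "$(classify_openssl_version "$banner")"
    done
}

# Usage: sh check.sh /lib /usr/lib /opt/lib   (directories are examples)
if [ "$#" -gt 0 ]; then
    command -v openssl >/dev/null 2>&1 &&
        printf 'CLI\t%s\n' "$(classify_openssl_version "$(openssl version)")"
    scan_ssl_libs "$@"
fi
```

A `not-in-range` verdict only says the banner is outside the range quoted in the thread; it does not account for vendor-patched builds that keep an old version string.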

Ok. I found it

 

https://www.synology.com/en-global/rele ... /RS3413xs+

 

Compatibility and Installation

 

DSM 4.3-3827 Update 2 can only be installed on Synology products running DSM 4.3-3827 via DSM Update. Please log in to DSM, go to Control Panel > DSM Update, click Update Settings and select Important Updates Only to see and install the update.

 

Change Log

 

Fixed a critical security issue of OpenSSL (Heartbleed) to prevent secret keys from being compromised. (CVE-2014-0160)

Fixed an issue causing the homes shared folder to become inaccessible after being moved to another volume.

Fixed an issue allowing the basic information of Synology NAS devices to be obtained outside of the local network without authentication.

Fixed password recovery e-mail to include the correct port number even when launched in Application Portal with customized ports.

Link to comment

I'm not aware of the situation for the version you're currently running.

 

If your system is accessible over the public network I think you should seriously consider updating as your system is vulnerable. You will need Trantor's latest Beta build 4.3-3827; after that you can use the updater to apply the latest minor patches. Alternatively you can go to DSM5x using the gnoboot method.

 

If you're not exposed to outside threats and you're happy with the way things are working for you, then I guess there is no need to update. Having said that, both options offer some improvements over the version you have now.

 

The updates aren't particularly troublesome; obviously it's best to have a backup before you proceed.
