Hello QNAP friends,
With firmware QTS 4.2.1 build 20160601, QNAP fixes various security vulnerabilities for all QNAP NAS devices. Below are all the details on the individual vulnerabilities.
The update is available via the admin page of your NAS under System Settings > Firmware Update!
Regards
Christian
PS: Text adjusted, thanks @Doc HT for the pointer!
Quote:
Security vulnerabilities addressed in QTS 4.2.1 Build 20160601
Release date: June 17, 2016
Last updated: June 17, 2016
Bulletin ID: NAS-201606-17
Severity rating: Medium
Affected products:
- Every QNAP NAS with firmware prior to 4.2.1 Build 20160601
Summary
QTS
- Fixed multiple OpenSSL vulnerabilities (CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176).
- Fixed multiple PHP vulnerabilities. (CVE-2016-4537, CVE-2016-4538, CVE-2016-4542, CVE-2016-4543, CVE-2016-4544, CVE-2016-3074, CVE-2016-4540, CVE-2016-4541, CVE-2016-4539).
- Fixed a GNU C Library vulnerability (CVE-2015-7547).
- Only a limited number of NAS models are affected. We recommend that TS-x31 and TS-x31+ series users update their devices to the latest firmware version.
- Fixed a cross-site scripting (XSS) vulnerability (only firmware versions prior to QTS 4.2.0 are affected).
We would like to express our gratitude to Davide 'Peru' Peruzzi [GoSecure!] for discovering this issue.
- Fixed a cross-site scripting (XSS) vulnerability (CVE-2015-5664) associated with File Station (only firmware versions prior to QTS 4.2.0 are affected).
We would like to express our gratitude to Keigo Yamazaki (LAC Co., Ltd.) for discovering this issue, and JPCERT/CC for their coordination effort.
QTS App
- Fixed a Perl vulnerability.
- Fixed three vulnerabilities (CVE-2015-6022, CVE-2015-6036, CVE-2015-7261) for Signage Station and one vulnerability (CVE-2015-7262) for iArtist Lite.
The vulnerabilities are fixed in Signage Station v2.1.2.3 and iArtist Lite v1.4.167.0.
You can apply the fix for Signage Station by updating it in the App Center. For iArtist Lite, the fix can be downloaded from http://download.qnap.com/Qsignage/iArtist_lite.zip
For compatibility reasons, updating Signage Station requires updating iArtist Lite (and vice versa).
We would like to express our gratitude to Mark Woods, a security consultant at Nettitude and long-time QNAP fan, for discovering these above issues.
- Two critical vulnerabilities (CVE-2016-2324, CVE-2016-2315) have been discovered for Git and we have not received any fixes from the maintainer.
Due to security concerns, this app will be removed from the App Center until a fix is received. We also recommend that users uninstall it until a fix is released.
Solution
To fix these security issues, log in to your NAS as an administrator, go to “Control Panel” > “Firmware Update”, and then choose to update your NAS with either a live or manual update. For instructions on how to update NAS firmware, see How to update your QNAP NAS’s firmware?
Comments 6
YellowFellow
Well, an update is really worth it then
Nicely prominent and clearly presented, I like it that way.
christian Author
You're welcome!
eol1
Christian, please adjust the headline! It should read "fixes security vulnerabilities for all versions BEFORE Build 20160601 with version Build 20160601"
eol1
Hi Christian, the downloads are not available anywhere yet. Do you have a link?
EDIT: Downloads are there; version 20160601 fixes the security vulnerabilities of all QTS versions before it.
christian Author
You're confusing me. Build = b; I couldn't find anything about a beta.
eol1
PM sent!