My Cloud Security

d_fens · May 17, 2016, 9:59am

Hi,

WD should update some of the packages here (OpenSSL, Samba, sqlite…)

||/ Name Version Architecture Description
++±===========================================-=========================-============-========================================================================

ii afp 03.01.07-ac5ffd5 ii alerts 02.00.00-5972515 ii apache-php-webdav 02.00.01-dfafb9b ii apache2 2.4.10-10+deb8u3 ii apache2-bin 2.4.10-10+deb8u3 ii apache2-data 2.4.10-10+deb8u3 ii apache2-mpm-prefork 2.4.10-10+deb8u3 ii apache2-utils 2.4.10-10+deb8u3 ii openssh-client 1:6.0p1-4 ii openssh-server 1:6.0p1-4 ii openssl 1.0.1m-1 ii openvpn 2.2.1-8+deb7u2 ii paragon-ufsd 08.05.01-bebc03c ii parted 2.3-12 ii passwd 1:4.1.5.1-1 ii perl 5.14.2-21 ii perl-base 5.14.2-21 ii perl-modules 5.14.2-21 ii php-apc 4.0.4-1 ii php5-apcu 4.0.7-1 ii php5-cli 5.6.7+dfsg-1 ii php5-common 5.6.7+dfsg-1 ii php5-curl 5.6.7+dfsg-1 ii php5-json 1.3.6-1 ii php5-sqlite 5.6.7+dfsg-1 ii procps 1:3.3.3-3 ii psmisc 22.20-1 ii python 2.7.3-4+deb7u1 ii python-minimal 2.7.3-4+deb7u1 ii python2.7 2.7.3-6 ii python2.7-minimal 2.7.3-6 ii samba-common 2:3.6.6-6+deb7u1 ii samba-common-bin 2:3.6.6-6+deb7u1 ii sed 4.2.1-10 ii sensible-utils 0.0.7 ii sg3-utils 1.33-1 ii smartmontools 5.41+svn3365-1 ii smb-file 01.00.00-a53eca3 ii smbclient 2:3.6.6-6+deb7u1 ii sq 04.04.02-105 ii sqlite3 3.8.0.2-1 ii strace 4.5.20-2.3 ii strings 01.00.00-8ada46d ii sudo 1.8.5p2-1+nmu1 ii sysstat 10.0.5-1 ii sysv-rc 2.88dsf-41 ii sysvinit 2.88dsf-41 ii sysvinit-utils 2.88dsf-41 ii tar 1.26+dfsg-0.1 armhf Afp service configuration - netatalk
all WD alert definition and scripts
all Apache, php, webdav, with WD configuration
armhf Apache HTTP Server
armhf Apache HTTP Server (modules and other binary files)
all Apache HTTP Server (common files)
armhf transitional prefork MPM package for apache2
armhf Apache HTTP Server (utility programs for web servers)
armhf secure shell (SSH) client, for secure access to remote machines
armhf secure shell (SSH) server, for secure access from remote machines
armhf Secure Sockets Layer toolkit - cryptographic utility
armhf virtual private network daemon
armhf Paragon ufsd (NTFS/HFS+/J file system driver)
armhf disk partition manipulator
armhf change and administer password and group data
armhf Larry Wall’s Practical Extraction and Report Language
armhf minimal Perl system
all Core Perl modules
all APC User Cache for PHP 5 (transitional package)
armhf APC User Cache for PHP 5
armhf command-line interpreter for the php5 scripting language
armhf Common files for packages built from the php5 source
armhf CURL module for php5
armhf JSON module for php5
armhf SQLite module for php5
armhf /proc file system utilities
armhf utilities that use the proc file system
all interactive high-level object-oriented language (default version)
all minimal subset of the Python language (default version)
armhf Interactive high-level object-oriented language (version 2.7)
armhf Minimal subset of the Python language (version 2.7)
all common files used by both the Samba server and client
armhf common files used by both the Samba server and client
armhf The GNU sed stream editor
all Utilities for sensible alternative selection
armhf utilities for devices using the SCSI command set
armhf control and monitor storage systems using S.M.A.R.T.
armhf SMB implementation. currently using Samba
armhf command-line SMB/CIFS clients for Unix
armhf Sequoia project package
armhf Command line interface for SQLite 3
armhf A system call tracer
all localization strings
armhf Provide limited super user privileges to specific users
armhf system performance tools for Linux
all System-V-like runlevel change mechanism
armhf System-V-like init utilities
armhf System-V-like utilities
armhf GNU version of the tar archiving utility

thank you!

Bennor · May 17, 2016, 11:04am

Have you contacted WD directly? This forum is primarily a user to user support forum. Per this thread, WD has stated the following; “We encourage all security researchers to report potential security vulnerabilities or concerns to WD Customer Service and Support at http://support.wdc.com”.

d_fens · May 17, 2016, 11:49am

Hi Bennor,

I did this in the past. After >20 e-mails, I was offered a refund. But I wanted an update.
maybe you could you please pass this to the correct department? I am sure this would be faster.

Bennor · May 17, 2016, 12:04pm

I cannot “pass” anything along as I and most others here do not work for WD. As explained this is primarily a user to user support forum and most, including myself, are mere customers who came here for one reason or another and have stayed to help others with their issues and learn more about the My Cloud.

Shabuboy · May 17, 2016, 4:15pm

Any User Forum is just end-user to end-user assistance, for any vendor.
We are all just regular users trying to help other users.

If you actually want WD support, contact them directly.

Bill_S · May 18, 2016, 5:57pm

Hey Guys,

The moderators saw and passed this along. They are looking into it. @d-fens, have they contacted you yet?

cpt_paranoia · May 18, 2016, 7:01pm

I think d-fens’ request is pretty clear from the OP: update to the latest packages at the next firmware release. I’m sure your security guys are constantly tracking security updates to Debian… <snorts in derision…>

Bill_S · May 18, 2016, 9:11pm

d_fens · May 19, 2016, 12:09am

they already contacted me, and I send them three very well documented vulnerabilities as an example.
I hope there will be a new firmware soon, maybe with a public share that can be disabled this one is a real classic for some years now

Bill_S · May 19, 2016, 4:13pm

Thank you for bringing it to our attention. We do take any security vulnerability seriously. Just keep in mind that it does take time to go through the process.

d_fens · July 18, 2016, 9:43am

2 months have passed, and still no update.
to be honest, it’s useless to share details with support - they don’t do anything as long as everything works. the target audience for these devices thinks their files are more secure on their my cloud in comparison to, let’s say, dropbox connected to misconfigured SoHo-routers…
but right there are more hardware releases than software releases
this saddens me, the hardware is great and I like the design of the mobile apps, but without a firmware that is up-to-date…

brannonb · February 26, 2019, 8:16am

Guessing your oday didnt pan out?

d_fens · February 26, 2019, 8:34am

WD updated many packages, that’s the minimum I wanted:

the linux kernel, Apache, PHP, OpenSSL, OpenSSH, libupnp, jQuery, Samba

Some of these update fixed 0 days

brannonb · February 26, 2019, 4:38pm

Friend I got ptrace from 2.35.* still isnt patched… please remove Linux Kernel from your patched files? Just kidding… Team Teso!!! 4 Life

My Cloud Security

||/ Name Version Architecture Description ++±===========================================-=========================-============-========================================================================

||/ Name Version Architecture Description
++±===========================================-=========================-============-========================================================================