QNAP NAS Community Forum

[doktornotor]

Hello QNAP,

Hello, it has only been one year, not enough time to recompile with non-fscked openssl!

[schumaku]

Hello, it has only been one year, not enough time to recompile with non-fscked openssl!

What's a year in a human life?
Whats a year in the earth history?

[forkless]

Hello, it has only been one year, not enough time to recompile with non-fscked openssl!

What's a year in a human life?
Whats a year in the earth history?

It's definitely not long enough to fix a core Apache functionality. But boy, I am glad it now supports MORE flaky webcams nobody ever heard about...

[forkless]

*bump

[doktornotor]

You've gotta be kidding us, QNAP. The excerpt from the "latest and greatest" (now pulled) 3.7.0's phpinfo:

Code: Select all

SSL_VERSION_LIBRARY   OpenSSL/0.9.7a
openssl
OpenSSL support   enabled
OpenSSL Library Version   OpenSSL 0.9.7a Feb 19 2003
OpenSSL Header Version   OpenSSL 0.9.7a Feb 19 2003

And:

Code: Select all

# locate libssl
/lib/libssl.so
/lib/libssl.so.0
/lib/libssl.so.0.9.7

# file /lib/libssl.so.0.9.7
/lib/libssl.so.0.9.7: ELF 32-bit LSB shared object, ARM, version 1 (SYSV), dynamically linked, stripped


So, you actually downgraded the buggy multi-vulnerable ** even further?!?!

[River Trent]

Still waiting . . . . .

[grobylev]

being a software developer for some time now, I learned one thing:
Making mistakes is not a problem. Not fixing those problems are...

u'd better start to think on some alternative solution IMO... unless you'll find yourself waiting another one year wasting and waiting...

[forkless]

Grobylev,

Let me start with saying i'm not angry at you I just taking your observation to comment on the situation

While there are alternatives the problem lies in the fact that the current OpenSSL implementation is not a mistake, it's not even a matter of moral culpability anymore. It is downright criminal negligent. Do not forget that the bulk of the users/owners here do NOT have means of updating their QNAP like a regular OS.

While I myself could easily upgrade the OS to a modded Debian (or whatever flavour) OS. Having to revert to modding a QNAP however to use another OS is beyond reasonable. Not to mention that it implies forfeiting all your OEM OS support on the product itself.

QNAP should get of their lazy ***** and fix this issue for people who can't and want to maintain a secure and reliable platform instead of facilitating every ******* hacker and their smelly cousin.

Cheers,
Fork


ps. Do I sound angry? You bet! I am.

[grobylev]

I agree that the word 'mistake' is not the best here -- I should've use 'not so up to date' , or 'full with security bugs' instead, but I think you got what I mean.
What I've trying to say is that - according to my observations -, if a feature/security issue/whatever else is really important to you, you'd better resolve it by you own instead of waiting years/months to a manufacturer...

Yes, a lot of 'customers' may not know what openssl is (or even what's the difference between http/https)... just having their webpage up and running... without knowing that their stuff can be...
And I do not want to comment on that for a manufacturers the marketing is more important (like new Time Machince, etc... just because they want to update their 'feature list' to sell more products) than security.
So it looks to me that QNAP decided to be a SOHO NAS - to put your family photos on - , and not to be used in some super-secure-enterprise-bank-fbi environment.

Installing some custom OS in a QNAP device is not the only option, you can also sell it and buy Synology instead for example... much quicker/easier/...
It's your choice, just like their when they're deciding to add some another useless feature instead of maintaining the existing ones.

P.S.: I'm on your side.

[schumaku]

Look: Fact is the QNAP Linux in place is highly outdated - plenty of limitaitons and issues with the outdated Kernel and libraries. This does simply prohibit updating OpenSSL just for example. Ridiculous situation.

[doktornotor]

So it looks to me that QNAP decided to be a SOHO NAS - to put your family photos on - , and not to be used in some super-secure-enterprise-bank-fbi environment.

Not even SOHO is a good use for this. To the contrary, some "family photos" may be highly sensitive and you definitely do not want them leaked all over internet. And again - the previous version has been already seriously outdated, vulnerable and buggy and missing many features. However, there simply is absolutely no excuse for downgrading to 0.9.7a by mistake or whatnot. Why does anyone with sane mind have something like that installed and miscompiles bunch of firmwares against that junk as a result goes beyond me. Lame, seriously lame.

[ts-ec1279u-rp]

Hi Qnap (AlexKe),

How is the fix progressing? Is it planned for the coming firmware release or a later one? Any rough date available?

[doktornotor]

How is the fix progressing?

Backwards...

devolution-of-communication.jpg

[vinajb]

Did anyone find a non-firefox workaround for this? Can we manually upgrade openssl on the box? I still encounter these issues and would like to get rid of it.

[forkless]

The toolchain to compile sources is available on the QNAP (via Optware) so you can compile and install any binary or module you wish.

One can obviously argue whether your want to be part of the problem or the solution but the point is that these are core security updates that should be part of QNAP patch/security management cycles and not something the community has to pick up.

What irks me even more is that QNAP has the hubris to refuse to communicate about the issue. Which has been ongoing for years now, clearly QNAP management seems to think we rather have a slick as a babies bottom ajax driven admin interface than a secure and stable platform.