QNAP has released version 4.2.4 of the firmware that runs on various models of its NAS devices, and the first update with a few bug fixes is now available as well. Since version 4.2, among other things, the interface has been refreshed and security has been improved. For example, a two-step login procedure can now be set up, using a login code generated by an app. In addition, media can now be streamed to multiple devices simultaneously, and various improvements have been made to virtualization and Storage Management. The complete changelog can be found on this page. The following issues have been fixed in this release:
Bug fixes
- Fixed an issue where an error message would appear when the Docker Certificate expired due to users manually setting the time forward.
- Fixed an issue where RTRR FTP backup jobs would not accept passwords that contained more than 16 characters.
- Fixed an issue where users could not upload files larger than 4 GB in File Station when using Internet Explorer 11.
- Fixed an issue where Bluetooth devices would disappear from the device list after Container Station was installed and enabled.
- Fixed an issue where users could not connect a Mac to the NAS when using L2TP/IPsec VPN service.
- Fixed an issue where the System Logs would incorrectly display VPN connections as PPTP when PPTP was enabled.
- Fixed an issue where unexpected errors would occur when key combinations were used consecutively in HybridDesk Station.
- Fixed an issue where users could not use Affinity Photo to edit the photos in NAS shared folders mounted on OS X via AFP.
- Fixed an issue where the system would not automatically check for available firmware updates when users logged in after setting the date format as DD/MM/YYYY.
- Fixed a configuration file vulnerability that could be exploited to compromise the security of sensitive data. (CVE-2017-5227)
- Fixed a stack overflow vulnerability that could be exploited to gain control of the EIP register.
- Fixed a SQL injection vulnerability that could be exploited to execute arbitrary SQL commands.
- Fixed a command injection vulnerability in transcoding that could be exploited to execute unauthorized commands.
- Fixed a heap overflow vulnerability.
- Fixed a cross-site scripting vulnerability that could be exploited to inject arbitrary JavaScript commands.
- Fixed 2 stack overflow vulnerabilities that could be exploited to cause segmentation faults and gain control of the EIP register.
- Fixed a command injection vulnerability that could be exploited to execute unauthorized commands. (CVE-2017-6361)
- Fixed a command injection vulnerability that could be exploited to gain administrator privileges and unrestricted access to sensitive data. (CVE-2017-6360)
- Fixed a command injection vulnerability that could be exploited to gain administrator privileges and execute unauthorized commands. (CVE-2017-6359)
- Fixed an access control vulnerability that would incorrectly restrict authorized user access to resources.
- Fixed 2 stack overflow vulnerabilities.