Correct/expected procedure for keeping FreeNAS up-to-date?

Status
Not open for further replies.

seanm (Guru; joined Jun 11, 2018; 570 messages)
I've been experimenting with FreeNAS and am pretty happy. I'm using 11.2rc2, which is of course close to bleeding edge. I just discovered the FreeBSD "pkg audit -F" command and was surprised/disappointed to see so many packages are out of date and vulnerable to known security issues. ex:

Code:
samba47-4.7.6_12 is vulnerable:
samba -- multiple vulnerabilities
CVE: CVE-2018-10919
CVE: CVE-2018-10918
CVE: CVE-2018-10858
CVE: CVE-2018-1140
CVE: CVE-2018-1139
WWW: https://vuxml.FreeBSD.org/freebsd/c4e9a427-9fc2-11e8-802a-000c29a1e3ec.html


Is an admin of a FreeNAS system expected/recommended to update these things between FreeNAS updates? Will doing so break future FreeNAS updates?
 

danb35 (Hall of Famer; joined Aug 16, 2011; 15,504 messages)

seanm
Oh. :(

Is the output of 'pkg audit -F' even correct then?

Are you saying the release candidate of the _upcoming_ version of a software principally designed to share files has a months-old version of samba with known security vulnerabilities?
 

danb35
Are you saying the release candidate of the _upcoming_ version of a software principally designed to share files has a months-old version of samba with known security vulnerabilities?
I'm not making any statement either way on that, as I just don't know. But there's no way to do package-level updates on FreeNAS. It's an appliance. Might be worth filing a bug against the RC though.
 

seanm
Thanks dlavigne. Is the output of 'pkg audit -F' correct though? Is it something one can rely on?
 
dlavigne (Guest)
It is a good check for new FreeBSD SAs (security vulnerabilities) and to be aware of any installed software with known vulnerabilities (eg in jails). That way you can determine if you want to limit your exposure until the next update is available (eg, not run a particular jail/plugin or tighten up access to a particular share, etc. depending upon the nature of the vulnerability).
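Added example, not code from this thread or from the FreeNAS project: a small Python parser for the text that `pkg audit -F` prints, in the format quoted in the first post (a "<package> is vulnerable:" line, the advisory title, "CVE:" lines, a "WWW:" line, then a blank line). It groups advisories and CVEs per package so an admin can see at a glance which installed software is exposed and, as suggested above, decide whether to tighten access to a share or stop a jail until the next update ships. The sample input is constructed: the samba block mirrors the one quoted in the thread, while the curl block's advisory title, CVE ids and vuxml URL are placeholders.

```python
"""Parse `pkg audit -F` text output and summarize it per package.

Added example: not code from the forum thread or from the FreeNAS project.
The sample below is constructed to follow the output format quoted in the
thread (package line, advisory title, "CVE:" lines, "WWW:" line, blank line).
"""
import re
from collections import OrderedDict

# Constructed sample. The samba block mirrors the one quoted in the thread;
# the curl block's title, CVE ids and vuxml URL are placeholders, not real ids.
SAMPLE_AUDIT_OUTPUT = """\
samba47-4.7.6_12 is vulnerable:
samba -- multiple vulnerabilities
CVE: CVE-2018-10919
CVE: CVE-2018-10918
CVE: CVE-2018-10858
CVE: CVE-2018-1140
CVE: CVE-2018-1139
WWW: https://vuxml.FreeBSD.org/freebsd/c4e9a427-9fc2-11e8-802a-000c29a1e3ec.html

curl-7.59.0 is vulnerable:
curl -- placeholder advisory title
CVE: CVE-0000-0001
CVE: CVE-0000-0002
WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER-VUXML-ID.html

2 problem(s) in 2 installed package(s) found.
"""

_VULN_LINE = re.compile(r"^(\S+) is vulnerable:$")


def split_package_name(pkg):
    """Split 'samba47-4.7.6_12' into ('samba47', '4.7.6_12').

    FreeBSD package names carry the version after the last hyphen.
    """
    name, sep, version = pkg.rpartition("-")
    if not sep:
        return pkg, ""
    return name, version


def parse_pkg_audit(text):
    """Map each vulnerable package to its advisories and de-duplicated CVE list.

    A package matching several VuXML entries is printed by pkg as several
    "<pkg> is vulnerable:" blocks, so blocks are merged by package name.
    """
    packages = OrderedDict()
    pkg_entry = None    # entry for the package of the block being read
    advisory = None     # advisory dict currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            advisory = None     # a blank line closes the current block
            continue
        m = _VULN_LINE.match(line)
        if m:
            pkg_entry = packages.setdefault(m.group(1), {"advisories": [], "cves": []})
            advisory = {"title": None, "cves": [], "www": None}
            pkg_entry["advisories"].append(advisory)
            continue
        if advisory is None:
            continue            # e.g. the trailing "N problem(s) ..." summary line
        if line.startswith("CVE:"):
            cve = line[4:].strip()
            advisory["cves"].append(cve)
            if cve not in pkg_entry["cves"]:
                pkg_entry["cves"].append(cve)
        elif line.startswith("WWW:"):
            advisory["www"] = line[4:].strip()
        elif advisory["title"] is None:
            advisory["title"] = line   # first free-text line is the advisory title
    return packages


def summarize(packages):
    """Return (package, advisory_count, cve_count) tuples, most CVEs first."""
    rows = [(pkg, len(e["advisories"]), len(e["cves"])) for pkg, e in packages.items()]
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


def report(text):
    """Render a short triage report from raw `pkg audit -F` output."""
    packages = parse_pkg_audit(text)
    lines = []
    for pkg, n_adv, n_cve in summarize(packages):
        name, version = split_package_name(pkg)
        lines.append("%-12s %-10s advisories=%d cves=%d" % (name, version, n_adv, n_cve))
        for adv in packages[pkg]["advisories"]:
            lines.append("    %s (%s)" % (adv["title"], adv["www"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT_OUTPUT))
```

On a real host the same functions can be fed the live output, for example by reading `sys.stdin` from `pkg audit -F | python3 audit_report.py` (the script name is an assumption); the parser ignores the trailing "N problem(s) ... found." summary line, and a package that matches more than one VuXML entry is merged into one row with its CVEs de-duplicated.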
 

seanm
OK. So they are not false positives due to FreeNAS being an "appliance". And were I using the nightlies I would see little/nothing?
 
dlavigne
What is your end goal? Running nightlies is not a secure practice. Being aware of vulnerabilities and how they affect you is, but doing that effort depends upon your risk and requirements.
 

seanm
I'm evaluating buying a FreeNAS and trying to get a feel for how often/quickly security updates are available, and how 'on the ball' the FreeNAS developers are in this regard. Synology for example have this nice page:

https://www.synology.com/en-global/support/security

for which I see nothing analogous for FreeNAS (of course I may have missed it).

When I saw so many things output by 'pkg audit -F' on 11.2rc2 (which is fairly bleeding edge) I became a bit discouraged.

(I agree running nightlies for production is not a good idea, but I would presume that getting security updates into nightlies is a priority for the developers, in order to get testing asap and release asap.)
 
dlavigne
For FreeNAS (and TrueNAS), the Roadmap details the dates of upcoming releases. Click a version's link to see the details of the tickets going into that version.

We take security seriously and are on top of FreeBSD SAs as well as CVEs for the major components (eg CVEs) and take the timing and impact of those into consideration when setting the dates for the next version. You can also see examples in our Release Notes: https://www.ixsystems.com/blog/knowledgebase_category/freenas-release-notes/ and https://www.ixsystems.com/blog/knowledgebase_category/truenas-release-notes/. I hope this helps with your decision :smile:
 

seanm
So I've just updated to 11.2 GM. pkg audit -F still reports 13 issues, ex:

- OpenSSL is at version 1.0.2o, released 2018-03-27.
- cURL is at version 7.59.0, released 2018-03-14.

Both have had several releases since then. As a software developer myself, I understand the balance between updating dependencies too quickly vs too slowly. OpenSSL for example has a 1.1 series now; FreeNAS has apparently chosen the more stable 1.0.2 branch, which is fine, but there has since been 1.0.2p (2018-08-14) and 1.0.2q (2018-11-20), both with security fixes, though admittedly low risk. The former is nearly 4 months old.

Looks like 1.0.2q was committed here: https://redmine.ixsystems.com/proje...ions/9424b8c43e2d3d7b45201e34799fd5c5193f7f68

but I don't see any ticket on the 11.2-U1 roadmap for OpenSSL...
 