Synology Product Security Advisory
https://www.synology.cn/zh-cn/support/security
Thu, 21 Nov 2024 19:06:18 +0800 | Thu, 14 Nov 2024 16:28:21 +0800

Every advisory below is published by security@synology.com (Synology Security Team). One entry per line: advisory ID | affected product or issue | publication date | advisory URL.

Synology-SA-24:24 | Synology Camera (PWN2OWN 2024) | Thu, 14 Nov 2024 16:28:21 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_24
Synology-SA-24:23 | BeeStation (PWN2OWN 2024) | Tue, 05 Nov 2024 15:16:36 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_23
Synology-SA-24:22 | Replication Service (PWN2OWN 2024) | Tue, 05 Nov 2024 15:16:05 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_22
Synology-SA-24:21 | Synology Drive Server (PWN2OWN 2024) | Tue, 05 Nov 2024 15:15:34 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_21
Synology-SA-24:20 | DSM (PWN2OWN 2024) | Tue, 05 Nov 2024 15:15:05 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_20
Synology-SA-24:19 | Synology Photos (PWN2OWN 2024) | Fri, 25 Oct 2024 13:55:04 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_19
Synology-SA-24:18 | BeePhotos (PWN2OWN 2024) | Fri, 25 Oct 2024 13:51:53 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_18
Synology-SA-24:17 | Synology Camera | Fri, 18 Oct 2024 16:23:38 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_17
Synology-SA-24:16 | SRM | Fri, 18 Oct 2024 13:43:07 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_16
Synology-SA-24:15 | BeeStation | Thu, 17 Oct 2024 14:23:28 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_15
Synology-SA-24:14 | Synology Photos | Wed, 16 Oct 2024 13:55:20 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_14
Synology-SA-24:13 | BeePhotos | Wed, 16 Oct 2024 13:54:36 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_13
Synology-SA-24:12 | GitLab | Wed, 09 Oct 2024 08:51:30 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_12
Synology-SA-24:11 | Synology Active Backup for Business Agent | Thu, 26 Sep 2024 11:39:39 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_11
Synology-SA-24:10 | Synology Drive Client | Thu, 26 Sep 2024 11:30:21 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_10
Synology-SA-24:09 | SRM | Mon, 09 Sep 2024 11:51:10 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_09
Synology-SA-24:08 | regreSSHion | Tue, 02 Jul 2024 14:25:22 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_08
Synology-SA-24:07 | Synology Camera | Mon, 27 May 2024 16:41:30 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_07
Synology-SA-24:06 | XZ Utils | Mon, 01 Apr 2024 12:02:16 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_06
Synology-SA-24:05 | Synology Surveillance Station Client | Thu, 28 Mar 2024 14:43:22 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_05
Synology-SA-24:04 | Surveillance Station | Thu, 28 Mar 2024 14:07:31 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_04
Synology-SA-24:03 | SRM | Tue, 12 Mar 2024 14:15:45 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_03
Synology-SA-24:02 | DSM | Wed, 24 Jan 2024 18:08:36 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_02
Synology-SA-24:01 | DSM | Tue, 09 Jan 2024 12:01:13 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_24_01
Synology-SA-23:16 | SRM (PWN2OWN 2023) | Tue, 21 Nov 2023 10:19:00 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_23_16
Synology-SA-23:15 | Synology Camera (PWN2OWN 2023) | Mon, 20 Nov 2023 17:47:11 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_23_15
Synology-SA-23:14 | HTTP/2 Rapid Reset Attack | Fri, 13 Oct 2023 14:13:17 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_23_14
Synology-SA-23:13 | SRM | Thu, 21 Sep 2023 15:01:42 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_23_13
Synology-SA-23:12 | Synology SSL VPN Client | Thu, 24 Aug 2023 17:57:48 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_23_12
Synology-SA-23:11 | Synology Camera | Thu, 17 Aug 2023 19:07:37 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_23_11
Synology-SA-23:10 | SRM | Thu, 27 Jul 2023 14:58:08 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_23_10
Synology-SA-23:09 | Mail Station | Tue, 27 Jun 2023 17:43:29 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_23_09
Synology-SA-23:08 | SRM | Tue, 13 Jun 2023 11:40:16 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_23_08
Synology-SA-23:07 | DSM | Tue, 13 Jun 2023 11:39:42 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_23_07
Synology-SA-23:06 | SRM | Tue, 13 Jun 2023 11:36:51 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_23_06
Synology-SA-23:05 | DSM | Tue, 13 Jun 2023 11:36:31 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_23_05
Synology-SA-23:04 | VPN Plus Server | Thu, 04 May 2023 15:09:58 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_23_04
Synology-SA-23:03 | Netatalk | Thu, 30 Mar 2023 16:37:45 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_23_03
Synology-SA-23:02 | Sudo | Thu, 30 Mar 2023 16:17:07 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_23_02
Synology-SA-23:01 | ClamAV | Wed, 22 Feb 2023 15:13:35 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_23_01
Synology-SA-22:26 | VPN Plus Server | Fri, 30 Dec 2022 18:25:08 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_26
Synology-SA-22:25 | SRM | Thu, 22 Dec 2022 13:44:47 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_25
Synology-SA-22:24 | Samba AD DC | Mon, 19 Dec 2022 17:45:31 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_24
Synology-SA-22:23 | PWN2OWN TORONTO 2022 | Thu, 08 Dec 2022 16:57:24 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_23
Synology-SA-22:22 | Samba | Thu, 17 Nov 2022 16:42:57 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_22
Synology-SA-22:21 | OpenSSL | Wed, 02 Nov 2022 10:46:49 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_21
Synology-SA-22:20 | Samba | Thu, 27 Oct 2022 13:44:08 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_20
Synology-SA-22:19 | Presto File Server | Tue, 25 Oct 2022 10:56:25 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_19
Synology-SA-22:18 | DSM | Tue, 25 Oct 2022 10:56:21 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_18
Synology-SA-22:17 | DSM | Thu, 20 Oct 2022 13:53:15 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_17
Synology-SA-22:16 | ISC BIND | Tue, 27 Sep 2022 11:39:29 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_16
Synology-SA-22:15 | GLPI | Fri, 16 Sep 2022 14:27:56 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_15
Synology-SA-22:14 | USB Copy | Wed, 03 Aug 2022 11:21:59 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_14
Synology-SA-22:13 | SSO Server | Wed, 03 Aug 2022 11:15:26 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_13
Synology-SA-22:12 | Synology Note Station Client | Wed, 03 Aug 2022 10:44:45 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_12
Synology-SA-22:11 | Storage Analyzer | Wed, 03 Aug 2022 10:21:30 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_11
Synology-SA-22:10 | Samba | Fri, 29 Jul 2022 15:12:19 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_10
Synology-SA-22:09 | SRM | Thu, 23 Jun 2022 13:49:58 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_09
Synology-SA-22:08 | ISC BIND | Fri, 20 May 2022 11:36:27 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_08
Synology-SA-22:07 | Synology Calendar | Tue, 17 May 2022 14:18:27 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_07
Synology-SA-22:06 | Netatalk | Thu, 28 Apr 2022 13:32:54 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_06
Synology-SA-22:05 | Spring4Shell | Wed, 06 Apr 2022 16:04:22 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_05
Synology-SA-22:04 | OpenSSL | Fri, 18 Mar 2022 17:49:23 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_04
Synology-SA-22:03 | DSM | Tue, 22 Feb 2022 11:37:46 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_03
Synology-SA-22:02 | Samba | Thu, 27 Jan 2022 18:50:45 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_02
Synology-SA-22:01 | DSM | Tue, 11 Jan 2022 15:46:17 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_22_01
Synology-SA-21:30 | Log4Shell | Mon, 13 Dec 2021 18:29:31 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_30
Synology-SA-21:29 | Samba | Wed, 17 Nov 2021 16:39:06 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_29
Synology-SA-21:28 | Mail Station | Tue, 16 Nov 2021 15:16:11 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_28
Synology-SA-21:27 | ISC BIND | Mon, 01 Nov 2021 18:33:53 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_27
Synology-SA-21:26 | Photo Station | Tue, 07 Sep 2021 10:03:01 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_26
Synology-SA-21:25 | DSM | Tue, 31 Aug 2021 15:10:26 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_25
Synology-SA-21:24 | OpenSSL | Thu, 26 Aug 2021 09:14:55 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_24
Synology-SA-21:23 | ISC BIND | Fri, 20 Aug 2021 10:43:23 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_23
Synology-SA-21:22 | DSM | Tue, 17 Aug 2021 10:25:46 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_22
Synology-SA-21:21 | Audio Station | Wed, 16 Jun 2021 16:05:29 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_21
Synology-SA-21:20 | FragAttacks | Wed, 12 May 2021 18:26:08 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_20
Synology-SA-21:19 | SRM | Tue, 11 May 2021 14:23:32 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_19
Synology-SA-21:18 | Hyper Backup | Tue, 04 May 2021 11:10:37 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_18
Synology-SA-21:17 | Samba | Mon, 03 May 2021 10:54:54 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_17
Synology-SA-21:16 | ISC BIND | Mon, 03 May 2021 10:34:51 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_16
Synology-SA-21:15 | Antivirus Essential | Wed, 28 Apr 2021 08:12:48 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_15
Synology-SA-21:14 | OpenSSL | Mon, 29 Mar 2021 08:56:36 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_14
Synology-SA-21:13 | Samba AD DC | Fri, 26 Mar 2021 15:29:59 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_13
Synology-SA-21:12 | Synology Calendar | Tue, 23 Mar 2021 11:43:54 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_12
Synology-SA-21:11 | Download Station | Tue, 09 Mar 2021 08:28:24 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_11
Synology-SA-21:10 | Media Server | Tue, 09 Mar 2021 08:27:59 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_10
Synology-SA-21:09 | WebDAV Server | Tue, 23 Feb 2021 11:18:19 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_09
Synology-SA-21:08 | Docker | Tue, 23 Feb 2021 11:18:06 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_08
Synology-SA-21:07 | LDAP Server | Tue, 23 Feb 2021 11:17:51 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_07
Synology-SA-21:06 | CardDAV Server | Tue, 23 Feb 2021 11:17:26 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_06
Synology-SA-21:05 | Audio Station | Tue, 23 Feb 2021 09:52:31 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_05
Synology-SA-21:04 | Video Station | Tue, 23 Feb 2021 09:17:09 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_04
Synology-SA-21:03 | DSM | Tue, 23 Feb 2021 09:15:43 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_03
Synology-SA-21:02 | Sudo | Mon, 22 Feb 2021 10:44:30 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_02
Synology-SA-21:01 | DNSpooq | Wed, 20 Jan 2021 10:22:07 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_21_01
Synology-SA-20:29 | SRM | Tue, 29 Dec 2020 14:11:27 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_29
Synology-SA-20:28 | File Station | Tue, 15 Dec 2020 15:20:59 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_28
Synology-SA-20:27 | DNS Server | Tue, 08 Dec 2020 14:29:55 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_27
Synology-SA-20:26 | DSM | Thu, 26 Nov 2020 11:52:20 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_26
Synology-SA-20:25 | Safe Access | Tue, 24 Nov 2020 11:52:27 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_25
Synology-SA-20:24 | Media Server | Tue, 20 Oct 2020 16:00:49 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_24
Synology-SA-20:23 | Download Station | Tue, 20 Oct 2020 15:58:46 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_23
Synology-SA-20:22 | SRM | Thu, 24 Sep 2020 10:28:53 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_22
Synology-SA-20:21 | Zerologon | Thu, 17 Sep 2020 17:05:34 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_21
Synology-SA-20:20 | Photo Station | Tue, 15 Sep 2020 16:25:29 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_20
Synology-SA-20:19 | ISC BIND | Mon, 24 Aug 2020 18:32:20 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_19
Synology-SA-20:18 | DSM | Thu, 16 Jul 2020 12:14:19 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_18
Synology-SA-20:17 | Samba AD DC | Mon, 06 Jul 2020 18:34:08 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_17
Synology-SA-20:16 | ISC BIND | Fri, 19 Jun 2020 18:27:34 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_16
Synology-SA-20:15 | Ripple20 | Thu, 18 Jun 2020 18:48:28 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_15
Synology-SA-20:14 | SRM | Thu, 18 Jun 2020 14:49:29 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_14
Synology-SA-20:13 | CallStranger | Tue, 16 Jun 2020 18:39:57 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_13
Synology-SA-20:12 | NXNSAttack | Thu, 21 May 2020 19:37:26 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_12
Synology-SA-20:11 | SRM | Mon, 04 May 2020 17:57:19 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_11
Synology-SA-20:10 | WordPress | Mon, 04 May 2020 17:48:13 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_10
Synology-SA-20:09 | Samba AD DC | Wed, 29 Apr 2020 18:27:50 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_09
Synology-SA-20:08 | Cloud Station Backup | Wed, 29 Apr 2020 18:25:10 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_08
Synology-SA-20:07 | Synology Calendar | Wed, 29 Apr 2020 18:23:24 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_07
Synology-SA-20:06 | DSM | Wed, 29 Apr 2020 18:22:25 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_06
Synology-SA-20:05 | OpenSSL | Fri, 24 Apr 2020 18:53:52 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_05
Synology-SA-20:04 | Drupal | Mon, 30 Mar 2020 17:05:58 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_04
Synology-SA-20:03 | Kr00k | Wed, 11 Mar 2020 19:08:54 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_03
Synology-SA-20:02 | PPP | Fri, 06 Mar 2020 10:40:29 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_02
Synology-SA-20:01 | Samba | Wed, 22 Jan 2020 17:52:36 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_20_01
Synology-SA-19:43 | Drupal | Mon, 23 Dec 2019 13:27:15 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_43
Synology-SA-19:42 | Intel Processor Vulnerability | Fri, 20 Dec 2019 15:08:42 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_42
Synology-SA-19:41 | WordPress | Fri, 20 Dec 2019 15:08:08 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_41
Synology-SA-19:40 | Samba AD DC | Thu, 12 Dec 2019 08:57:52 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_40
Synology-SA-19:39 | ISC BIND | Tue, 26 Nov 2019 16:56:55 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_39
Synology-SA-19:38 | Synology Assistant | Tue, 12 Nov 2019 14:33:12 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_38
Synology-SA-19:37 | DSM | Tue, 05 Nov 2019 15:29:10 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_37
Synology-SA-19:36 | PHP | Fri, 01 Nov 2019 12:47:01 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_36
Synology-SA-19:35 | Samba | Wed, 30 Oct 2019 18:23:58 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_35
Synology-SA-19:34 | WordPress | Fri, 18 Oct 2019 19:39:50 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_34
Synology-SA-19:33 | HTTP/2 DoS Attacks | Wed, 14 Aug 2019 17:48:14 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_33
Synology-SA-19:32 | SWAPGS Spectre Side-Channel Attack | Thu, 08 Aug 2019 18:21:05 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_32
Synology-SA-19:31 | SRM | Wed, 24 Jul 2019 18:13:12 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_31
Synology-SA-19:30 | Drupal | Fri, 19 Jul 2019 17:36:29 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_30
Synology-SA-19:29 | Tomcat | Mon, 24 Jun 2019 18:07:18 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_29
Synology-SA-19:28 | Linux kernel | Fri, 21 Jun 2019 17:59:00 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_28
Synology-SA-19:27 | Samba AD DC | Fri, 21 Jun 2019 17:16:00 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_27
Synology-SA-19:26 | Photo Station | Tue, 11 Jun 2019 16:04:48 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_26
Synology-SA-19:25 | Virtual Machine Manager | Thu, 23 May 2019 13:55:15 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_25
Synology-SA-19:24 | Microarchitectural Data Sampling | Wed, 15 May 2019 18:59:52 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_24
Synology-SA-19:23 | Samba AD DC | Wed, 15 May 2019 16:06:59 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_23
Synology-SA-19:22 | Drupal | Fri, 10 May 2019 13:59:40 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_22
Synology-SA-19:21 | Calendar | Thu, 09 May 2019 13:30:34 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_21
Synology-SA-19:20 | ISC BIND | Fri, 26 Apr 2019 13:44:46 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_20
Synology-SA-19:19 | Drupal | Thu, 18 Apr 2019 18:15:18 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_19
Synology-SA-19:18 | Broadcom Wi-Fi Driver | Thu, 18 Apr 2019 11:51:52 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_18
Synology-SA-19:17 | Tomcat | Wed, 17 Apr 2019 17:42:06 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_17
Synology-SA-19:16 | Dragonblood | Thu, 11 Apr 2019 14:12:42 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_16
Synology-SA-19:15 | Samba | Tue, 09 Apr 2019 18:15:46 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_15
Synology-SA-19:14 | Apache HTTP Server | Wed, 03 Apr 2019 14:41:40 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_14
Synology-SA-19:13 | Drupal | Tue, 26 Mar 2019 17:27:02 +0800 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_13
Synology-SA-19:12 | Calendar | Tue, 19 Mar 2019 15:10:14 | https://www.synology.cn/zh-cn/support/security/Synology_SA_19_12
+0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_19_12 Synology-SA-19:11 Office https://www.synology.cn/zh-cn/support/security/Synology_SA_19_11 Tue, 05 Mar 2019 14:01:22 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_19_11 Synology-SA-19:10 ISC BIND https://www.synology.cn/zh-cn/support/security/Synology_SA_19_10 Sat, 23 Feb 2019 15:44:24 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_19_10 Synology-SA-19:09 Drupal https://www.synology.cn/zh-cn/support/security/Synology_SA_19_09 Fri, 22 Feb 2019 13:34:56 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_19_09 Synology-SA-19:08 Note Station https://www.synology.cn/zh-cn/support/security/Synology_SA_19_08 Tue, 19 Feb 2019 15:32:12 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_19_08 Synology-SA-19:07 Marvell Avastar SoC https://www.synology.cn/zh-cn/support/security/Synology_SA_19_07 Fri, 15 Feb 2019 18:03:26 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_19_07 Synology-SA-19:06 Docker https://www.synology.cn/zh-cn/support/security/Synology_SA_19_06 Thu, 14 Feb 2019 15:10:34 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_19_06 Synology-SA-19:05 Moments https://www.synology.cn/zh-cn/support/security/Synology_SA_19_05 Wed, 16 Jan 2019 17:26:58 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_19_05 Synology-SA-19:04 Calendar https://www.synology.cn/zh-cn/support/security/Synology_SA_19_04 Tue, 15 Jan 2019 15:37:50 +0800 security@synology.com (Synology Security Team) 
https://www.synology.cn/zh-cn/support/security/Synology_SA_19_04 Synology-SA-19:03 Surveillance Station https://www.synology.cn/zh-cn/support/security/Synology_SA_19_03 Tue, 15 Jan 2019 15:13:02 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_19_03 Synology-SA-19:02 VS960HD https://www.synology.cn/zh-cn/support/security/Synology_SA_19_02 Tue, 15 Jan 2019 15:12:24 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_19_02 Synology-SA-19:01 Photo Station https://www.synology.cn/zh-cn/support/security/Synology_SA_19_01 Wed, 02 Jan 2019 11:16:52 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_19_01 Synology-SA-18:65 SRM https://www.synology.cn/zh-cn/support/security/Synology_SA_18_65 Wed, 26 Dec 2018 15:23:11 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_65 Synology-SA-18:64 DSM https://www.synology.cn/zh-cn/support/security/Synology_SA_18_64 Wed, 26 Dec 2018 14:06:16 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_64 Synology-SA-18:63 DS File https://www.synology.cn/zh-cn/support/security/Synology_SA_18_63 Tue, 25 Dec 2018 14:08:34 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_63 Synology-SA-18:62 Netatalk https://www.synology.cn/zh-cn/support/security/Synology_SA_18_62 Fri, 21 Dec 2018 17:58:09 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_62 Synology-SA-18:61 Magellan https://www.synology.cn/zh-cn/support/security/Synology_SA_18_61 Tue, 18 Dec 2018 11:58:48 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_61 Synology-SA-18:60 Samba AD DC 
https://www.synology.cn/zh-cn/support/security/Synology_SA_18_60 Wed, 28 Nov 2018 18:34:16 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_60 Synology-SA-18:59 VS960HD https://www.synology.cn/zh-cn/support/security/Synology_SA_18_59 Thu, 08 Nov 2018 16:06:07 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_59 Synology-SA-18:58 Surveillance Station https://www.synology.cn/zh-cn/support/security/Synology_SA_18_58 Thu, 08 Nov 2018 16:05:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_58 Synology-SA-18:57 BleedingBit https://www.synology.cn/zh-cn/support/security/Synology_SA_18_57 Fri, 02 Nov 2018 14:28:36 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_57 Synology-SA-18:56 DS Get https://www.synology.cn/zh-cn/support/security/Synology_SA_18_56 Wed, 24 Oct 2018 16:16:24 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_56 Synology-SA-18:55 DSM https://www.synology.cn/zh-cn/support/security/Synology_SA_18_55 Wed, 17 Oct 2018 10:27:40 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_55 Synology-SA-18:54 Calendar https://www.synology.cn/zh-cn/support/security/Synology_SA_18_54 Mon, 08 Oct 2018 16:42:03 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_54 Synology-SA-18:53 Web Proxy Auto-Discovery https://www.synology.cn/zh-cn/support/security/Synology_SA_18_53 Wed, 05 Sep 2018 23:52:05 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_53 Synology-SA-18:52 Android Moments https://www.synology.cn/zh-cn/support/security/Synology_SA_18_52 Wed, 05 Sep 2018 
15:17:58 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_52 Synology-SA-18:51 DSM https://www.synology.cn/zh-cn/support/security/Synology_SA_18_51 Wed, 29 Aug 2018 14:14:12 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_51 Synology-SA-18:50 Drive https://www.synology.cn/zh-cn/support/security/Synology_SA_18_50 Mon, 27 Aug 2018 16:56:19 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_50 Synology-SA-18:49 Ghostscript https://www.synology.cn/zh-cn/support/security/Synology_SA_18_49 Thu, 23 Aug 2018 13:52:41 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_49 Synology-SA-18:48 SRM https://www.synology.cn/zh-cn/support/security/Synology_SA_18_48 Mon, 20 Aug 2018 16:37:20 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_48 Synology-SA-18:47 Samba https://www.synology.cn/zh-cn/support/security/Synology_SA_18_47 Thu, 16 Aug 2018 16:36:23 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_47 Synology-SA-18:46 Internet Key Exchange v1 https://www.synology.cn/zh-cn/support/security/Synology_SA_18_46 Wed, 15 Aug 2018 18:04:54 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_46 Synology-SA-18:45 L1 Terminal Fault https://www.synology.cn/zh-cn/support/security/Synology_SA_18_45 Wed, 15 Aug 2018 17:00:49 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_45 Synology-SA-18:44 Linux kernel https://www.synology.cn/zh-cn/support/security/Synology_SA_18_44 Wed, 15 Aug 2018 13:17:16 +0800 security@synology.com (Synology Security Team) 
https://www.synology.cn/zh-cn/support/security/Synology_SA_18_44 Synology-SA-18:43 MailPlus Server https://www.synology.cn/zh-cn/support/security/Synology_SA_18_43 Tue, 14 Aug 2018 14:25:06 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_43 Synology-SA-18:42 ISC BIND https://www.synology.cn/zh-cn/support/security/Synology_SA_18_42 Fri, 10 Aug 2018 13:59:39 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_42 Synology-SA-18:41 Linux kernel https://www.synology.cn/zh-cn/support/security/Synology_SA_18_41 Tue, 07 Aug 2018 11:13:31 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_41 Synology-SA-18:40 Synology Application Service https://www.synology.cn/zh-cn/support/security/Synology_SA_18_40 Mon, 30 Jul 2018 14:36:54 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_40 Synology-SA-18:39 DSM https://www.synology.cn/zh-cn/support/security/Synology_SA_18_39 Mon, 30 Jul 2018 10:29:39 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_39 Synology-SA-18:38 Tomcat https://www.synology.cn/zh-cn/support/security/Synology_SA_18_38 Tue, 24 Jul 2018 18:54:48 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_38 Synology-SA-18:37 Photo Station https://www.synology.cn/zh-cn/support/security/Synology_SA_18_37 Mon, 23 Jul 2018 10:32:14 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_37 Synology-SA-18:36 DSM https://www.synology.cn/zh-cn/support/security/Synology_SA_18_36 Thu, 12 Jul 2018 16:41:54 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_36 Synology-SA-18:35 File 
Station https://www.synology.cn/zh-cn/support/security/Synology_SA_18_35 Thu, 12 Jul 2018 10:00:23 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_35 Synology-SA-18:34 SRM https://www.synology.cn/zh-cn/support/security/Synology_SA_18_34 Thu, 28 Jun 2018 11:59:22 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_34 Synology-SA-18:33 DSM https://www.synology.cn/zh-cn/support/security/Synology_SA_18_33 Mon, 25 Jun 2018 11:15:51 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_33 Synology-SA-18:32 ISC BIND https://www.synology.cn/zh-cn/support/security/Synology_SA_18_32 Thu, 14 Jun 2018 18:51:32 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_32 Synology-SA-18:31 Lazy FP State Restore https://www.synology.cn/zh-cn/support/security/Synology_SA_18_31 Thu, 14 Jun 2018 16:31:41 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_31 Synology-SA-18:30 SSL VPN Client https://www.synology.cn/zh-cn/support/security/Synology_SA_18_30 Fri, 01 Jun 2018 15:08:53 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_30 Synology-SA-18:29 Web Station https://www.synology.cn/zh-cn/support/security/Synology_SA_18_29 Fri, 01 Jun 2018 15:08:14 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_29 Synology-SA-18:28 SSO Server https://www.synology.cn/zh-cn/support/security/Synology_SA_18_28 Thu, 31 May 2018 10:53:14 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_28 Synology-SA-18:27 Universal Search https://www.synology.cn/zh-cn/support/security/Synology_SA_18_27 Thu, 31 May 2018 
10:52:48 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_27 Synology-SA-18:26 DSM https://www.synology.cn/zh-cn/support/security/Synology_SA_18_26 Thu, 31 May 2018 10:52:07 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_26 Synology-SA-18:25 SRM https://www.synology.cn/zh-cn/support/security/Synology_SA_18_25 Wed, 23 May 2018 14:08:12 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_25 Synology-SA-18:24 DSM https://www.synology.cn/zh-cn/support/security/Synology_SA_18_24 Wed, 23 May 2018 14:07:44 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_24 Synology-SA-18:23 Speculative Store Bypass https://www.synology.cn/zh-cn/support/security/Synology_SA_18_23 Tue, 22 May 2018 14:39:53 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_23 Synology-SA-18:22 EFAIL https://www.synology.cn/zh-cn/support/security/Synology_SA_18_22 Tue, 15 May 2018 19:16:15 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_22 Synology-SA-18:21 Linux kernel https://www.synology.cn/zh-cn/support/security/Synology_SA_18_21 Wed, 09 May 2018 12:52:28 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_21 Synology-SA-18:20 PHP https://www.synology.cn/zh-cn/support/security/Synology_SA_18_20 Wed, 02 May 2018 15:30:27 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_20 Synology-SA-18:19 SSL VPN Client https://www.synology.cn/zh-cn/support/security/Synology_SA_18_19 Thu, 26 Apr 2018 15:47:29 +0800 security@synology.com (Synology Security Team) 
https://www.synology.cn/zh-cn/support/security/Synology_SA_18_19 Synology-SA-18:18 Drupal https://www.synology.cn/zh-cn/support/security/Synology_SA_18_18 Thu, 26 Apr 2018 13:51:34 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_18 Synology-SA-18:17 Drupal https://www.synology.cn/zh-cn/support/security/Synology_SA_18_17 Fri, 30 Mar 2018 15:21:37 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_17 Synology-SA-18:16 Calendar https://www.synology.cn/zh-cn/support/security/Synology_SA_18_16 Thu, 29 Mar 2018 12:52:19 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_16 Synology-SA-18:15 Photo Station https://www.synology.cn/zh-cn/support/security/Synology_SA_18_15 Thu, 29 Mar 2018 12:51:05 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_15 Synology-SA-18:14 DSM https://www.synology.cn/zh-cn/support/security/Synology_SA_18_14 Tue, 27 Mar 2018 16:02:31 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_14 Synology-SA-18:13 NTP https://www.synology.cn/zh-cn/support/security/Synology_SA_18_13 Tue, 27 Mar 2018 15:57:38 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_13 Synology-SA-18:12 Office https://www.synology.cn/zh-cn/support/security/Synology_SA_18_12 Mon, 26 Mar 2018 16:50:08 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_12 Synology-SA-18:11 Drive https://www.synology.cn/zh-cn/support/security/Synology_SA_18_11 Wed, 21 Mar 2018 15:00:05 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_11 Synology-SA-18:10 CardDAV Server 
https://www.synology.cn/zh-cn/support/security/Synology_SA_18_10 Tue, 20 Mar 2018 13:46:21 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_10 Synology-SA-18:09 File Station https://www.synology.cn/zh-cn/support/security/Synology_SA_18_09 Tue, 20 Mar 2018 13:44:20 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_09 Synology-SA-18:08 Samba https://www.synology.cn/zh-cn/support/security/Synology_SA_18_08 Wed, 14 Mar 2018 16:54:07 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_08 Synology-SA-18:07 Memcached https://www.synology.cn/zh-cn/support/security/Synology_SA_18_07 Wed, 14 Mar 2018 14:09:46 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_07 Synology-SA-18:06 Calendar https://www.synology.cn/zh-cn/support/security/Synology_SA_18_06 Mon, 12 Feb 2018 15:12:26 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_06 Synology-SA-18:05 Drive https://www.synology.cn/zh-cn/support/security/Synology_SA_18_05 Thu, 08 Feb 2018 17:24:29 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_05 Synology-SA-18:04 Media Server https://www.synology.cn/zh-cn/support/security/Synology_SA_18_04 Thu, 08 Feb 2018 10:07:44 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_04 Synology-SA-18:03 Note Station https://www.synology.cn/zh-cn/support/security/Synology_SA_18_03 Tue, 23 Jan 2018 17:25:28 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_03 Synology-SA-18:02 Photo Station https://www.synology.cn/zh-cn/support/security/Synology_SA_18_02 Wed, 10 Jan 2018 10:18:42 +0800 
security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_02 Synology-SA-18:01 Meltdown and Spectre Attacks https://www.synology.cn/zh-cn/support/security/Synology_SA_18_01 Thu, 04 Jan 2018 13:36:12 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_18_01 Synology-SA-17:82 Mailsploit https://www.synology.cn/zh-cn/support/security/Synology_SA_17_82 Fri, 29 Dec 2017 13:33:29 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_82 Synology-SA-17:81 MailPlus Server https://www.synology.cn/zh-cn/support/security/Synology_SA_17_81 Wed, 27 Dec 2017 17:42:50 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_81 Synology-SA-17:80 Photo Station https://www.synology.cn/zh-cn/support/security/Synology_SA_17_80 Wed, 20 Dec 2017 17:12:49 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_80 Synology-SA-17:79 SRM https://www.synology.cn/zh-cn/support/security/Synology_SA_17_79 Tue, 19 Dec 2017 14:11:30 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_79 Synology-SA-17:78 Chat https://www.synology.cn/zh-cn/support/security/Synology_SA_17_78 Mon, 18 Dec 2017 11:16:12 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_78 Synology-SA-17:77 Surveillance Station https://www.synology.cn/zh-cn/support/security/Synology_SA_17_77 Tue, 12 Dec 2017 14:13:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_77 Synology-SA-17:76 Photo Station https://www.synology.cn/zh-cn/support/security/Synology_SA_17_76 Thu, 07 Dec 2017 15:14:06 +0800 security@synology.com (Synology Security Team) 
https://www.synology.cn/zh-cn/support/security/Synology_SA_17_76 Synology-SA-17:75 MailPlus Server https://www.synology.cn/zh-cn/support/security/Synology_SA_17_75 Fri, 24 Nov 2017 18:01:45 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_75 Synology-SA-17:74 DSM https://www.synology.cn/zh-cn/support/security/Synology_SA_17_74 Fri, 24 Nov 2017 18:01:27 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_74 Synology-SA-17:73 Intel TXE and ME https://www.synology.cn/zh-cn/support/security/Synology_SA_17_73 Wed, 22 Nov 2017 18:23:20 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_73 Synology-SA-17:72 Samba https://www.synology.cn/zh-cn/support/security/Synology_SA_17_72_Samba Tue, 21 Nov 2017 19:17:51 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_72_Samba Synology-SA-17:71 SRM https://www.synology.cn/zh-cn/support/security/Synology_SA_17_71_SRM Wed, 15 Nov 2017 13:27:01 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_71_SRM Synology-SA-17:70 DSM https://www.synology.cn/zh-cn/support/security/Synology_SA_17_70_DSM Wed, 15 Nov 2017 13:26:55 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_70_DSM Synology-SA-17:69 File Station https://www.synology.cn/zh-cn/support/security/Synology_SA_17_69_File_Station Wed, 15 Nov 2017 13:26:44 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_69_File_Station Synology-SA-17:68 Calendar https://www.synology.cn/zh-cn/support/security/Synology_SA_17_68_Calendar Fri, 10 Nov 2017 17:59:55 +0800 security@synology.com (Synology Security Team) 
https://www.synology.cn/zh-cn/support/security/Synology_SA_17_68_Calendar Synology-SA-17:67 Mail Station https://www.synology.cn/zh-cn/support/security/Synology_SA_17_67_Mail_Station Fri, 10 Nov 2017 17:59:49 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_67_Mail_Station Synology-SA-17:66 OpenJDK https://www.synology.cn/zh-cn/support/security/Synology_SA_17_66_OpenJDK Thu, 09 Nov 2017 17:58:43 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_66_OpenJDK Synology-SA-17:65 DSM https://www.synology.cn/zh-cn/support/security/Synology_SA_17_65_DSM Wed, 08 Nov 2017 17:11:36 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_65_DSM Synology-SA-17:64 CardDAV Server https://www.synology.cn/zh-cn/support/security/Synology_SA_17_64_CardDAV_Server Mon, 06 Nov 2017 16:35:38 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_64_CardDAV_Server Synology-SA-17:63 Photo Station https://www.synology.cn/zh-cn/support/security/Synology_SA_17_63_Photo_Station Mon, 06 Nov 2017 16:35:28 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_63_Photo_Station Synology-SA-17:62 Wget https://www.synology.cn/zh-cn/support/security/Synology_SA_17_62_Wget Thu, 02 Nov 2017 17:37:11 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_62_Wget Synology-SA-17:61 Audio Station https://www.synology.cn/zh-cn/support/security/Synology_SA_17_61_Audio_Station Mon, 30 Oct 2017 15:29:46 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_61_Audio_Station Synology-SA-17:60 KRACK https://www.synology.cn/zh-cn/support/security/Synology_SA_17_60_KRACK Mon, 16 Oct 2017 
19:38:38 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_60_KRACK Synology-SA-17:59 Dnsmasq https://www.synology.cn/zh-cn/support/security/Synology_SA_17_59_Dnsmasq Tue, 03 Oct 2017 16:31:53 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_59_Dnsmasq Synology-SA-17:58 Linux kernel https://www.synology.cn/zh-cn/support/security/Synology_SA_17_58_Linux_kernel Fri, 29 Sep 2017 15:45:48 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_58_Linux_kernel Synology-SA-17:57 Samba https://www.synology.cn/zh-cn/support/security/Synology_SA_17_57_Samba Mon, 25 Sep 2017 15:10:08 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_57_Samba Synology-SA-17:56 OptionsBleed https://www.synology.cn/zh-cn/support/security/Synology_SA_17_56_OptionsBleed Mon, 25 Sep 2017 15:10:01 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_56_OptionsBleed Synology-SA-17:55 Joomla https://www.synology.cn/zh-cn/support/security/Synology_SA_17_55_Joomla Fri, 22 Sep 2017 17:09:54 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_55_Joomla Synology-SA-17:54 Tomcat https://www.synology.cn/zh-cn/support/security/Synology_SA_17_54_Tomcat Thu, 21 Sep 2017 16:37:59 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_54_Tomcat Synology-SA-17:53 SugarCRM https://www.synology.cn/zh-cn/support/security/Synology_SA_17_53_SugarCRM Mon, 18 Sep 2017 16:07:44 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Synology_SA_17_53_SugarCRM Synology-SA-17:52 BlueBorne 
https://www.synology.cn/zh-cn/support/security/Synology_SA_17_52_BlueBorne Wed, 13 Sep 2017 20:05:44 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:51 Cloud Station Drive https://www.synology.cn/zh-cn/support/security/Synology_SA_17_51_Cloud_Station_Drive Wed, 30 Aug 2017 18:50:14 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:50 Cloud Station Backup https://www.synology.cn/zh-cn/support/security/Synology_SA_17_50_Cloud_Station_Backup Wed, 30 Aug 2017 18:47:47 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:49 SRM https://www.synology.cn/zh-cn/support/security/Synology_SA_17_49_SRM Mon, 28 Aug 2017 12:02:14 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:48 DSM https://www.synology.cn/zh-cn/support/security/Synology_SA_17_48_DSM Mon, 28 Aug 2017 09:58:07 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:47 Photo Station https://www.synology.cn/zh-cn/support/security/Synology_SA_17_47_Photo_Station Thu, 24 Aug 2017 13:23:45 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:46 DNS Server https://www.synology.cn/zh-cn/support/security/Synology_SA_17_46_DNS_Server Wed, 23 Aug 2017 18:12:51 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:45 Photo Station Uploader https://www.synology.cn/zh-cn/support/security/Synology_SA_17_45_Photo_Station_Uploader Wed, 23 Aug 2017 18:12:23 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:44 Synology Assistant https://www.synology.cn/zh-cn/support/security/Synology_SA_17_44_Synology_Assistant Wed, 16 Aug 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:43 GitLab https://www.synology.cn/zh-cn/support/security/Synology_SA_17_43_GitLab Tue, 15 Aug 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:42 SVN https://www.synology.cn/zh-cn/support/security/Synology_SA_17_42_SVN Tue, 15 Aug 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:41 Git Server https://www.synology.cn/zh-cn/support/security/Synology_SA_17_41_Git_Server Tue, 15 Aug 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:40 libsoup https://www.synology.cn/zh-cn/support/security/Synology_SA_17_40_libsoup Fri, 11 Aug 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:28 Download Station https://www.synology.cn/zh-cn/support/security/Synology_SA_17_28_Download_Station Fri, 11 Aug 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:26 Office https://www.synology.cn/zh-cn/support/security/Synology_SA_17_26_Office Fri, 11 Aug 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:39 Video Station https://www.synology.cn/zh-cn/support/security/Synology_SA_17_39_Video_Station Thu, 10 Aug 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:38 Chat https://www.synology.cn/zh-cn/support/security/Synology_SA_17_38_Chat Thu, 10 Aug 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:34 Photo Station https://www.synology.cn/zh-cn/support/security/Synology_SA_17_34_PhotoStation Tue, 08 Aug 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:37 Linux kernel https://www.synology.cn/zh-cn/support/security/Synology_SA_17_37_Linux_kernel Mon, 07 Aug 2017 16:17:12 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:36 SMBLoris https://www.synology.cn/zh-cn/support/security/Synology_SA_17_36_SMBLoris Fri, 04 Aug 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:35 Photo Station https://www.synology.cn/zh-cn/support/security/Synology_SA_17_35_PhotoStation Thu, 03 Aug 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:33 FreeRADIUS https://www.synology.cn/zh-cn/support/security/Synology_SA_17_33_FreeRADIUS Thu, 20 Jul 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:32 Node.js https://www.synology.cn/zh-cn/support/security/Synology_SA_17_32_Nodejs Tue, 18 Jul 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:31 Samba https://www.synology.cn/zh-cn/support/security/Synology_SA_17_31_Samba Fri, 14 Jul 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:30 Broadpwn https://www.synology.cn/zh-cn/support/security/Synology_SA_17_30_Broadpwn Fri, 14 Jul 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:29 DSM https://www.synology.cn/zh-cn/support/security/Synology_SA_17_29_DSM Fri, 14 Jul 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:27 Nginx https://www.synology.cn/zh-cn/support/security/Synology_SA_17_27_Nginx Thu, 13 Jul 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:25 FFmpeg https://www.synology.cn/zh-cn/support/security/Synology_SA_17_25_FFmpeg Thu, 06 Jul 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:24 BIND https://www.synology.cn/zh-cn/support/security/Synology_SA_17_24_BIND Fri, 30 Jun 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:23 OpenVPN https://www.synology.cn/zh-cn/support/security/Synology_SA_17_23_OpenVPN Thu, 22 Jun 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:22 Stack Clash https://www.synology.cn/zh-cn/support/security/Synology_SA_17_22_Stack_Clash Tue, 20 Jun 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:21 Photo Station https://www.synology.cn/zh-cn/support/security/Synology_SA_17_21_Photo_Station Tue, 13 Jun 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:20 SRM https://www.synology.cn/zh-cn/support/security/Synology_SA_17_20_SRM Mon, 12 Jun 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:19 sudo https://www.synology.cn/zh-cn/support/security/Synology_SA_17_19_sudo Thu, 01 Jun 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:18 Samba https://www.synology.cn/zh-cn/support/security/Synology_SA_17_18_Samba Thu, 25 May 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:17 WannaCry Ransomware https://www.synology.cn/zh-cn/support/security/Synology_SA_17_17_WannaCry_Ransomware Mon, 15 May 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:16 Linux kernel https://www.synology.cn/zh-cn/support/security/Synology_SA_17_16_Linux_kernel Fri, 12 May 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:15 Linux kernel https://www.synology.cn/zh-cn/support/security/Synology_SA_17_15_Linux_kernel Mon, 08 May 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:14 NFS https://www.synology.cn/zh-cn/support/security/Synology_SA_17_14_Linux_NFS Mon, 08 May 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:13 WordPress https://www.synology.cn/zh-cn/support/security/Synology_SA_17_13_WordPress Mon, 08 May 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Synology-SA-17:12 Intel Manageability SKUs https://www.synology.cn/zh-cn/support/security/Synology_SA_17_12_Intel_Manageability_SKUs Fri, 05 May 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Important Information Regarding MediaWiki Vulnerability (CVE-2017-0372) https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_MediaWiki_Vulnerability Wed, 03 May 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Important Information Regarding NTP Vulnerability (CVE-2016-9042) https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_NTP_Vulnerability Tue, 18 Apr 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Important Information Regarding Linux kernel Vulnerability (CVE-2016-10229) https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_Linux_kernel_Vulnerability Mon, 17 Apr 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Important Information Regarding Samba Vulnerability (CVE-2017-2619) https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_Samba_Vulnerability Fri, 24 Mar 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Important Information Regarding Photo Station Vulnerability https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_Photo_Station_Vulnerability Fri, 24 Mar 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Important Information Regarding Moodle Vulnerability (CVE-2017-2641) https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_Moodle_Vulnerability Wed, 22 Mar 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
    Site administration > Plugins > Authentication > Manage authentication and disable Self registration in the Common settings section.
    Update Availability: To fix the security issues, please go to DSM > Package Center and install the latest version of Moodle to protect your Synology NAS from malicious attacks.
    References: http://netanelrub.in/2017/03/20/moodle-remote-code-execution/ https://moodle.org/mod/forum/discuss.php?d=349419#p1409805
Important Information about the Auto Block function in DSM https://www.synology.cn/zh-cn/support/security/AutoBlock Fri, 24 Feb 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Multiple Vulnerabilities in tcpdump https://www.synology.cn/zh-cn/support/security/Multiple_Vulnerabilities_in_tcpdump Fri, 17 Feb 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Precaution for a Potential SMB Vulnerability https://www.synology.cn/zh-cn/support/security/Precaution_for_a_PotentialSMBVulnerability Thu, 26 Jan 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Important Information Regarding PHP 7.0 Vulnerability (CVE-2017-5340) https://www.synology.cn/zh-cn/support/security/PHP70_Vulnerability_CVEZ_2017_5340 Mon, 23 Jan 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Important Information Regarding PHPMailer Vulnerability (CVE-2017-5223) https://www.synology.cn/zh-cn/support/security/PHPMailer_2017_5223 Wed, 18 Jan 2017 00:00:00 +0800 security@synology.com (Synology Security Team)
Important Information Regarding PHPMailer Vulnerability (CVE-2016-10033) https://www.synology.cn/zh-cn/support/security/PHPMailer_Vulnerability Wed, 28 Dec 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
Important Information Regarding Roundcube Vulnerability (CVE-2016-9920) https://www.synology.cn/zh-cn/support/security/Roundcube_Vulnerability Fri, 09 Dec 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
Important Information Regarding ImageMagick Vulnerability (CVE-2016-8707) https://www.synology.cn/zh-cn/support/security/ImageMagick_Vulnerability Fri, 09 Dec 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
    Applications > Terminal & SNMP and tick "Enable SSH service." Log into DSM via SSH as “admin” or “root” and execute the following command:
    For DSM 6.0: $ sudo sed -i "\$i <policy domain=\"coder\" rights=\"none\" pattern=\"TIFF\" />" /usr/bin/ImageMagick-6/policy.xml
    For DSM 5.2-5967 Update 1 or later versions of DSM 5.2: # sed -i "\$i <policy domain=\"coder\" rights=\"none\" pattern=\"TIFF\" />" /usr/bin/ImageMagick-6/policy.xml
    SRM: Go to Control Panel > Services > System Services > Terminal and tick "Enable SSH service." Log into SRM via SSH as “root” and execute the following command: # sed -i "\$i <policy domain=\"coder\" rights=\"none\" pattern=\"TIFF\" />" /usr/bin/ImageMagick-6/policy.xml
    Since the mitigation mentioned above may cause errors in the results of Security Advisor in DSM, we recommend installing DSM 6.0.2-8451-6 and SRM 1.1.2-6425-2 to fix this issue.
    References: http://blog.talosintel.com/2016/12/ImageMagick-Tiff-out-of-Bounds.html http://www.talosintelligence.com/reports/TALOS-2016-0216 http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8655.html https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c
Important Information Regarding Linux Kernel Vulnerability (CVE-2016-8655) https://www.synology.cn/zh-cn/support/security/Linux_Kernel_Vulnerability Wed, 07 Dec 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
Important Information Regarding PHP Vulnerability (CVE-2016-7124) https://www.synology.cn/zh-cn/support/security/PHP_Vulnerability Fri, 02 Dec 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center and update the following packages to the latest version to protect your Synology NAS from malicious attacks: PHP 5.6, PHP 7.0, phpMyAdmin, SugarCRM
    Update Availability: Synology will provide the latest version of the following packages in Package Center. Available from December 2: PHP 5.6.28, PHP 7.0.13. Available from December 5: phpMyAdmin 4.6.5, SugarCRM 6.5.24
    References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7124 https://www.sugarcrm.com/security/sugarcrm-sa-2016-008 https://www.phpmyadmin.net/security/PMASA-2016-70 https://bugs.php.net/bug.php?id=72663 https://www.owasp.org/index.php/PHP_Object_Injection
Important Information Regarding NTP Vulnerability (CVE-2016-9310) https://www.synology.cn/zh-cn/support/security/NTP_Vulnerability Fri, 25 Nov 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
Important Information Regarding MariaDB Vulnerability (CVE-2016-6664) https://www.synology.cn/zh-cn/support/security/MariaDB Fri, 04 Nov 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, upgrade to MariaDB 5.5.52 to mitigate CVE-2016-6664 first to protect your Synology NAS from malicious attacks.
    References: https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
Important Information Regarding Sweet32 Vulnerability (CVE-2016-2183) https://www.synology.cn/zh-cn/support/security/Sweet32 Wed, 02 Nov 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
    Security > Advanced > TLS / SSL Cipher Suites > Modern compatibility
    DSM 5.2: Login via SSH # /bin/sed -i 's,SSLCipherSuite .*,SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256,' /etc/httpd/conf/extra/httpd-ssl.conf-cipher # /sbin/restart httpd-sys # /sbin/restart httpd-user
    OpenVPN server: Login via SSH # /bin/echo "cipher AES-256-CBC" >> /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf # /bin/echo "cipher AES-256-CBC" >> /var/packages/VPNCenter/target/etc/openvpn/keys/openvpn.ovpn # /var/packages/VPNCenter/target/scripts/openvpn.sh restart After configuring OpenVPN server, you should export the configuration settings (.ovpn) and re-configure the client.
    MailPlus: Execute the following scripts under SSH mode. Download the two scripts from here: CVE-2016-2183_Mitigation_MailPlus-Server.sh (SHA-256: CB43DA2CF1B11C87AA662809BA40E94D350027C3C25676FFEB4F0E86A7B15FF7) CVE-2016-2183_Mitigation_MailServer.sh (SHA-256: A43BAE132C9338B4EACC9C4C9A8646A06E136197AB1191FE10F85E09CA932802) The above settings should be re-applied whenever the re-installation or upgrade is done.
Important Information Regarding Linux Kernel Vulnerability (CVE-2016-5195, a.k.a. Dirty CoW) https://www.synology.cn/zh-cn/support/security/Linux_Kernel Wed, 02 Nov 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
Important Information Regarding Joomla Vulnerability (CVE-2016-8869 and CVE-2016-8870) https://www.synology.cn/zh-cn/support/security/Joomla Wed, 02 Nov 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, install the latest version 3.6.4 of Joomla to protect your Synology NAS from malicious attacks.
    References: https://www.joomla.org/announcements/release-news/5678-joomla-3-6-4-released.html https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html http://thehackernews.com/2016/10/joomla-security-update.html
Important Information Regarding OpenSSL Vulnerability (CVE-2016-7052, CVE-2016-6304) https://www.synology.cn/zh-cn/support/security/OpenSSL_Vulnerability Fri, 28 Oct 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
    Control Panel > Update & Restore > DSM Update and install DSM 6.0.2-8451 Update 2 or above to protect your Synology NAS from malicious attack.
    References: https://www.openssl.org/news/secadv/20160922.txt https://github.com/openssl/openssl/commit/e408c09bbf7c3057bda4b8d20bec1b3a7771c15b
Important Information Regarding MariaDB Vulnerability (CVE-2016-6662) https://www.synology.cn/zh-cn/support/security/MariaDB_Vulnerability Fri, 23 Sep 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, install the latest version 5.5.52 of MariaDB to protect your Synology NAS from malicious attacks.
    References: http://seclists.org/oss-sec/2016/q3/481 http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html https://jira.mariadb.org/browse/MDEV-10465 https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662/
Photo Station 6.5.3-3226 https://www.synology.cn/zh-cn/support/security/Photo_Station_6_5_3_3226 Wed, 03 Aug 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, install the latest version 6.5.3-3226 of Photo Station package to protect your Synology NAS from malicious attacks.
    Note: For the following models, please go to DSM > Package Center, install the latest version 6.3-2965 of Photo Station package to protect your Synology NAS from malicious attacks: DS110j, DS210j, DS410j, DS410, DS110+, DS210+, DS710+, DS1010+, RS810+, and RS810RP+
    For the following models, please go to DSM > Package Center, install the latest version 6.0-2640 of Photo Station package to protect your Synology NAS from malicious attacks: DS109, DS209, DS409, DS409slim, DS109+, DS209+, DS209+II, DS409+, DS509+, and RS409RP+
Important Information about "libupnp: write files via POST" (CVE-2016-6255) https://www.synology.cn/zh-cn/support/security/libupnp_CVE_2016_6255 Mon, 18 Jul 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
    External Access > Router Configuration, QuickConnect, USB Wi-Fi dongles installed for hotspots, Any other UPnP-related packages: Audio Station, Video Station, Media Server, Download Station
    Severity: Critical
    Mitigation: Please configure firewall settings and allow UPnP access for trusted network only.
    Update Availability: Synology has released DSM 6.0.1-2 to address the issue.
    References: https://github.com/mjg59/pupnp-code/commit/be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd
Important Information about HTTPoxy Vulnerability (CVE-2016-5387) https://www.synology.cn/zh-cn/support/security/HTTPoxy_Vulnerability Mon, 18 Jul 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
Important Information about NTP Vulnerabilities (CVE-2016-4957, CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, and CVE-2016-4956) https://www.synology.cn/zh-cn/support/security/Important_Information_about_NTP_Vulnerabilities Wed, 08 Jun 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
Important Information about OpenSSL Vulnerabilities (CVE-2016-2107 and CVE-2016-2108) https://www.synology.cn/zh-cn/support/security/OpenSSL_Vulnerabilities Wed, 04 May 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
Important Information about Samba Badlock Vulnerability https://www.synology.cn/zh-cn/support/security/Badlock Fri, 15 Apr 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
DSM 5.2-5644 Update 5 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_2_5644_update_5 Fri, 19 Feb 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
    Control Panel > Update & Restore > DSM Update and install DSM 5.2-5644 Update 5 or above to protect your Synology NAS from malicious attacks.
    Note: This workaround can effectively prevent Synology NAS from this vulnerability. However, this fix may impact read/write performance on the following models by no more than 15%, for which Synology is working on an enhancement in the future release.
    16-series: DS216se
    15-series: DS115j
    14-series: EDS14, DS114, DS214se, RS214, DS414slim
    13-series: DS213j, DS213air, DS213, DS413j
    12-series: DS112, DS112+, DS112j, DS212, DS212j, DS212+, RS212, RS812
    11-series: DS111, DS211, DS211+, DS211j, DS411, DS411slim, DS411j, RS411
    10-series: DS110j, DS210j, DS410j
Photo Station 6.3-2963 https://www.synology.cn/zh-cn/support/security/Photo_Station_6_3_2963 Fri, 29 Jan 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, and install the latest version 6.3-2963 of Photo Station package to protect your Synology NAS from malicious attacks.
    Note: For the following models, please go to DSM > Package Center, and install the latest version 6.0-2639 of Photo Station package to protect your Synology NAS from malicious attacks: DS109, DS209, DS409, DS409slim, DS109+, DS209+, DS209+II, DS409+, DS509+, RS409(RP)+.
Video Station 1.5-0775 https://www.synology.cn/zh-cn/support/security/Video_station_1_5_0775 Mon, 25 Jan 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, and install the latest version 1.5-0775 of Video Station package to protect Synology NAS from malicious attacks.
    Note: For the following models, please go to DSM > Package Center, and install the latest version 1.6-0850 of Video Station package to protect Synology NAS from malicious attacks: DS216play, DS716+.
Audio Station 5.4-2860 https://www.synology.cn/zh-cn/support/security/Audio_Station_5_4_2860 Mon, 25 Jan 2016 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, and install the latest version 5.4-2860 of Audio Station package to protect Synology NAS from malicious attacks.
Photo Station 6.3-2962 https://www.synology.cn/zh-cn/support/security/Photo_Station_6_3_2962 Mon, 14 Dec 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, install the latest version 6.3-2962 of Photo Station package to protect Synology NAS from malicious attacks.
    Note: For the following models, please go to DSM > Package Center, install the latest version 6.0-2638 of Photo Station package to protect Synology NAS from malicious attacks: DS109, DS209, DS409, DS409slim, DS109+, DS209+, DS209+II, DS409+, DS509+, RS409(RP)+.
Note Station 1.1-0214 https://www.synology.cn/zh-cn/support/security/Note_Station_1_1_0214 Mon, 14 Dec 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, install the latest version 1.1-0214 of Note Station package to protect Synology NAS from malicious attacks.
Video Station 1.5-0772 https://www.synology.cn/zh-cn/support/security/Video_station_1_5_0772 Fri, 11 Dec 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, and install the latest version 1.5-0772 of Video Station package to protect Synology NAS from malicious attacks.
    Note: For the following models, please go to DSM > Package Center, and install the latest version 1.6-0847 of Video Station package to protect Synology NAS from malicious attacks: DS216play, DS716+.
    For the following models, please go to DSM > Package Center, and install the latest version 1.2-0455 of Video Station package to protect Synology NAS from malicious attacks: DS109, DS209, DS409, DS409slim, DS109+, DS209+, DS209+II, DS409+, DS509+, RS409(RP)+.
Audio Station 5.4-2857 https://www.synology.cn/zh-cn/support/security/Audio_Station_5_4_2857 Fri, 04 Dec 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, install the latest version 5.4-2857 of Audio Station package to protect DiskStation from malicious attacks.
    Note: For the following models, please go to DSM > Package Center, install the latest version 5.1-2550 of Audio Station package to protect DiskStation from malicious attacks: DS109, DS209, DS409, DS409slim, DS109+, DS209+, DS209+II, DS409+, DS509+, RS409(RP)+.
Magento 1.9.2.2-0033 https://www.synology.cn/zh-cn/support/security/Magento_1_9_2_2_0033 Thu, 12 Nov 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center and install Magento 1.9.2.2-0033 or above to protect Synology NAS from malicious attacks.
Photo Station 6.3-2958 https://www.synology.cn/zh-cn/support/security/Photo_Station_6_3_2958 Tue, 06 Oct 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, install the latest version 6.3-2958 of Photo Station package to protect DiskStation from malicious attacks.
Audio Station 5.4-2855 https://www.synology.cn/zh-cn/support/security/Audio_Station_5_4_2855 Tue, 06 Oct 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, install the latest version 5.4-2855 of Audio Station package to protect DiskStation from malicious attacks.
Video Station 1.5-0763 https://www.synology.cn/zh-cn/support/security/Video_Station_1_5_0763 Fri, 11 Sep 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, install the latest version 1.5-0763 of Video Station package to protect DiskStation from malicious attacks.
Note Station 1.1-211 https://www.synology.cn/zh-cn/support/security/Note_Station_1_1_211 Fri, 11 Sep 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, install the latest version 1.1-211 of Note Station package to protect DiskStation from malicious attacks.
Download Station 3.5-2967 https://www.synology.cn/zh-cn/support/security/Download_Station_3_5_2967 Fri, 11 Sep 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, install the latest version 3.5-2967 of Download Station package to protect DiskStation from malicious attacks.
DSM 5.2-5592 Update 4 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_2_5592_update_4 Mon, 07 Sep 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Control Panel > Update & Restore > DSM Update and install DSM 5.2-5592 Update 4 or above to protect your Synology NAS from malicious attacks.
Important Information: /usr/syno/bin/zip was wrongly quarantined by Antivirus Essential https://www.synology.cn/zh-cn/support/security/Antivirus_Essential_08_28 Fri, 28 Aug 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Control Panel > Update & Restore > DSM Update and install DSM 5.2-5592 Update 4 and above. If the problem remains unresolved, please visit https://www.synology.com/support/support_form.php for further assistance.
WordPress 4.2.4-039 https://www.synology.cn/zh-cn/support/security/WordPress_4_2_4_039 Thu, 20 Aug 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center and install WordPress 4.2.4-039 or above to protect Synology NAS from malicious attacks.
Magento 1.9.2.0-0029 https://www.synology.cn/zh-cn/support/security/Magento_1_9_2_0_0029 Thu, 16 Jul 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center and install Magento 1.9.2.0-0029 or above to protect DiskStation from malicious attacks.
Asterisk 13.1.0-0063 https://www.synology.cn/zh-cn/support/security/Asterisk_13_1_0_0063 Thu, 16 Jul 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center and install Asterisk 13.1.0-0063 or above to protect DiskStation from malicious attacks.
Important Information about OpenSSL Alternative Chains Certificate Forgery Vulnerability: CVE-2015-1793 https://www.synology.cn/zh-cn/support/security/OpenSSL_2015_1793 Mon, 13 Jul 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Control Panel > Update & Restore > DSM Update and install DSM 5.2-5592 Update 1 or above to protect your DiskStation from malicious attacks.
Download Station 3.5-2963 https://www.synology.cn/zh-cn/support/security/Download_Station_3_5_2963 Mon, 06 Jul 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, install the latest version 3.5-2963 of Download Station package to protect DiskStation from malicious attacks.
    Note: For the following models, please go to DSM > Package Center, install the latest version 3.5-2490 of Download Station package to protect DiskStation from malicious attacks: DS109, DS209, DS409, DS409slim, DS109+, DS209+, DS209+II, DS409+, DS509+, and RS409(RP)+.
Photo Station 6.3-2953 https://www.synology.cn/zh-cn/support/security/Photo_Station_6_3_2953 Wed, 01 Jul 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, install the latest version 6.3-2953 of Photo Station package to protect DiskStation from malicious attacks.
    Note: For the following models, please go to DSM > Package Center, install the latest version 6.0-2636 of Photo Station package to protect DiskStation from malicious attacks: DS109, DS209, DS409, DS409slim, DS109+, DS209+, DS209+II, DS409+, DS509+, RS409(RP)+.
DSM 5.2-5592 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_2_5592 Wed, 01 Jul 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Control Panel > Update & Restore > DSM Update and install DSM 5.2-5592 or above to protect your Synology NAS from malicious attacks. Completing this update will automatically restart your system.
Video Station 1.5-0757 https://www.synology.cn/zh-cn/support/security/Video_Station_1_5_0757 Fri, 26 Jun 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, install the latest version 1.5-0757 of Video Station package to protect DiskStation from malicious attacks.
PACS 2.18.0-0010 https://www.synology.cn/zh-cn/support/security/PACS_2_18_0_0010 Fri, 26 Jun 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center and install PACS 2.18.0-0010 to protect DiskStation from malicious attacks.
Moodle 2.91-0036 https://www.synology.cn/zh-cn/support/security/Moodle_2_91_0036 Fri, 26 Jun 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center and install Moodle 2.91-0036 to protect DiskStation from malicious attacks.
MariaDB 5.5.43-0033 https://www.synology.cn/zh-cn/support/security/MariaDB_5_5_43_0033 Fri, 26 Jun 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center and install MariaDB 5.5.43-0033 to protect DiskStation from malicious attacks.
Drupal 7.38-0037 https://www.synology.cn/zh-cn/support/security/Drupal_7_38_0037 Fri, 26 Jun 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center and install Drupal 7.38-0037 to protect DiskStation from malicious attacks.
Download Station 3.5-2962 https://www.synology.cn/zh-cn/support/security/Download_Station_3_5_2962 Fri, 26 Jun 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, install the latest version 3.5-2962 of Download Station package to protect DiskStation from malicious attacks.
DSM 5.2-5565 Update 2 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_2_5565_update_2 Tue, 09 Jun 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Control Panel > Update & Restore > DSM Update and install DSM 5.2-5565 Update 2 or above to protect your DiskStation from malicious attacks. Completing this update will automatically restart your system.
Photo Station 3.5-2945 https://www.synology.cn/zh-cn/support/security/Photo_Station_3_5_2945 Fri, 29 May 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Package Center, install the latest version 6.3-2945 of Photo Station package to protect DiskStation from malicious attacks.
    Note: For the following models, please go to DSM > Package Center, install the latest version 6.0-2635 of Photo Station package to protect DiskStation from malicious attacks: DS109, DS209, DS409, DS409slim, DS109+, DS209+, DS209+II, DS409+, DS509+, RS409(RP)+.
DSM 5.2-5565 Update 1 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_2_5565_update_1 Thu, 21 May 2015 00:00:00 +0800 security@synology.com (Synology Security Team)
    Control Panel > Update & Restore > DSM Update and install DSM 5.2-5565 Update 1 or above to protect your DiskStation from malicious attacks. Completing this update will automatically restart your system.
Important Information about Vulnerability CVE-2015-0240 https://www.synology.cn/zh-cn/support/security/SAMBA
    Security > Firewall helps prevent unauthorized login and control service access.
Update availability This vulnerability has been addressed in the release of DSM 5.1-5022 Update 3 for x10, x11, x12, x13, x14, and x15 series. Update for DSM 4.2 for x09 series will be released by the end of March. x08 (and older) series are not affected by this vulnerability. ]]> Thu, 26 Feb 2015 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/SAMBA Important Information about GLIBC Vulnerability “GHOST” (CVE-2015-0235) https://www.synology.cn/zh-cn/support/security/ghost Control Panel > Update & Restore> DSM Update and install the latest update to protect your DiskStation from malicious attacks. Completing this update will automatically restart your system. ]]> Fri, 30 Jan 2015 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/ghost DSM 5.1-5021 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_1_5021 Control Panel > Update & Restore> DSM Update and install the latest updates to protect your DiskStation from malicious attacks. Completing this update will automatically restart your system. ]]> Tue, 16 Dec 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_1_5021 VPN Server 1.2-2427 https://www.synology.cn/zh-cn/support/security/VPN_Server_1_2_2427 Package Center and install the latest VPN Server update to protect your Synology NAS from malicious attacks. ]]> Fri, 12 Dec 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/VPN_Server_1_2_2427 Important Information about POODLE Vulnerability (CVE-2014-3566) https://www.synology.cn/zh-cn/support/security/POODLE_Vulnerability Control Panel > Update & Restore> DSM Update and install the latest updates. Completing this update will automatically restart your system. 
]]> Tue, 28 Oct 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/POODLE_Vulnerability DSM 5.0-4627 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4627 Control Panel > Update & Restore> DSM Update and install the latest updates to protect your DiskStation from malicious attacks. Completing this update will automatically restart your system. ]]> Wed, 22 Oct 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4627 DSM 5.0-4528 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4528 Control Panel > Update & Restore> DSM Update and install the latest updates to protect your DiskStation from malicious attacks. Completing this update will automatically restart your system. ]]> Wed, 22 Oct 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4528 Important Information about Bash Vulnerability "ShellShock" (CVE-2014-6271 and CVE-2014-7169) https://www.synology.cn/zh-cn/support/security/bash_shellshock Control Panel > Update & Restore> DSM Update (DSM > Control Panel > DSM Update if your Synology NAS is running DSM 4.3) and install the latest updates to protect your NAS from malicious attacks. ]]> Fri, 26 Sep 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/bash_shellshock DSM 5.0-4493 Update 5 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493_update_5 Control Panel > Update & Restore> DSM Update and install the latest updates to protect your DiskStation from malicious attacks. 
]]> Tue, 09 Sep 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493_update_5 DSM 4.3-3827 Update 7 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_7 Control Panel > DSM Update page, install the latest updates to protect DiskStation from malicious attacks. ]]> Tue, 09 Sep 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_7 DSM 4.2-3252 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3252 Control Panel > DSM Update page, install the latest updates to protect DiskStation from malicious attacks. ]]> Tue, 09 Sep 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3252 DSM 4.0-2265 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_0_2265 Control Panel > DSM Update page, install the latest updates to protect DiskStation from malicious attacks. ]]> Tue, 09 Sep 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_0_2265 DSM 3.1-1639 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_3_1_1639 Control Panel > DSM Update page, install the latest updates to protect DiskStation from malicious attacks. ]]> Tue, 09 Sep 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_3_1_1639 DSM 4.0-2264 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_0_2264 Control Panel > DSM Update page and install the latest updates to protect your Synology NAS from malicious attacks. 
]]> Wed, 27 Aug 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_0_2264 DSM 5.0-4493 Update 4 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493_update_4 Control Panel > Update & Restore> DSM Update and install the latest updates to protect your Synology NAS from malicious attacks. ]]> Tue, 26 Aug 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493_update_4 DSM 4.3-3827 Update 6 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_6 Control Panel > DSM Update page and install the latest updates to protect your Synology NAS from malicious attacks. ]]> Tue, 26 Aug 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_6 DSM 4.2-3251 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3251 Control Panel > DSM Update page and install the latest updates to protect your Synology NAS from malicious attacks. ]]> Tue, 26 Aug 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3251 Important Information about Ransomware SynoLocker Threat https://www.synology.cn/zh-cn/support/security/SynoLocker Resource Monitor).DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or earlier; DSM 4.0-2257 or earlier is installed, but the system says no updates are available at Control Panel > DSM Update. Suggestion For users who have encountered the above symptoms, please shutdown the system immediately to avoid more files from being encrypted and contact our technical support to confirm whether the system is infected. 
Please note Synology is unable to decrypt files that have already been encrypted.If you happen to possess a backup copy of your files (or there are no critical files stored on your DiskStation), we recommend following the below steps to reset your DiskStation and re-install DSM. However, resetting the DiskStation removes the information required for decryption, so encrypted files cannot be decrypted afterward.Follow the steps in this tutorial to reset your DiskStation: http://www.synology.com/support/tutorials/493#t3The latest version of DSM can be downloaded from our Download Center here: http://www.synology.com/downloadOnce DSM has been re-installed, log in and restore your backup data. For other users who have not encountered the above symptoms, Synology strongly recommend downloading and installing DSM 5.0, or any version below:DSM 4.3-3827 or laterDSM 4.2-3243 or laterDSM 4.0-2259 or laterDSM 3.x or earlier is not affectedUsers can manually download the latest version from our Download Center and install it at Control Panel > DSM Update > Manual DSM Update. ]]> Thu, 07 Aug 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/SynoLocker DSM 5.0-4493 Update 3 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493_update_3 Control Panel > Update & Restore> DSM Update and install the latest updates to protect your DiskStation from malicious attacks. ]]> Thu, 24 Jul 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493_update_3 DSM 4.2-3250 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3250 Control Panel > DSM Update page, install the latest updates to protect DiskStation from malicious attacks. 
]]> Wed, 16 Jul 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3250 DSM 4.3-3827 Update 4 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_4 Control Panel > DSM Update page, install the latest updates to protect DiskStation from malicious attacks. ]]> Wed, 25 Jun 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_4 DSM 5.0-4493 Update 1 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493_update_1 Control Panel > Update & Restore> DSM Update and install the latest updates to protect your DiskStation from malicious attacks. ]]> Wed, 11 Jun 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493_update_1 DSM 5.0-4493 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493 Control Panel > Update & Restore > DSM Update page and install the latest updates to protect DiskStation from malicious attacks. ]]> Wed, 04 Jun 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493 DSM 5.0-4482 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4482 Control Panel > Update & Recovery > DSM Update page, install the latest updates to protect DiskStation from malicious attacks. ]]> Thu, 24 Apr 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4482 DSM 4.3-3827 Update 2 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_2 DSM Update, click Update Settings and select Important Updates Only to see and install the update.After updating DSM, we recommend renewing the SSL certificate since your SSL encryption keys might have been compromised. 
Go to Control Panel > DSM Settings > Certificate to check whether you have a third-party or self-signed certificate.For self-signed SSL certificate renewal: To renew your certificate using DSM, please go to Control Panel > DSM Settings > Certificate, click Create Certificate > Create self-signed certificate.Follow the instructions to complete self-signed certificate process.For third-party SSL certificate renewal: To renew your certificate via third-party certificate authority (CA), please go to Control Panel > DSM Settings > Certificate, click Create certificate > Renew certificate to create a certificate signing request (CSR) and a new private key. Download them to your computer.Use the CSR to acquire a new certificate from your CA.Go to Control Panel > DSM Settings > Certificate and click Import certificate to import the certificate from the CA (server.key, example.crt).As a precaution, you can change your DSM passwords, even if there is no evidence that your data was accessed using this vulnerability.A self-signed certificate refers to a certificate that was created and signed by the same entity whose identity it certifies (in this case, the Synology NAS). 
Self-signed certificates provide less proof of the identity of the server and are usually only used to secure channels between the server and a group of known users ]]> Mon, 21 Apr 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_2 VPN Server 1.2-2414 & 1.2-2318 https://www.synology.cn/zh-cn/support/security/VPN_Server_1_2_2414_1_2_2318 Fri, 18 Apr 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/VPN_Server_1_2_2414_1_2_2318 DSM 4.2-3248 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3248 Control Panel > DSM Settings and install the latest update to protect your DiskStation from this vulnerability.After updating DSM, we recommend renewing the SSL certificate since your SSL encryption keys might have been compromised. Go to Control Panel > DSM Settings > Certificate to check whether you have a third-party or self-signed certificate.For self-signed SSL certificate renewal:To renew your certificate using DSM, please go to Control Panel > Security > Certificate, click Create Certificate > Create self-signed certificate.Follow the instructions to complete self-signed certificate process.For third-party SSL certificate renewal:To renew your certificate via third-party certificate authority (CA), please go to Control Panel > DSM Settings > Certificate, click Create certificate > Renew certificate to create a certificate signing request (CSR) and a new private key. Download them to your computer.Use the CSR to acquire a new certificate from your CA.Go to Control Panel > DSM Settings > Certificate and click Import certificate to import the certificate from the CA (server.key, example.crt). 
As a precaution, you can change your DSM passwords, even if there is no evidence that your data was accessed using this vulnerability.A self-signed certificate refers to a certificate that was created and signed by the same entity whose identity it certifies (in this case, the Synology NAS). Self-signed certificates provide less proof of the identity of the server and are usually only used to secure channels between the server and a group of known users. ]]> Tue, 15 Apr 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3248 DSM 5.0-4458 Update 2 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4458_update_2 Control Panel > DSM Update and install the latest update to protect your DiskStation from this vulnerability.After updating DSM, we recommend renewing the SSL certificate since your SSL encryption keys might have been compromised. Go to Control Panel > Security > Certificate to check whether you have a third-party or self-signed certificate.For self-signed SSL certificate renewal:To renew your certificate using DSM, please go to Control Panel > Security > Certificate, click Create Certificate > Create self-signed certificate.Follow the instructions to complete self-signed certificate process.For third-party SSL certificate renewal:To renew your certificate via third-party certificate authority (CA), please go to Control Panel > Security > Certificate, click Create certificate > Renew certificate to create a certificate signing request (CSR) and a new private key. Download them to your computer.Use the CSR to acquire a new certificate from your CA.Go to Control Panel > Security > Certificate and click Import certificate to import the certificate from the CA (server.key, example.crt). 
As a precaution, you can change your DSM passwords, even if there is no evidence that your data was accessed using this vulnerability.A self-signed certificate refers to a certificate that was created and signed by the same entity whose identity it certifies (in this case, the Synology NAS). Self-signed certificates provide less proof of the identity of the server and are usually only used to secure channels between the server and a group of known users. ]]> Thu, 10 Apr 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4458_update_2 DSM 5.0-4458 update 1 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4458_update_1 Control Panel > DSM Update page, install the latest updates to protect DiskStation from malicious attacks. ]]> Thu, 27 Mar 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4458_update_1 WordPress 3.81-018 https://www.synology.cn/zh-cn/support/security/WordPress_3_81_018 Update page, install the latest updates to protect DiskStation from malicious attacks. ]]> Mon, 24 Mar 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/WordPress_3_81_018 Photo Station-2632 https://www.synology.cn/zh-cn/support/security/Photo_Station_2632 Package Center, install the latest package updates to protect DiskStation from malicious attacks. ]]> Thu, 20 Mar 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/Photo_Station_2632 DSM 4.2-3247 https://www.synology.cn/zh-cn/support/security/DSM_4_2_3247 Control Panel > DSM Update page, install the latest updates to protect DiskStation from malicious attacks. 
]]> Thu, 20 Mar 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/DSM_4_2_3247 DSM 4.0-2263 https://www.synology.cn/zh-cn/support/security/DSM_4_0_2263 Control Panel > DSM Update page, install the latest updates to protect DiskStation from malicious attacks. ]]> Thu, 20 Mar 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/DSM_4_0_2263 DSM 4.3-3827 Update 1 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_1 Control Panel > DSM Update page, install the latest updates to protect DiskStation from malicious attacks. ]]> Tue, 18 Mar 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_1 RADIUS Server 1.0-0028 https://www.synology.cn/zh-cn/support/security/hotfix_RADIUS_Server_1_0_0028 Package Center, install the latest package updates to protect DiskStation from malicious attacks. ]]> Tue, 04 Mar 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_RADIUS_Server_1_0_0028 VPN Server 1.2-2314 https://www.synology.cn/zh-cn/support/security/hotfix_VPN_Server_1_2_2314 Package Center, install the latest package updates to protect DiskStation from malicious attacks. ]]> Mon, 03 Mar 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_VPN_Server_1_2_2314 DSM 4.3-3827 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827 Control Panel > DSM Update page, install the latest updates to protect DiskStation from malicious attacks. Resolution of Update FailureIf your DiskStation/RackStation shows either or all of the symptoms below, it’s probably infected by malwares:Power LED light blinks blueCannot log in DSM. 
Error message: "System is getting ready..."Synology Assistant shows "Starting Services..."Status LED light blinks orange and Synology Assistant shows “Migratable” statusPlease note, damaged motherboard can also cause blue LED blinking, you could confirm the main board status with the following guide: http://www.synology.com/en-global/support/faq/366You need to upgrade to DSM 4.3-3827 (or the latest version of DSM for your model) to patch this security vulnerability. If you’re unsure how to execute the steps, please contact Synology support for further assistance.https://account.synology.com/support/support_form.phpThere are three solutions to this issue:Note: If you have ever encountered a message prompting you about the data is to be deleted, please stop proceeding further and contact Synology Support.[Solution 1] Use a spare disk - the settings and volume will stay intactRemove all disks when power is off.Insert a spare disk to your DiskStation/RackStation, boot up and install DSM 4.3-3827(or the latest version of DSM for your model), then power off.Remove the spare disk, and insert the original disks back.Synology Assistant will show "Migratable". Please right click DiskStation in Assistant > Install. Install DSM 4.3 3827 (or the latest version of DSM for your model) on the original disks.[Solution 2] Reinstall DSM - some settings will be lost, but the volume will stay intactPlease follow the Sec. 3 of the tutorial below to reinstall DSM: http://www.synology.com/support/tutorials/493#t3 Please ensure you Install DSM 4.3 3827 (or the latest version of DSM for your model)[Solution 3] Boot up without disks and contact usPlease perform the following actions:Remove all disks and try to install DSM with Synology Assistant. The process will stop at a point where telnet port 23 is enabled.Insert all disks back to DiskStation/RackStation while the power is still on.Make sure port 23 of your DiskStation is accessible from Internet. 
(Port forwarding for port 23 must be set up properly.)Provide your Internet IP address or DDNS name.Once the DiskStation/RackStation boots up properly, please manually Install DSM 4.3 3827 (or the latest version of DSM for your model) ASAP.After installing the latest DSM with security fix through the three solutions above, please go to the shared folder "Homes" > "admin" to remove the file named ".profile " if any.Upgrading to DSM 4.3 3827 (or the latest version of DSM for your model) is required to fix this issue. DiskStation/RackStation can stay vulnerable if the upgrades are not done properly. ]]> Fri, 14 Feb 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827 DSM 4.3-3810 Update 4 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3810_update_4 Control Panel > DSM Update page, install the latest updates to protect DiskStation from malicious attacks. ]]> Thu, 09 Jan 2014 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3810_update_4 DSM 4.2-3243 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3243 Control Panel > DSM Update page, install the latest updates to protect DiskStation from malicious attacks. ]]> Thu, 14 Nov 2013 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3243 DSM 4.0-2259 https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_0_2259 Control Panel > DSM Update page, install the latest updates to protect DiskStation from malicious attacks. ]]> Thu, 14 Nov 2013 00:00:00 +0800 security@synology.com (Synology Security Team) https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_0_2259
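The certificate renewal steps in the DSM 4.3-3827 Update 2, DSM 4.2-3248 and DSM 5.0-4458 Update 2 entries above only help if the private key behind the re-issued certificate is actually new; a certificate re-issued on the old key leaves a possibly leaked key in service. The script below is an added example, not Synology's code and not part of the advisory: it generates a fresh key and CSR the way DSM's Renew certificate does, then checks from the downloaded files that the new key differs from the old one and that the CA-issued certificate matches the new key before you import the pair. It shells out to the openssl command-line tool, which is assumed to be on PATH (Python's standard library cannot parse X.509 on its own); the host name nas.example.com and the file names server.key, server.csr and server.crt are placeholders.

```python
"""Check that an SSL certificate renewal really rotated the private key.

Added example (not Synology's code). Assumes the openssl CLI is on PATH.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile


def _openssl(*args, stdin=None):
    """Run one openssl subcommand and return its stdout as bytes."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl CLI not found on PATH")
    return subprocess.run(["openssl", *args], input=stdin, check=True,
                          capture_output=True).stdout


def spki_sha256(path):
    """SHA-256 over the DER SubjectPublicKeyInfo of a PEM private key, CSR
    or certificate. The same key gives the same digest whichever container
    it sits in, so key, CSR and certificate can be compared directly."""
    with open(path, "rb") as f:
        pem = f.read()
    if b"BEGIN CERTIFICATE REQUEST" in pem:
        pub = _openssl("req", "-in", path, "-pubkey", "-noout")
    elif b"BEGIN CERTIFICATE" in pem:
        pub = _openssl("x509", "-in", path, "-pubkey", "-noout")
    elif b"PRIVATE KEY" in pem:
        pub = _openssl("pkey", "-in", path, "-pubout")
    else:
        raise ValueError(f"{path}: not a PEM key, CSR or certificate")
    der = _openssl("pkey", "-pubin", "-outform", "DER", stdin=pub)
    return hashlib.sha256(der).hexdigest()


def new_key_and_csr(out_dir, common_name, bits=2048):
    """Generate a fresh RSA key and a CSR for it (what DSM's Renew
    certificate does behind the GUI). Returns (key_path, csr_path)."""
    key = os.path.join(out_dir, "server.key")
    csr = os.path.join(out_dir, "server.csr")
    _openssl("req", "-new", "-newkey", f"rsa:{bits}", "-nodes",
             "-keyout", key, "-out", csr, "-subj", f"/CN={common_name}")
    os.chmod(key, 0o600)  # the new key is the secret; keep it private
    return key, csr


def self_sign(key, out_dir, common_name, days=30):
    """Issue a self-signed certificate for a key. Stands in for the CA
    step here; the check below does not care who signed the certificate."""
    crt = os.path.join(out_dir, "server.crt")
    _openssl("req", "-x509", "-new", "-key", key, "-days", str(days),
             "-subj", f"/CN={common_name}", "-out", crt)
    return crt


def rotation_ok(old_key, new_key, new_cert):
    """True only if the new key differs from the old one AND the certificate
    about to be imported was issued for the new key, not the old one."""
    old, new = spki_sha256(old_key), spki_sha256(new_key)
    return old != new and spki_sha256(new_cert) == new


def demo(work_dir=None):
    """Build an old key, a new key, a certificate on the new key and a
    stale certificate re-issued on the old key; returns their paths."""
    work_dir = work_dir or tempfile.mkdtemp(prefix="nas-cert-")
    old_dir, new_dir = os.path.join(work_dir, "old"), os.path.join(work_dir, "new")
    os.makedirs(old_dir, exist_ok=True)
    os.makedirs(new_dir, exist_ok=True)
    old_key, old_csr = new_key_and_csr(old_dir, "nas.example.com")
    new_key, new_csr = new_key_and_csr(new_dir, "nas.example.com")
    return {
        "old_key": old_key, "old_csr": old_csr,
        "new_key": new_key, "new_csr": new_csr,
        "good_cert": self_sign(new_key, new_dir, "nas.example.com"),
        "stale_cert": self_sign(old_key, old_dir, "nas.example.com"),
    }


if __name__ == "__main__":
    p = demo()
    print("new key + matching cert:", rotation_ok(p["old_key"], p["new_key"], p["good_cert"]))
    print("cert re-issued on old key:", rotation_ok(p["old_key"], p["new_key"], p["stale_cert"]))
```

Run it against the real files by calling rotation_ok with the key you exported before the update, the server.key DSM generated during Renew certificate, and the certificate the CA returned; a False result means the pair should not be imported.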
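The RSS source that follows is the machine-readable form of this advisory list, and the pieces a tracker needs are in each item: the Synology-SA identifier and product in the title, the ZDI-CAN case numbers in the description, and the sentence saying an update "will be published within 30 days", which marks an advisory whose fix is still pending. The parser below is an added example, not Synology's code: it reads the feed with the standard library, extracts those fields, inverts the ZDI mapping so that one PWN2OWN finding reported against several products shows up as one case, and lists advisories with pending fixes. The embedded sample is three items copied from the feed on this page and trimmed to the elements the parser reads; it is constructed for the example, not fetched live.

```python
"""Parse a Synology advisory RSS feed into trackable records.

Added example, not Synology code. Uses only the standard library.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime

# Constructed sample: three items from the feed on this page, trimmed to the
# elements the parser uses (a live fetch would return the full channel).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>Synology Product Security Advisory</title>
<item>
<title>Synology-SA-24:23 BeeStation (PWN2OWN 2024)</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_23</link>
<description><![CDATA[ The vulnerability reported in ZDI-CAN-25403 allows remote attackers to execute arbitrary code. The vulnerability reported in ZDI-CAN-25613 allows remote attackers to read specific files. The vulnerability reported in ZDI-CAN-25617 allows an adjacent man-in-the-middle attacker to write specific files. ]]></description>
<pubDate>Tue, 05 Nov 2024 15:16:36 +0800</pubDate>
</item>
<item>
<title>Synology-SA-24:21 Synology Drive Server (PWN2OWN 2024)</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_21</link>
<description><![CDATA[ Multiple vulnerabilities allow remote attackers to hijack web sessions and inject SQL commands via a susceptible version of Synology Drive Server. The vulnerability reported by PWN2OWN 2024 (ZDI-CAN-25613) has been addressed. Update of Synology Drive Server for DSM 7.2.1 and Synology Drive Server for DSM 7.1 will be published within 30 days. ]]></description>
<pubDate>Tue, 05 Nov 2024 15:15:34 +0800</pubDate>
</item>
<item>
<title>Synology-SA-24:20 DSM (PWN2OWN 2024)</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_20</link>
<description><![CDATA[ The vulnerability reported in ZDI-CAN-25403 allows remote attackers to execute arbitrary code. Updates of DSM 7.2.1, DSM 7.1 and DSMUC 3.1 will be published within 30 days. ]]></description>
<pubDate>Tue, 05 Nov 2024 15:15:05 +0800</pubDate>
</item>
</channel></rss>
"""

# Title shape seen in the feed: "<SA id> <product> [(PWN2OWN <year>)]"
ADVISORY_RE = re.compile(r"^(Synology-SA-\d{2}:\d{2})\s+(.*?)(?:\s+\(PWN2OWN \d{4}\))?$")
ZDI_RE = re.compile(r"ZDI-CAN-\d+")
PENDING_RE = re.compile(r"will be published within \d+ days", re.I)


@dataclass
class Advisory:
    sa_id: str
    product: str
    link: str
    published: datetime        # timezone-aware, parsed from pubDate
    zdi_ids: tuple             # sorted, de-duplicated ZDI-CAN case IDs
    fix_pending: bool          # advisory still promises a future update


def parse_feed(xml_text):
    """Return one Advisory per <item> whose title follows the SA pattern;
    items with other titles are skipped rather than guessed at."""
    root = ET.fromstring(xml_text)
    out = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        m = ADVISORY_RE.match(title)
        if not m:
            continue
        desc = (item.findtext("description") or "").strip()  # CDATA comes back as text
        out.append(Advisory(
            sa_id=m.group(1),
            product=m.group(2),
            link=(item.findtext("link") or "").strip(),
            published=parsedate_to_datetime((item.findtext("pubDate") or "").strip()),
            zdi_ids=tuple(sorted(set(ZDI_RE.findall(desc)))),
            fix_pending=bool(PENDING_RE.search(desc)),
        ))
    return out


def by_zdi_case(advisories):
    """Invert the mapping: ZDI case -> advisories citing it. One PWN2OWN
    finding often appears under several products, as above."""
    idx = {}
    for a in advisories:
        for z in a.zdi_ids:
            idx.setdefault(z, []).append(a.sa_id)
    return idx


def pending_fixes(advisories):
    """Advisory IDs whose text still announces an update to come."""
    return [a.sa_id for a in advisories if a.fix_pending]


if __name__ == "__main__":
    advs = parse_feed(SAMPLE_FEED)
    for a in advs:
        print(a.sa_id, a.product, a.published.date(), a.zdi_ids,
              "PENDING" if a.fix_pending else "addressed")
    print(by_zdi_case(advs))
    print("pending:", pending_fixes(advs))
```

To run it against the live feed, pass the body of https://www.synology.cn/api/rssfeed/security/zh-cn (the atom:link in the source below) to parse_feed instead of SAMPLE_FEED; the pending list is the set to re-check after the 30-day window.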
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>Synology Product Security Advisory</title>
<link>https://www.synology.cn/zh-cn/support/security</link>
<description>
<![CDATA[ Synology Product Security Advisory Feed. ]]>
</description>
<atom:link href="https://www.synology.cn/api/rssfeed/security/zh-cn" rel="self" type="application/rss+xml"/>
<lastBuildDate>Thu, 21 Nov 2024 19:06:18 +0800</lastBuildDate>
<pubDate>Thu, 14 Nov 2024 16:28:21 +0800</pubDate>
<item>
<title>Synology-SA-24:24 Synology Camera (PWN2OWN 2024)</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_24</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to execute arbitrary code or arbitrary commands on a susceptible version of Synology Camera BC500 Firmware, Synology Camera CC400W Firmware and Synology Camera TC500 Firmware. The vulnerability reported by PWN2OWN 2024 (ZDI-CAN-25538) has been addressed. ]]>
</description>
<pubDate>Thu, 14 Nov 2024 16:28:21 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_24</guid>
</item>
<item>
<title>Synology-SA-24:23 BeeStation (PWN2OWN 2024)</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_23</link>
<description>
<![CDATA[ The vulnerability reported in ZDI-CAN-25403 allows remote attackers to execute arbitrary code. The vulnerability reported in ZDI-CAN-25613 allows remote attackers to read specific files. The vulnerability reported in ZDI-CAN-25617 allows an adjacent man-in-the-middle attacker to write specific files. ]]>
</description>
<pubDate>Tue, 05 Nov 2024 15:16:36 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_23</guid>
</item>
<item>
<title>Synology-SA-24:22 Replication Service (PWN2OWN 2024)</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_22</link>
<description>
<![CDATA[ A vulnerability allows a remote attacker to execute arbitrary commands via a susceptible version of Replication Service. The vulnerability reported by PWN2OWN 2024 (ZDI-CAN-25607) has been addressed. ]]>
</description>
<pubDate>Tue, 05 Nov 2024 15:16:05 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_22</guid>
</item>
<item>
<title>Synology-SA-24:21 Synology Drive Server (PWN2OWN 2024)</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_21</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to hijack web sessions and inject SQL commands via a susceptible version of Synology Drive Server. The vulnerability reported by PWN2OWN 2024 (ZDI-CAN-25613) has been addressed. Update of Synology Drive Server for DSM 7.2.1 and Synology Drive Server for DSM 7.1 will be published within 30 days. ]]>
</description>
<pubDate>Tue, 05 Nov 2024 15:15:34 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_21</guid>
</item>
<item>
<title>Synology-SA-24:20 DSM (PWN2OWN 2024)</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_20</link>
<description>
<![CDATA[ The vulnerability reported in ZDI-CAN-25403 allows remote attackers to execute arbitrary code. The vulnerability reported in ZDI-CAN-25613 allows remote attackers to read specific files. The vulnerability reported in ZDI-CAN-25617 allows an adjacent man-in-the-middle attacker to write specific files. Updates of DSM 7.2.1, DSM 7.1 and DSMUC 3.1 will be published within 30 days. ]]>
</description>
<pubDate>Tue, 05 Nov 2024 15:15:05 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_20</guid>
</item>
<item>
<title>Synology-SA-24:19 Synology Photos (PWN2OWN 2024)</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_19</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary code. The vulnerability reported by PWN2OWN 2024 (ZDI-CAN-25623) has been addressed. ]]>
</description>
<pubDate>Fri, 25 Oct 2024 13:55:04 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_19</guid>
</item>
<item>
<title>Synology-SA-24:18 BeePhotos (PWN2OWN 2024)</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_18</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary code. The vulnerability reported by PWN2OWN 2024 (ZDI-CAN-25623) has been addressed. ]]>
</description>
<pubDate>Fri, 25 Oct 2024 13:51:53 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_18</guid>
</item>
<item>
<title>Synology-SA-24:17 Synology Camera</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_17</link>
<description>
<![CDATA[ The vulnerabilities allow remote attackers to execute arbitrary code, bypass security constraints and conduct denial-of-service attacks via a susceptible version of Synology Camera BC500 Firmware, Synology Camera TC500 Firmware and Synology Camera CC400W Firmware. ]]>
</description>
<pubDate>Fri, 18 Oct 2024 16:23:38 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_17</guid>
</item>
<item>
<title>Synology-SA-24:16 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_16</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote authenticated users to read specific files containing non-sensitive information, and remote authenticated users with admin privileges to execute arbitrary code, execute arbitrary commands and inject arbitrary web script or HTML via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Fri, 18 Oct 2024 13:43:07 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_16</guid>
</item>
<item>
<title>Synology-SA-24:15 BeeStation</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_15</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Synology BeeStation Manager (BSM). ]]>
</description>
<pubDate>Thu, 17 Oct 2024 14:23:28 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_15</guid>
</item>
<item>
<title>Synology-SA-24:14 Synology Photos</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_14</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote authenticated users to read specific files, remote authenticated users to delete specific files and remote authenticated users to obtain non-sensitive information. ]]>
</description>
<pubDate>Wed, 16 Oct 2024 13:55:20 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_14</guid>
</item>
<item>
<title>Synology-SA-24:13 BeePhotos</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_13</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote authenticated users to read specific files, remote authenticated users to delete specific files and remote authenticated users to obtain non-sensitive information. ]]>
</description>
<pubDate>Wed, 16 Oct 2024 13:54:36 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_13</guid>
</item>
<item>
<title>Synology-SA-24:12 GitLab</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_12</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to bypass authentication via a susceptible version of GitLab. ]]>
</description>
<pubDate>Wed, 09 Oct 2024 08:51:30 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_12</guid>
</item>
<item>
<title>Synology-SA-24:11 Synology Active Backup for Business Agent</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_11</link>
<description>
<![CDATA[ Multiple vulnerabilities allow adjacent man-in-the-middle attackers to obtain user credentials, local users to conduct denial-of-service attacks, and local users to obtain user credentials via a susceptible version of Synology Active Backup for Business Agent. ]]>
</description>
<pubDate>Thu, 26 Sep 2024 11:39:39 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_11</guid>
</item>
<item>
<title>Synology-SA-24:10 Synology Drive Client</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_10</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to conduct denial-of-service attacks, remote authenticated users to obtain sensitive information, local users to execute arbitrary commands, local users with administrator privileges to execute arbitrary commands, and local users with administrator privileges to conduct denial-of-service attacks via a susceptible version of Synology Drive Client. ]]>
</description>
<pubDate>Thu, 26 Sep 2024 11:30:21 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_10</guid>
</item>
<item>
<title>Synology-SA-24:09 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_09</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Mon, 09 Sep 2024 11:51:10 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_09</guid>
</item>
<item>
<title>Synology-SA-24:08 regreSSHion</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_08</link>
<description>
<![CDATA[ None of Synology's products are affected by CVE-2024-6387 as this vulnerability only affects portable OpenSSH versions before 4.4p1 and from 8.5p1 up to, but not including, the fixed release 9.8p1. ]]>
</description>
<pubDate>Tue, 02 Jul 2024 14:25:22 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_08</guid>
</item>
<item>
<title>Synology-SA-24:07 Synology Camera</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_07</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to conduct denial-of-service attacks via a susceptible version of Synology Camera BC500 Firmware and Synology Camera TC500 Firmware. ]]>
</description>
<pubDate>Mon, 27 May 2024 16:41:30 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_07</guid>
</item>
<item>
<title>Synology-SA-24:06 XZ Utils</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_06</link>
<description>
<![CDATA[ None of Synology's products are affected by CVE-2024-3094 as this vulnerability only affects XZ Utils 5.6.0 and 5.6.1. ]]>
</description>
<pubDate>Mon, 01 Apr 2024 12:02:16 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_06</guid>
</item>
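<![CDATA[ The two "not affected" notices above (Synology-SA-24:08 for CVE-2024-6387 in OpenSSH and Synology-SA-24:06 for CVE-2024-3094 in XZ Utils) both reduce to a version-range question. The following is an added example for this page, not Synology's code, that turns the affected ranges the advisories state into a triage check over `ssh -V` output, SSH protocol banners and `xz --version` output. The 9.8p1 upper bound for regreSSHion is the upstream fix release; the sample banners are constructed, not captured from real hosts. The check treats a distribution-suffixed OpenSSH build inside the range as "verify", because distributions backport fixes without bumping the upstream version string.

```python
"""Version-range triage for CVE-2024-6387 (OpenSSH, regreSSHion) and
CVE-2024-3094 (XZ Utils). Added example; not Synology code."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED = "affected"
NOT_AFFECTED = "not affected"
UNKNOWN = "unknown"
VERIFY = "possibly affected (vendor build; check for a backported fix)"

# Half-open ranges [low, high) of portable OpenSSH releases affected by
# CVE-2024-6387: before 4.4p1, and again from 8.5p1 until the 9.8p1 fix.
# 4.4p1 through 8.4p1 carry the earlier fix for CVE-2006-5051.
OPENSSH_AFFECTED: List[Tuple[Version, Version]] = [
    ((0, 0, 0), (4, 4, 1)),
    ((8, 5, 1), (9, 8, 1)),
]

# CVE-2024-3094 is the backdoored release tarball; only these two shipped it.
XZ_AFFECTED = {(5, 6, 0), (5, 6, 1)}


def parse_openssh(banner: str) -> Optional[Tuple[Version, bool, str]]:
    """Extract (major, minor, portable patch), a portable flag and any vendor
    suffix from an `ssh -V` line or an "SSH-2.0-OpenSSH_..." protocol banner."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?[ \t]*([^,\s]*)", banner)
    if not m:
        return None
    portable = m.group(3) is not None  # the "pN" suffix marks a portable release
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, portable, m.group(4)


def openssh_status(banner: str) -> str:
    """Classify one OpenSSH version string against the CVE-2024-6387 ranges."""
    parsed = parse_openssh(banner)
    if parsed is None:
        return UNKNOWN
    version, portable, suffix = parsed
    if not portable:
        # OpenBSD's native sshd was not affected; the signal-handler race is
        # specific to the portable tree's syslog() use.
        return NOT_AFFECTED
    if not any(lo <= version < hi for lo, hi in OPENSSH_AFFECTED):
        return NOT_AFFECTED
    # A distribution suffix (e.g. "Ubuntu-...", "Debian-...") means the fix may
    # have been backported without changing the upstream version, so the match
    # is a lead to confirm against the vendor changelog, not a verdict.
    return VERIFY if suffix else AFFECTED


def xz_status(version_output: str) -> str:
    """Classify the first line of `xz --version` ("xz (XZ Utils) 5.6.1")."""
    m = re.search(r"XZ Utils\)\s+(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        return UNKNOWN
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return AFFECTED if version in XZ_AFFECTED else NOT_AFFECTED


if __name__ == "__main__":
    # Constructed sample strings, not captured from real hosts.
    samples = [
        "OpenSSH_9.8p1, OpenSSL 3.3.1 4 Jun 2024",
        "OpenSSH_8.4p1 Debian-5+deb11u3, OpenSSL 1.1.1w  11 Sep 2023",
        "SSH-2.0-OpenSSH_9.7p1",
        "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5",
        "SSH-2.0-OpenSSH_9.7",
    ]
    for s in samples:
        print(f"{s!r:60} -> {openssh_status(s)}")
    for s in ("xz (XZ Utils) 5.6.1", "xz (XZ Utils) 5.4.5"):
        print(f"{s!r:60} -> {xz_status(s)}")
```

Run it against the output of `ssh -V` (which writes to stderr) or the banner returned on port 22 to get a first cut; anything reported as "verify" needs the distribution's changelog or package advisory to settle. ]]>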
<item>
<title>Synology-SA-24:05 Synology Surveillance Station Client</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_05</link>
<description>
<![CDATA[ A vulnerability allows local users to execute arbitrary commands via a susceptible version of Synology Surveillance Station Client. ]]>
</description>
<pubDate>Thu, 28 Mar 2024 14:43:22 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_05</guid>
</item>
<item>
<title>Synology-SA-24:04 Surveillance Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_04</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote authenticated users to access intranet resources, bypass security constraints, conduct denial-of-service attacks, inject SQL commands, obtain privileges without consent, obtain sensitive information, and write specific files via a susceptible version of Surveillance Station. ]]>
</description>
<pubDate>Thu, 28 Mar 2024 14:07:31 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_04</guid>
</item>
<item>
<title>Synology-SA-24:03 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_03</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers or remote authenticated users to inject arbitrary web script or HTML, remote authenticated users to bypass security constraints, and remote authenticated users to read specific files via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Tue, 12 Mar 2024 14:15:45 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_03</guid>
</item>
<item>
<title>Synology-SA-24:02 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_02</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to conduct phishing attacks via a susceptible version of Synology DiskStation Manager (DSM). ]]>
</description>
<pubDate>Wed, 24 Jan 2024 18:08:36 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_02</guid>
</item>
<item>
<title>Synology-SA-24:01 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_24_01</link>
<description>
<![CDATA[ A vulnerability allows local users to execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM). Successful exploitation requires a user to download a malicious patch from a non-official Synology download site and install it manually. ]]>
</description>
<pubDate>Tue, 09 Jan 2024 12:01:13 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_24_01</guid>
</item>
<item>
<title>Synology-SA-23:16 SRM (PWN2OWN 2023)</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_23_16</link>
<description>
<![CDATA[ The vulnerabilities allow man-in-the-middle attackers to execute arbitrary code or access intranet resources via a susceptible version of Synology Router Manager (SRM). A vulnerability reported at PWN2OWN 2023 has been addressed. ]]>
</description>
<pubDate>Tue, 21 Nov 2023 10:19:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_23_16</guid>
</item>
<item>
<title>Synology-SA-23:15 Synology Camera (PWN2OWN 2023)</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_23_15</link>
<description>
<![CDATA[ The vulnerabilities allow remote attackers to execute arbitrary code and remote users to bypass security constraints via a susceptible version of Synology Camera BC500 Firmware and Synology Camera TC500 Firmware. The vulnerabilities reported at PWN2OWN 2023 have been addressed. ]]>
</description>
<pubDate>Mon, 20 Nov 2023 17:47:11 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_23_15</guid>
</item>
<item>
<title>Synology-SA-23:14 HTTP/2 Rapid Reset Attack</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_23_14</link>
<description>
<![CDATA[ None of Synology's products are affected by CVE-2023-44487. ]]>
</description>
<pubDate>Fri, 13 Oct 2023 14:13:17 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_23_14</guid>
</item>
<item>
<title>Synology-SA-23:13 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_23_13</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to bypass security constraints via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Thu, 21 Sep 2023 15:01:42 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_23_13</guid>
</item>
<item>
<title>Synology-SA-23:12 Synology SSL VPN Client</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_23_12</link>
<description>
<![CDATA[ A vulnerability allows local users to conduct denial-of-service attacks via a susceptible version of Synology SSL VPN Client. ]]>
</description>
<pubDate>Thu, 24 Aug 2023 17:57:48 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_23_12</guid>
</item>
<item>
<title>Synology-SA-23:11 Synology Camera</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_23_11</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Synology Camera BC500 Firmware and Synology Camera TC500 Firmware. ]]>
</description>
<pubDate>Thu, 17 Aug 2023 19:07:37 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_23_11</guid>
</item>
<item>
<title>Synology-SA-23:10 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_23_10</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to read specific files, obtain sensitive information, and inject arbitrary web script or HTML, man-in-the-middle attackers to bypass security constraints, and remote authenticated users to execute arbitrary commands and conduct denial-of-service attacks via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Thu, 27 Jul 2023 14:58:08 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_23_10</guid>
</item>
<item>
<title>Synology-SA-23:09 Mail Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_23_09</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to potentially inject SQL commands and inject arbitrary web scripts or HTML via a susceptible version of Mail Station. ]]>
</description>
<pubDate>Tue, 27 Jun 2023 17:43:29 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_23_09</guid>
</item>
<item>
<title>Synology-SA-23:08 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_23_08</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to obtain user credentials via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Tue, 13 Jun 2023 11:40:16 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_23_08</guid>
</item>
<item>
<title>Synology-SA-23:07 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_23_07</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to obtain user credentials via a susceptible version of Synology DiskStation Manager (DSM). ]]>
</description>
<pubDate>Tue, 13 Jun 2023 11:39:42 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_23_07</guid>
</item>
<item>
<title>Synology-SA-23:06 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_23_06</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to read arbitrary files via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Tue, 13 Jun 2023 11:36:51 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_23_06</guid>
</item>
<item>
<title>Synology-SA-23:05 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_23_05</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to read arbitrary files via a susceptible version of Synology DiskStation Manager (DSM). ]]>
</description>
<pubDate>Tue, 13 Jun 2023 11:36:31 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_23_05</guid>
</item>
<item>
<title>Synology-SA-23:04 VPN Plus Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_23_04</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to inject SQL commands via a susceptible version of Synology VPN Plus Server. ]]>
</description>
<pubDate>Thu, 04 May 2023 15:09:58 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_23_04</guid>
</item>
<item>
<title>Synology-SA-23:03 Netatalk</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_23_03</link>
<description>
<![CDATA[ None of Synology's products are affected by CVE-2022-43634. ]]>
</description>
<pubDate>Thu, 30 Mar 2023 16:37:45 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_23_03</guid>
</item>
<item>
<title>Synology-SA-23:02 Sudo</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_23_02</link>
<description>
<![CDATA[ A vulnerability allows local users to conduct privilege escalation attacks via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM). ]]>
</description>
<pubDate>Thu, 30 Mar 2023 16:17:07 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_23_02</guid>
</item>
<item>
<title>Synology-SA-23:01 ClamAV</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_23_01</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to possibly execute arbitrary code or local users to obtain sensitive information via a susceptible version of Antivirus Essential, Synology Mail Server, and Synology MailPlus Server. ]]>
</description>
<pubDate>Wed, 22 Feb 2023 15:13:35 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_23_01</guid>
</item>
<item>
<title>Synology-SA-22:26 VPN Plus Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_26</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to possibly execute arbitrary commands via a susceptible version of Synology VPN Plus Server. ]]>
</description>
<pubDate>Fri, 30 Dec 2022 18:25:08 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_26</guid>
</item>
<item>
<title>Synology-SA-22:25 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_25</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to execute arbitrary commands, conduct denial-of-service attacks or read arbitrary files via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Thu, 22 Dec 2022 13:44:47 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_25</guid>
</item>
<item>
<title>Synology-SA-22:24 Samba AD DC</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_24</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers or remote authenticated users to bypass security constraints via a susceptible version of Synology Directory Server. ]]>
</description>
<pubDate>Mon, 19 Dec 2022 17:45:31 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_24</guid>
</item>
<item>
<title>Synology-SA-22:23 PWN2OWN TORONTO 2022</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_23</link>
<description>
<![CDATA[ Multiple vulnerabilities reported by PWN2OWN TORONTO 2022 have been addressed. ]]>
</description>
<pubDate>Thu, 08 Dec 2022 16:57:24 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_23</guid>
</item>
<item>
<title>Synology-SA-22:22 Samba</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_22</link>
<description>
<![CDATA[ None of Synology's products are affected by CVE-2022-42898. ]]>
</description>
<pubDate>Thu, 17 Nov 2022 16:42:57 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_22</guid>
</item>
<item>
<title>Synology-SA-22:21 OpenSSL</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_21</link>
<description>
<![CDATA[ None of Synology's products are affected by CVE-2022-3602 and CVE-2022-3786 as these vulnerabilities only affect OpenSSL 3.0 and later. ]]>
</description>
<pubDate>Wed, 02 Nov 2022 10:46:49 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_21</guid>
</item>
<item>
<title>Synology-SA-22:20 Samba</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_20</link>
<description>
<![CDATA[ CVE-2022-3437 allows remote authenticated users to conduct denial-of-service attacks via a susceptible version of Synology DiskStation Manager (DSM), SMB Service and Synology Directory Server. None of Synology's products are affected by CVE-2022-3592 as this vulnerability only affects Samba 4.17 and later. ]]>
</description>
<pubDate>Thu, 27 Oct 2022 13:44:08 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_20</guid>
</item>
<item>
<title>Synology-SA-22:19 Presto File Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_19</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to write arbitrary files or remote authenticated users to bypass security constraints via a susceptible version of Presto File Server. ]]>
</description>
<pubDate>Tue, 25 Oct 2022 10:56:25 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_19</guid>
</item>
<item>
<title>Synology-SA-22:18 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_18</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to read or write arbitrary files or remote authenticated users to access intranet resources via a susceptible version of Synology DiskStation Manager (DSM). ]]>
</description>
<pubDate>Tue, 25 Oct 2022 10:56:21 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_18</guid>
</item>
<item>
<title>Synology-SA-22:17 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_17</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to obtain sensitive information or execute arbitrary commands via a susceptible version of DiskStation Manager (DSM). ]]>
</description>
<pubDate>Thu, 20 Oct 2022 13:53:15 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_17</guid>
</item>
<item>
<title>Synology-SA-22:16 ISC BIND</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_16</link>
<description>
<![CDATA[ None of Synology's products are affected by CVE-2022-2906 as this vulnerability only affects ISC BIND 9.18.0 and later. None of Synology's products are affected by CVE-2022-3080, CVE-2022-38177, or CVE-2022-38178 as these vulnerabilities only apply when specific features are enabled. ]]>
</description>
<pubDate>Tue, 27 Sep 2022 11:39:29 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_16</guid>
</item>
<item>
<title>Synology-SA-22:15 GLPI</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_15</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers or remote authenticated users to obtain sensitive information, inject arbitrary web script or HTML, or inject SQL commands via a susceptible version of GLPI. ]]>
</description>
<pubDate>Fri, 16 Sep 2022 14:27:56 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_15</guid>
</item>
<item>
<title>Synology-SA-22:14 USB Copy</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_14</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to read or write arbitrary files via a susceptible version of USB Copy. ]]>
</description>
<pubDate>Wed, 03 Aug 2022 11:21:59 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_14</guid>
</item>
<item>
<title>Synology-SA-22:13 SSO Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_13</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to read arbitrary files via a susceptible version of SSO Server. ]]>
</description>
<pubDate>Wed, 03 Aug 2022 11:15:26 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_13</guid>
</item>
<item>
<title>Synology-SA-22:12 Synology Note Station Client</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_12</link>
<description>
<![CDATA[ A vulnerability allows man-in-the-middle attackers to obtain sensitive information via a susceptible version of Synology Note Station Client. ]]>
</description>
<pubDate>Wed, 03 Aug 2022 10:44:45 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_12</guid>
</item>
<item>
<title>Synology-SA-22:11 Storage Analyzer</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_11</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to delete arbitrary files via a susceptible version of Storage Analyzer. ]]>
</description>
<pubDate>Wed, 03 Aug 2022 10:21:30 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_11</guid>
</item>
<item>
<title>Synology-SA-22:10 Samba</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_10</link>
<description>
<![CDATA[ CVE-2022-32742 allows remote authenticated users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM) and SMB Service. CVE-2022-2031, CVE-2022-32744, and CVE-2022-32746 allow remote authenticated users to bypass security constraints and conduct denial-of-service attacks via a susceptible version of Synology Directory Server. None of Synology's products are affected by CVE-2022-32745 as this vulnerability only affects Samba 4.13 and later. ]]>
</description>
<pubDate>Fri, 29 Jul 2022 15:12:19 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_10</guid>
</item>
<item>
<title>Synology-SA-22:09 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_09</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote authenticated users to inject SQL commands or read and write arbitrary files via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Thu, 23 Jun 2022 13:49:58 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_09</guid>
</item>
<item>
<title>Synology-SA-22:08 ISC BIND</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_08</link>
<description>
<![CDATA[ None of Synology's products are affected by CVE-2022-1183 as this vulnerability only affects ISC BIND 9.18.0 and later. ]]>
</description>
<pubDate>Fri, 20 May 2022 11:36:27 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_08</guid>
</item>
<item>
<title>Synology-SA-22:07 Synology Calendar</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_07</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to inject arbitrary web script or HTML via a susceptible version of Synology Calendar. ]]>
</description>
<pubDate>Tue, 17 May 2022 14:18:27 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_07</guid>
</item>
<item>
<title>Synology-SA-22:06 Netatalk</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_06</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM). ]]>
</description>
<pubDate>Thu, 28 Apr 2022 13:32:54 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_06</guid>
</item>
<item>
<title>Synology-SA-22:05 Spring4Shell</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_05</link>
<description>
<![CDATA[ None of Synology's products are affected as these vulnerabilities only affect products equipped with Spring Cloud Function or Spring Framework and Java Development Kit (JDK) versions 9 and later. ]]>
</description>
<pubDate>Wed, 06 Apr 2022 16:04:22 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_05</guid>
</item>
<item>
<title>Synology-SA-22:04 OpenSSL</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_04</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to conduct denial-of-service attacks via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server. ]]>
</description>
<pubDate>Fri, 18 Mar 2022 17:49:23 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_04</guid>
</item>
<item>
<title>Synology-SA-22:03 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_03</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to execute arbitrary commands via a susceptible version of DiskStation Manager (DSM). ]]>
</description>
<pubDate>Tue, 22 Feb 2022 11:37:46 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_03</guid>
</item>
<item>
<title>Synology-SA-22:02 Samba</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_02</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM). ]]>
</description>
<pubDate>Thu, 27 Jan 2022 18:50:45 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_02</guid>
</item>
<item>
<title>Synology-SA-22:01 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_22_01</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers, or remote authenticated users to inject arbitrary web script or HTML via a susceptible version of DiskStation Manager (DSM). ]]>
</description>
<pubDate>Tue, 11 Jan 2022 15:46:17 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_22_01</guid>
</item>
<item>
<title>Synology-SA-21:30 Log4Shell</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_30</link>
<description>
<![CDATA[ None of Synology's products are affected as these vulnerabilities only affect products equipped with log4j 2. ]]>
</description>
<pubDate>Mon, 13 Dec 2021 18:29:31 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_30</guid>
</item>
<item>
<title>Synology-SA-21:29 Samba</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_29</link>
<description>
<![CDATA[ CVE-2016-2124 and CVE-2020-25717 allow remote authenticated users and man-in-the-middle attackers to obtain sensitive information and bypass security constraints via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM) and SMB Service. CVE-2020-25718, CVE-2020-25719, CVE-2020-25721, CVE-2020-25722, CVE-2021-3738 and CVE-2021-23192 allow remote authenticated users and man-in-the-middle attackers to bypass security constraints and conduct denial-of-service attacks via a susceptible version of Synology Directory Server. ]]>
</description>
<pubDate>Wed, 17 Nov 2021 16:39:06 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_29</guid>
</item>
<item>
<title>Synology-SA-21:28 Mail Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_28</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to execute arbitrary commands via a susceptible version of Mail Station. ]]>
</description>
<pubDate>Tue, 16 Nov 2021 15:16:11 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_28</guid>
</item>
<item>
<title>Synology-SA-21:27 ISC BIND</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_27</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to conduct denial-of-service attacks via a susceptible version of Synology DNS Server. ]]>
</description>
<pubDate>Mon, 01 Nov 2021 18:33:53 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_27</guid>
</item>
<item>
<title>Synology-SA-21:26 Photo Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_26</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to bypass security constraints via a susceptible version of Photo Station. ]]>
</description>
<pubDate>Tue, 07 Sep 2021 10:03:01 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_26</guid>
</item>
<item>
<title>Synology-SA-21:25 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_25</link>
<description>
<![CDATA[ Multiple vulnerabilities allow local users to execute arbitrary commands via a susceptible version of DiskStation Manager (DSM). ]]>
</description>
<pubDate>Tue, 31 Aug 2021 15:10:26 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_25</guid>
</item>
<item>
<title>Synology-SA-21:24 OpenSSL</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_24</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to conduct denial-of-service attacks or possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server. ]]>
</description>
<pubDate>Thu, 26 Aug 2021 09:14:55 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_24</guid>
</item>
<item>
<title>Synology-SA-21:23 ISC BIND</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_23</link>
<description>
<![CDATA[ None of Synology's products are affected by CVE-2021-25218, as this vulnerability only affects ISC BIND 9.16.19 and later. ]]>
</description>
<pubDate>Fri, 20 Aug 2021 10:43:23 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_23</guid>
</item>
<item>
<title>Synology-SA-21:22 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_22</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote authenticated users to execute arbitrary commands, or remote attackers to write arbitrary files via a susceptible version of DiskStation Manager (DSM). ]]>
</description>
<pubDate>Tue, 17 Aug 2021 10:25:46 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_22</guid>
</item>
<item>
<title>Synology-SA-21:21 Audio Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_21</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary commands via a susceptible version of Audio Station. ]]>
</description>
<pubDate>Wed, 16 Jun 2021 16:05:29 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_21</guid>
</item>
<item>
<title>Synology-SA-21:20 FragAttacks</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_20</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to forge encrypted frames or conduct denial-of-service attacks, and allow man-in-the-middle attackers to forge encrypted frames, via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Wed, 12 May 2021 18:26:08 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_20</guid>
</item>
<item>
<title>Synology-SA-21:19 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_19</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to execute arbitrary commands via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Tue, 11 May 2021 14:23:32 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_19</guid>
</item>
<item>
<title>Synology-SA-21:18 Hyper Backup</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_18</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Hyper Backup. ]]>
</description>
<pubDate>Tue, 04 May 2021 11:10:37 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_18</guid>
</item>
<item>
<title>Synology-SA-21:17 Samba</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_17</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to bypass security constraints via a susceptible version of DiskStation Manager (DSM) or Synology Router Manager (SRM). ]]>
</description>
<pubDate>Mon, 03 May 2021 10:54:54 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_17</guid>
</item>
<item>
<title>Synology-SA-21:16 ISC BIND</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_16</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to obtain sensitive information or conduct denial-of-service attacks via a susceptible version of Synology DNS Server. ]]>
</description>
<pubDate>Mon, 03 May 2021 10:34:51 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_16</guid>
</item>
<item>
<title>Synology-SA-21:15 Antivirus Essential</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_15</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to obtain privileges without consent via a susceptible version of Antivirus Essential. ]]>
</description>
<pubDate>Wed, 28 Apr 2021 08:12:48 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_15</guid>
</item>
<item>
<title>Synology-SA-21:14 OpenSSL</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_14</link>
<description>
<![CDATA[ None of Synology's products are affected as these vulnerabilities only affect OpenSSL 1.1.1 and later. ]]>
</description>
<pubDate>Mon, 29 Mar 2021 08:56:36 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_14</guid>
</item>
<item>
<title>Synology-SA-21:13 Samba AD DC</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_13</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers and remote authenticated users to conduct denial-of-service attacks via a susceptible version of Synology Directory Server. ]]>
</description>
<pubDate>Fri, 26 Mar 2021 15:29:59 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_13</guid>
</item>
<item>
<title>Synology-SA-21:12 Synology Calendar</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_12</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to bypass security constraints via a susceptible version of Synology Calendar. ]]>
</description>
<pubDate>Tue, 23 Mar 2021 11:43:54 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_12</guid>
</item>
<item>
<title>Synology-SA-21:11 Download Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_11</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Download Station. ]]>
</description>
<pubDate>Tue, 09 Mar 2021 08:28:24 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_11</guid>
</item>
<item>
<title>Synology-SA-21:10 Media Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_10</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to access intranet resources via a susceptible version of Media Server. ]]>
</description>
<pubDate>Tue, 09 Mar 2021 08:27:59 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_10</guid>
</item>
<item>
<title>Synology-SA-21:09 WebDAV Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_09</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to delete arbitrary files via a susceptible version of WebDAV Server. ]]>
</description>
<pubDate>Tue, 23 Feb 2021 11:18:19 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_09</guid>
</item>
<item>
<title>Synology-SA-21:08 Docker</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_08</link>
<description>
<![CDATA[ A vulnerability allows local users to read or write arbitrary files via a susceptible version of Docker. ]]>
</description>
<pubDate>Tue, 23 Feb 2021 11:18:06 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_08</guid>
</item>
<item>
<title>Synology-SA-21:07 LDAP Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_07</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Synology Directory Server. ]]>
</description>
<pubDate>Tue, 23 Feb 2021 11:17:51 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_07</guid>
</item>
<item>
<title>Synology-SA-21:06 CardDAV Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_06</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to execute arbitrary SQL commands via a susceptible version of CardDAV Server. ]]>
</description>
<pubDate>Tue, 23 Feb 2021 11:17:26 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_06</guid>
</item>
<item>
<title>Synology-SA-21:05 Audio Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_05</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Audio Station. ]]>
</description>
<pubDate>Tue, 23 Feb 2021 09:52:31 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_05</guid>
</item>
<item>
<title>Synology-SA-21:04 Video Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_04</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to access intranet resources via a susceptible version of Video Station. ]]>
</description>
<pubDate>Tue, 23 Feb 2021 09:17:09 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_04</guid>
</item>
<item>
<title>Synology-SA-21:03 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_03</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to obtain sensitive information or local users to execute arbitrary code via a susceptible version of DiskStation Manager (DSM). ]]>
</description>
<pubDate>Tue, 23 Feb 2021 09:15:43 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_03</guid>
</item>
<item>
<title>Synology-SA-21:02 Sudo</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_02</link>
<description>
<![CDATA[ A vulnerability allows local users to conduct privilege escalation attacks via a susceptible version of Synology DiskStation Manager (DSM). ]]>
</description>
<pubDate>Mon, 22 Feb 2021 10:44:30 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_02</guid>
</item>
<item>
<title>Synology-SA-21:01 DNSpooq</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_21_01</link>
<description>
<![CDATA[ CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686 allow remote attackers to conduct spoofing attacks via a susceptible version of DiskStation Manager (DSM) and Synology Router Manager (SRM). None of Synology's products are affected by CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687, as these vulnerabilities only apply to builds compiled with DNSSEC support. ]]>
</description>
<pubDate>Wed, 20 Jan 2021 10:22:07 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_21_01</guid>
</item>
<item>
<title>Synology-SA-20:29 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_29</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to obtain sensitive information via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Tue, 29 Dec 2020 14:11:27 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_29</guid>
</item>
<item>
<title>Synology-SA-20:28 File Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_28</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to read arbitrary files via a susceptible version of File Station. ]]>
</description>
<pubDate>Tue, 15 Dec 2020 15:20:59 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_28</guid>
</item>
<item>
<title>Synology-SA-20:27 DNS Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_27</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to delete arbitrary files via a susceptible version of DNS Server. ]]>
</description>
<pubDate>Tue, 08 Dec 2020 14:29:55 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_27</guid>
</item>
<item>
<title>Synology-SA-20:26 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_26</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of DiskStation Manager (DSM). ]]>
</description>
<pubDate>Thu, 26 Nov 2020 11:52:20 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_26</guid>
</item>
<item>
<title>Synology-SA-20:25 Safe Access</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_25</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of Safe Access. ]]>
</description>
<pubDate>Tue, 24 Nov 2020 11:52:27 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_25</guid>
</item>
<item>
<title>Synology-SA-20:24 Media Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_24</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of Media Server. ]]>
</description>
<pubDate>Tue, 20 Oct 2020 16:00:49 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_24</guid>
</item>
<item>
<title>Synology-SA-20:23 Download Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_23</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Download Station. ]]>
</description>
<pubDate>Tue, 20 Oct 2020 15:58:46 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_23</guid>
</item>
<item>
<title>Synology-SA-20:22 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_22</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to bypass security constraints via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Thu, 24 Sep 2020 10:28:53 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_22</guid>
</item>
<item>
<title>Synology-SA-20:21 Zerologon</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_21</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to bypass security constraints via a susceptible version of Synology Directory Server. ]]>
</description>
<pubDate>Thu, 17 Sep 2020 17:05:34 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_21</guid>
</item>
<item>
<title>Synology-SA-20:20 Photo Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_20</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of Photo Station. ]]>
</description>
<pubDate>Tue, 15 Sep 2020 16:25:29 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_20</guid>
</item>
<item>
<title>Synology-SA-20:19 ISC BIND</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_19</link>
<description>
<![CDATA[ CVE-2020-8622 allows remote authenticated users to conduct denial-of-service attacks via a susceptible version of DNS Server. None of Synology's products are affected by CVE-2020-8620, CVE-2020-8621, CVE-2020-8623, or CVE-2020-8624 as these vulnerabilities only affect ISC BIND 9.9.12 and later. ]]>
</description>
<pubDate>Mon, 24 Aug 2020 18:32:20 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_19</guid>
</item>
<item>
<title>Synology-SA-20:18 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_18</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to conduct man-in-the-middle attacks via a susceptible version of Synology DiskStation Manager (DSM). ]]>
</description>
<pubDate>Thu, 16 Jul 2020 12:14:19 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_18</guid>
</item>
<item>
<title>Synology-SA-20:17 Samba AD DC</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_17</link>
<description>
<![CDATA[ CVE-2020-10745 and CVE-2020-14303 allow remote attackers to conduct denial-of-service attacks via a susceptible version of Synology Directory Server. None of Synology's products are affected by CVE-2020-10730 or CVE-2020-10760 as these vulnerabilities only affect Samba 4.5.0 and later. ]]>
</description>
<pubDate>Mon, 06 Jul 2020 18:34:08 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_17</guid>
</item>
<item>
<title>Synology-SA-20:16 ISC BIND</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_16</link>
<description>
<![CDATA[ None of Synology's products are affected as these vulnerabilities only affect ISC BIND 9.11.14 and later. ]]>
</description>
<pubDate>Fri, 19 Jun 2020 18:27:34 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_16</guid>
</item>
<item>
<title>Synology-SA-20:15 Ripple20</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_15</link>
<description>
<![CDATA[ None of Synology's products are affected as these vulnerabilities only affect products equipped with Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). ]]>
</description>
<pubDate>Thu, 18 Jun 2020 18:48:28 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_15</guid>
</item>
<item>
<title>Synology-SA-20:14 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_14</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Thu, 18 Jun 2020 14:49:29 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_14</guid>
</item>
<item>
<title>Synology-SA-20:13 CallStranger</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_13</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to obtain sensitive information or conduct denial-of-service attacks via a susceptible version of Synology Router Manager (SRM) or Media Server. ]]>
</description>
<pubDate>Tue, 16 Jun 2020 18:39:57 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_13</guid>
</item>
<item>
<title>Synology-SA-20:12 NXNSAttack</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_12</link>
<description>
<![CDATA[ CVE-2020-8616 allows remote attackers to conduct denial-of-service attacks via a susceptible version of DNS Server. None of Synology's products are affected by CVE-2020-12662, as that vulnerability only applies when the Unbound DNS resolver is enabled. ]]>
</description>
<pubDate>Thu, 21 May 2020 19:37:26 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_12</guid>
</item>
<item>
<title>Synology-SA-20:11 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_11</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to conduct denial-of-service attacks via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Mon, 04 May 2020 17:57:19 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_11</guid>
</item>
<item>
<title>Synology-SA-20:10 WordPress</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_10</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a susceptible version of WordPress. ]]>
</description>
<pubDate>Mon, 04 May 2020 17:48:13 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_10</guid>
</item>
<item>
<title>Synology-SA-20:09 Samba AD DC</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_09</link>
<description>
<![CDATA[ CVE-2020-10704 allows remote attackers to conduct denial-of-service attacks via a susceptible version of Synology Directory Server. None of Synology's products are affected by CVE-2020-10700, as this vulnerability only affects Samba 4.10.0 and later. ]]>
</description>
<pubDate>Wed, 29 Apr 2020 18:27:50 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_09</guid>
</item>
<item>
<title>Synology-SA-20:08 Cloud Station Backup</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_08</link>
<description>
<![CDATA[ A vulnerability allows local users to execute arbitrary code via a susceptible version of Cloud Station Backup. ]]>
</description>
<pubDate>Wed, 29 Apr 2020 18:25:10 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_08</guid>
</item>
<item>
<title>Synology-SA-20:07 Synology Calendar</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_07</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote authenticated users to download arbitrary files or hijack the authentication of administrators via a susceptible version of Synology Calendar. ]]>
</description>
<pubDate>Wed, 29 Apr 2020 18:23:24 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_07</guid>
</item>
<item>
<title>Synology-SA-20:06 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_06</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote authenticated users to conduct denial-of-service attacks or obtain user credentials via a susceptible version of Synology DiskStation Manager (DSM). ]]>
</description>
<pubDate>Wed, 29 Apr 2020 18:22:25 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_06</guid>
</item>
<item>
<title>Synology-SA-20:05 OpenSSL</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_05</link>
<description>
<![CDATA[ None of Synology's products are affected, as CVE-2020-1967 only affects OpenSSL 1.1.1 and later. ]]>
</description>
<pubDate>Fri, 24 Apr 2020 18:53:52 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_05</guid>
</item>
<item>
<title>Synology-SA-20:04 Drupal</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_04</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Drupal. ]]>
</description>
<pubDate>Mon, 30 Mar 2020 17:05:58 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_04</guid>
</item>
<item>
<title>Synology-SA-20:03 Kr00k</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_03</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to obtain sensitive information via a susceptible version of Synology Router Manager (SRM) that is equipped with Broadcom BCM43460. ]]>
</description>
<pubDate>Wed, 11 Mar 2020 19:08:54 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_03</guid>
</item>
<item>
<title>Synology-SA-20:02 PPP</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_02</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of DiskStation Manager (DSM) or Synology Router Manager (SRM). ]]>
</description>
<pubDate>Fri, 06 Mar 2020 10:40:29 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_02</guid>
</item>
<item>
<title>Synology-SA-20:01 Samba</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_20_01</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote authenticated users to bypass security constraints via a susceptible version of Synology Directory Server, or allow remote attackers to conduct denial-of-service attacks via a susceptible version of DiskStation Manager (DSM) or Synology Router Manager (SRM). None of Synology's products are affected by CVE-2019-19344, as that vulnerability only affects Samba 4.9 and later. ]]>
</description>
<pubDate>Wed, 22 Jan 2020 17:52:36 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_20_01</guid>
</item>
<item>
<title>Synology-SA-19:43 Drupal</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_43</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to upload arbitrary files via a susceptible version of Drupal. ]]>
</description>
<pubDate>Mon, 23 Dec 2019 13:27:15 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_43</guid>
</item>
<item>
<title>Synology-SA-19:42 Intel Processor Vulnerability</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_42</link>
<description>
<![CDATA[ A vulnerability allows local users to conduct denial-of-service attacks, obtain sensitive information, or conduct privilege escalation attacks via a susceptible version of DiskStation Manager (DSM). ]]>
</description>
<pubDate>Fri, 20 Dec 2019 15:08:42 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_42</guid>
</item>
<item>
<title>Synology-SA-19:41 WordPress</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_41</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML, or to bypass security constraints, via a susceptible version of WordPress. ]]>
</description>
<pubDate>Fri, 20 Dec 2019 15:08:08 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_41</guid>
</item>
<item>
<title>Synology-SA-19:40 Samba AD DC</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_40</link>
<description>
<![CDATA[ CVE-2019-14861 and CVE-2019-14870 allow remote authenticated users to conduct denial-of-service attacks or bypass security constraints via a susceptible version of Synology Directory Server. ]]>
</description>
<pubDate>Thu, 12 Dec 2019 08:57:52 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_40</guid>
</item>
<item>
<title>Synology-SA-19:39 ISC BIND</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_39</link>
<description>
<![CDATA[ None of Synology's products are affected by CVE-2019-6477, as this vulnerability only affects ISC BIND 9.11.0 and later. ]]>
</description>
<pubDate>Tue, 26 Nov 2019 16:56:55 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_39</guid>
</item>
<item>
<title>Synology-SA-19:38 Synology Assistant</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_38</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to conduct denial-of-service attacks via a susceptible version of Synology Assistant. ]]>
</description>
<pubDate>Tue, 12 Nov 2019 14:33:12 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_38</guid>
</item>
<item>
<title>Synology-SA-19:37 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_37</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote authenticated users to execute arbitrary commands or conduct denial-of-service attacks, or allow remote attackers to delete arbitrary files via a susceptible version of DiskStation Manager (DSM). ]]>
</description>
<pubDate>Tue, 05 Nov 2019 15:29:10 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_37</guid>
</item>
<item>
<title>Synology-SA-19:36 PHP</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_36</link>
<description>
<![CDATA[ CVE-2019-11043 allows remote attackers to execute arbitrary code via a susceptible version of PHP 7.2, or PHP 7.3. ]]>
</description>
<pubDate>Fri, 01 Nov 2019 12:47:01 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_36</guid>
</item>
<item>
<title>Synology-SA-19:35 Samba</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_35</link>
<description>
<![CDATA[ These vulnerabilities allow remote attackers to bypass security constraints via a susceptible version of DiskStation Manager (DSM) or Synology Router Manager (SRM), and allow remote authenticated users to conduct denial-of-service attacks via a susceptible version of Synology Directory Server. ]]>
</description>
<pubDate>Wed, 30 Oct 2019 18:23:58 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_35</guid>
</item>
<item>
<title>Synology-SA-19:34 WordPress</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_34</link>
<description>
<![CDATA[ These vulnerabilities allow remote attackers to inject arbitrary web script or HTML, obtain sensitive information, or access intranet resources via a susceptible version of WordPress. ]]>
</description>
<pubDate>Fri, 18 Oct 2019 19:39:50 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_34</guid>
</item>
<item>
<title>Synology-SA-19:33 HTTP/2 DoS Attacks</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_33</link>
<description>
<![CDATA[ CVE-2019-9511, CVE-2019-9513 and CVE-2019-9516 allow remote attackers to conduct denial-of-service attacks via a susceptible version of DiskStation Manager (DSM). ]]>
</description>
<pubDate>Wed, 14 Aug 2019 17:48:14 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_33</guid>
</item>
<item>
<title>Synology-SA-19:32 SWAPGS Spectre Side-Channel Attack</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_32</link>
<description>
<![CDATA[ The vulnerability allows local users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM) running on an Intel CPU, including guests running in Virtual Machine Manager. ]]>
</description>
<pubDate>Thu, 08 Aug 2019 18:21:05 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_32</guid>
</item>
<item>
<title>Synology-SA-19:31 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_31</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to set a new password without verification via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Wed, 24 Jul 2019 18:13:12 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_31</guid>
</item>
<item>
<title>Synology-SA-19:30 Drupal</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_30</link>
<description>
<![CDATA[ None of Synology's products are affected by CVE-2019-6342, as this vulnerability only affects Drupal 8.7.4. ]]>
</description>
<pubDate>Fri, 19 Jul 2019 17:36:29 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_30</guid>
</item>
<item>
<title>Synology-SA-19:29 Tomcat</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_29</link>
<description>
<![CDATA[ None of Synology's products are affected by CVE-2019-10072, as the vulnerability only affects Tomcat 8.5 and later. ]]>
</description>
<pubDate>Mon, 24 Jun 2019 18:07:18 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_29</guid>
</item>
<item>
<title>Synology-SA-19:28 Linux kernel</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_28</link>
<description>
<![CDATA[ CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479 allow remote attackers to conduct denial-of-service attacks via a susceptible version of DiskStation Manager (DSM) or Synology Router Manager (SRM). ]]>
</description>
<pubDate>Fri, 21 Jun 2019 17:59:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_28</guid>
</item>
<item>
<title>Synology-SA-19:27 Samba AD DC</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_27</link>
<description>
<![CDATA[ None of Synology's products are affected by CVE-2019-12435 and CVE-2019-12436, as these vulnerabilities only affect Samba 4.9 and later. ]]>
</description>
<pubDate>Fri, 21 Jun 2019 17:16:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_27</guid>
</item>
<item>
<title>Synology-SA-19:26 Photo Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_26</link>
<description>
<![CDATA[ These vulnerabilities allow remote attackers to obtain sensitive information or modify system settings via a susceptible version of Photo Station. ]]>
</description>
<pubDate>Tue, 11 Jun 2019 16:04:48 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_26</guid>
</item>
<item>
<title>Synology-SA-19:25 Virtual Machine Manager</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_25</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to bypass security constraints via a susceptible version of Virtual Machine Manager. ]]>
</description>
<pubDate>Thu, 23 May 2019 13:55:15 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_25</guid>
</item>
<item>
<title>Synology-SA-19:24 Microarchitectural Data Sampling</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_24</link>
<description>
<![CDATA[ CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091 allow local users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM) running on an Intel CPU, including guests running in Virtual Machine Manager. ]]>
</description>
<pubDate>Wed, 15 May 2019 18:59:52 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_24</guid>
</item>
<item>
<title>Synology-SA-19:23 Samba AD DC</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_23</link>
<description>
<![CDATA[ CVE-2018-16860 allows man-in-the-middle attackers to bypass security constraints via a susceptible version of Directory Server for Windows Domain. ]]>
</description>
<pubDate>Wed, 15 May 2019 16:06:59 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_23</guid>
</item>
<item>
<title>Synology-SA-19:22 Drupal</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_22</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Drupal and Drupal8. ]]>
</description>
<pubDate>Fri, 10 May 2019 13:59:40 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_22</guid>
</item>
<item>
<title>Synology-SA-19:21 Calendar</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_21</link>
<description>
<![CDATA[ A vulnerability allows local users to obtain sensitive information via a susceptible version of Calendar. ]]>
</description>
<pubDate>Thu, 09 May 2019 13:30:34 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_21</guid>
</item>
<item>
<title>Synology-SA-19:20 ISC BIND</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_20</link>
<description>
<![CDATA[ CVE-2018-5743 allows remote attackers to conduct denial-of-service attacks via a susceptible version of DNS Server. DNS Server is not affected by CVE-2019-6467 and CVE-2019-6468, as these vulnerabilities only affect ISC BIND 9.10.5 and later. ]]>
</description>
<pubDate>Fri, 26 Apr 2019 13:44:46 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_20</guid>
</item>
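Several entries in this feed (for example Synology-SA-20:01 and Synology-SA-19:20 above) pair a list of CVE identifiers with a "not affected, as the vulnerability only affects <product> <version> and later" ruling. The script below is an added example, not part of Synology's feed or tooling: it parses RSS items of this shape, pulls out the CVE identifiers, captures each not-affected ruling as a product name plus a minimum vulnerable version, and compares that threshold against a version you supply. The sample RSS envelope is constructed here from two of the feed's own descriptions so the script runs offline; the regular expressions encode an assumption about Synology's wording, not a formal grammar of the feed.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample: two item descriptions copied from the feed's wording,
# wrapped in a minimal RSS envelope so the parser can be exercised offline.
SAMPLE_RSS = """<rss><channel>
<item>
<title>Synology-SA-20:01 Samba</title>
<description><![CDATA[ Multiple vulnerabilities allow remote authenticated users to bypass security constraints via a susceptible version of Synology Directory Server or allow remote attackers to conduct denial-of-service attacks via a susceptible version of DiskStation Manager (DSM) or Synology Router Manager (SRM). None of Synology products are affected by CVE-2019-19344 as the vulnerability only affects Samba 4.9 and later. ]]></description>
</item>
<item>
<title>Synology-SA-19:20 ISC BIND</title>
<description><![CDATA[ CVE-2018-5743 allows remote attackers to conduct denial-of-service attacks via a susceptible version of DNS Server. DNS Server is not affected by CVE-2019-6467 and CVE-2019-6468 as these vulnerabilities only affect ISC BIND 9.10.5 and later. ]]></description>
</item>
</channel></rss>"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Assumption: not-affected rulings read either "None of Synology('s) products are
# affected by CVE-... " or "<product> is not affected by CVE-... and CVE-...",
# followed later in the sentence by "only affect(s) <product> <version> and later".
NOT_AFFECTED_RE = re.compile(
    r"(?:none of [A-Za-z' ]+? are|(?:is|are) not) affected by "
    r"(?P<cves>CVE-\d{4}-\d{4,}(?:,? (?:and )?CVE-\d{4}-\d{4,})*)"
    r".*?only affects? (?P<product>[A-Za-z ]+?) (?P<version>\d+(?:\.\d+)*) and later",
    re.IGNORECASE,
)


def parse_version(text):
    """Turn '9.10.5' into (9, 10, 5) so tuples compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_advisories(rss_text):
    """Return one dict per <item>: title, all CVE ids mentioned, and any
    not-affected rulings with the product and minimum vulnerable version."""
    root = ET.fromstring(rss_text)  # ElementTree unwraps the CDATA sections for us
    advisories = []
    for item in root.iter("item"):
        title = item.findtext("title", "").strip()
        desc = item.findtext("description", "").strip()
        rulings = []
        for match in NOT_AFFECTED_RE.finditer(desc):
            rulings.append({
                "cves": CVE_RE.findall(match.group("cves")),
                "product": match.group("product").strip(),
                "min_version": parse_version(match.group("version")),
            })
        advisories.append({
            "title": title,
            "cves": sorted(set(CVE_RE.findall(desc))),
            "not_affected": rulings,
        })
    return advisories


def affected_by_ruling(ruling, installed_version):
    """True when installed_version falls inside the range the advisory calls
    vulnerable (min_version and later); False when it is older, which is the
    case Synology relies on when it rules its own packages unaffected."""
    return parse_version(installed_version) >= ruling["min_version"]


if __name__ == "__main__":
    for adv in parse_advisories(SAMPLE_RSS):
        print(adv["title"], adv["cves"])
        for ruling in adv["not_affected"]:
            print("  not affected:", ruling["cves"], "needs",
                  ruling["product"], ".".join(map(str, ruling["min_version"])), "or later")
```

The version comparison is the part worth keeping: a "not affected" ruling in an advisory is only as good as the version actually shipped in the package, so the same check can be run against the output of a package inventory before accepting the ruling for your own fleet.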
<item>
<title>Synology-SA-19:19 Drupal</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_19</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML, execute arbitrary code or bypass security constraints via a susceptible version of Drupal and Drupal8. ]]>
</description>
<pubDate>Thu, 18 Apr 2019 18:15:18 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_19</guid>
</item>
<item>
<title>Synology-SA-19:18 Broadcom Wi-Fi Driver</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_18</link>
<description>
<![CDATA[ CVE-2019-9501 and CVE-2019-9502 allow remote attackers to conduct denial-of-service attacks or execute arbitrary code via a susceptible version of Synology Router Manager (SRM) on RT1900ac model. RT1900ac is not affected by CVE-2019-9500 and CVE-2019-9503 as it does not employ the open-source brcmfmac driver. ]]>
</description>
<pubDate>Thu, 18 Apr 2019 11:51:52 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_18</guid>
</item>
<item>
<title>Synology-SA-19:17 Tomcat</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_17</link>
<description>
<![CDATA[ Since CVE-2019-0232 only affects Tomcat deployed on Microsoft Windows, none of Synology's products are affected: the Synology Tomcat7 and Tomcat6 packages run only on DiskStation Manager (DSM). ]]>
</description>
<pubDate>Wed, 17 Apr 2019 17:42:06 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_17</guid>
</item>
<item>
<title>Synology-SA-19:16 Dragonblood</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_16</link>
<description>
<![CDATA[ The Dragonblood attacks (CVE-2019-9494 and CVE-2019-9496) allow remote attackers to obtain sensitive information or conduct denial-of-service attacks via a susceptible version of Synology Router Manager (SRM). CVE-2019-9495, CVE-2019-9497, CVE-2019-9498 and CVE-2019-9499 allow remote attackers to obtain sensitive information via a susceptible version of RADIUS Server. ]]>
</description>
<pubDate>Thu, 11 Apr 2019 14:12:42 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_16</guid>
</item>
<item>
<title>Synology-SA-19:15 Samba</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_15</link>
<description>
<![CDATA[ CVE-2019-3880 allows remote authenticated users to create arbitrary files or obtain sensitive information via a susceptible version of DiskStation Manager (DSM) or Synology Router Manager (SRM). None of Synology's products are affected by CVE-2019-3870, as that vulnerability only affects Samba 4.9.0 and later. ]]>
</description>
<pubDate>Tue, 09 Apr 2019 18:15:46 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_15</guid>
</item>
<item>
<title>Synology-SA-19:14 Apache HTTP Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_14</link>
<description>
<![CDATA[ CVE-2019-0211 allows local users to conduct privilege escalation attacks via a susceptible version of Apache HTTP Server 2.4. ]]>
</description>
<pubDate>Wed, 03 Apr 2019 14:41:40 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_14</guid>
</item>
<item>
<title>Synology-SA-19:13 Drupal</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_13</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to inject arbitrary web script or HTML via a susceptible version of Drupal. ]]>
</description>
<pubDate>Tue, 26 Mar 2019 17:27:02 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_13</guid>
</item>
<item>
<title>Synology-SA-19:12 Calendar</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_12</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary commands via a susceptible version of Calendar. ]]>
</description>
<pubDate>Tue, 19 Mar 2019 15:10:14 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_12</guid>
</item>
<item>
<title>Synology-SA-19:11 Office</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_11</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to inject arbitrary web script or HTML via a susceptible version of Office. ]]>
</description>
<pubDate>Tue, 05 Mar 2019 14:01:22 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_11</guid>
</item>
<item>
<title>Synology-SA-19:10 ISC BIND</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_10</link>
<description>
<![CDATA[ CVE-2019-6465 allows remote attackers to obtain sensitive information via a susceptible version of DNS Server. None of Synology's products are affected by CVE-2018-5744, as this vulnerability only affects ISC BIND 9.10.7 and later. None of Synology's products are affected by CVE-2018-5745, as this vulnerability only applies when the DNSSEC feature is enabled. ]]>
</description>
<pubDate>Sat, 23 Feb 2019 15:44:24 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_10</guid>
</item>
<item>
<title>Synology-SA-19:09 Drupal</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_09</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Drupal 8. ]]>
</description>
<pubDate>Fri, 22 Feb 2019 13:34:56 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_09</guid>
</item>
<item>
<title>Synology-SA-19:08 Note Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_08</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Note Station. ]]>
</description>
<pubDate>Tue, 19 Feb 2019 15:32:12 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_08</guid>
</item>
<item>
<title>Synology-SA-19:07 Marvell Avastar SoC</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_07</link>
<description>
<![CDATA[ CVE-2019-6496 allows remote attackers to conduct denial-of-service attacks or execute arbitrary code. None of Synology's products are affected, as CVE-2019-6496 only affects products equipped with the Marvell Avastar SoC. ]]>
</description>
<pubDate>Fri, 15 Feb 2019 18:03:26 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_07</guid>
</item>
<item>
<title>Synology-SA-19:06 Docker</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_06</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary commands via a susceptible version of Docker. ]]>
</description>
<pubDate>Thu, 14 Feb 2019 15:10:34 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_06</guid>
</item>
<item>
<title>Synology-SA-19:05 Moments</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_05</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to upload arbitrary files via a susceptible version of Moments. ]]>
</description>
<pubDate>Wed, 16 Jan 2019 17:26:58 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_05</guid>
</item>
<item>
<title>Synology-SA-19:04 Calendar</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_04</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to inject arbitrary web script or HTML via a susceptible version of Calendar. ]]>
</description>
<pubDate>Tue, 15 Jan 2019 15:37:50 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_04</guid>
</item>
<item>
<title>Synology-SA-19:03 Surveillance Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_03</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Surveillance Station. ]]>
</description>
<pubDate>Tue, 15 Jan 2019 15:13:02 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_03</guid>
</item>
<item>
<title>Synology-SA-19:02 VS960HD</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_02</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of VS960HD. ]]>
</description>
<pubDate>Tue, 15 Jan 2019 15:12:24 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_02</guid>
</item>
<item>
<title>Synology-SA-19:01 Photo Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_19_01</link>
<description>
<![CDATA[ These vulnerabilities allow remote attackers to execute arbitrary SQL commands and remote authenticated users to upload arbitrary files via a susceptible version of Photo Station. ]]>
</description>
<pubDate>Wed, 02 Jan 2019 11:16:52 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_19_01</guid>
</item>
<item>
<title>Synology-SA-18:65 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_65</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Wed, 26 Dec 2018 15:23:11 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_65</guid>
</item>
<item>
<title>Synology-SA-18:64 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_64</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM). ]]>
</description>
<pubDate>Wed, 26 Dec 2018 14:06:16 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_64</guid>
</item>
<item>
<title>Synology-SA-18:63 DS File</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_63</link>
<description>
<![CDATA[ A vulnerability allows local users to obtain sensitive information via a susceptible version of Android DS File. ]]>
</description>
<pubDate>Tue, 25 Dec 2018 14:08:34 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_63</guid>
</item>
<item>
<title>Synology-SA-18:62 Netatalk</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_62</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) or Synology Router Manager (SRM). ]]>
</description>
<pubDate>Fri, 21 Dec 2018 17:58:09 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_62</guid>
</item>
<item>
<title>Synology-SA-18:61 Magellan</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_61</link>
<description>
<![CDATA[ The Magellan vulnerability allows remote authenticated users to conduct denial-of-service attacks or possibly execute arbitrary code via susceptible versions of Synology products. ]]>
</description>
<pubDate>Tue, 18 Dec 2018 11:58:48 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_61</guid>
</item>
<item>
<title>Synology-SA-18:60 Samba AD DC</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_60</link>
<description>
<![CDATA[ CVE-2018-16841 and CVE-2018-16851 allow remote authenticated users to conduct denial-of-service attacks via a susceptible version of Synology Active Directory Server. None of Synology's products are affected by CVE-2018-14629, CVE-2018-16852, CVE-2018-16853 and CVE-2018-16857, as these vulnerabilities only affect Samba 4.9.0 and later. ]]>
</description>
<pubDate>Wed, 28 Nov 2018 18:34:16 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_60</guid>
</item>
<item>
<title>Synology-SA-18:59 VS960HD</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_59</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of VS960HD. ]]>
</description>
<pubDate>Thu, 08 Nov 2018 16:06:07 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_59</guid>
</item>
<item>
<title>Synology-SA-18:58 Surveillance Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_58</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Surveillance Station. ]]>
</description>
<pubDate>Thu, 08 Nov 2018 16:05:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_58</guid>
</item>
<item>
<title>Synology-SA-18:57 BleedingBit</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_57</link>
<description>
<![CDATA[ CVE-2018-16986, a.k.a. BleedingBit, allows remote attackers to execute arbitrary code via a susceptible version of the Texas Instruments CC2640 or CC2650. None of Synology's products are affected, as CVE-2018-16986 only affects products equipped with the Texas Instruments CC2640 or CC2650. ]]>
</description>
<pubDate>Fri, 02 Nov 2018 14:28:36 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_57</guid>
</item>
<item>
<title>Synology-SA-18:56 DS Get</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_56</link>
<description>
<![CDATA[ A vulnerability allows local users to obtain sensitive information via a susceptible version of Android DS Get. ]]>
</description>
<pubDate>Wed, 24 Oct 2018 16:16:24 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_56</guid>
</item>
<item>
<title>Synology-SA-18:55 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_55</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM). ]]>
</description>
<pubDate>Wed, 17 Oct 2018 10:27:40 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_55</guid>
</item>
<item>
<title>Synology-SA-18:54 Calendar</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_54</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to upload arbitrary files via a susceptible version of Calendar. ]]>
</description>
<pubDate>Mon, 08 Oct 2018 16:42:03 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_54</guid>
</item>
<item>
<title>Synology-SA-18:53 Web Proxy Auto-Discovery</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_53</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to conduct man-in-the-middle attacks via a susceptible version of Synology DiskStation Manager (DSM) or Synology Router Manager (SRM). ]]>
</description>
<pubDate>Wed, 05 Sep 2018 23:52:05 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_53</guid>
</item>
<item>
<title>Synology-SA-18:52 Android Moments</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_52</link>
<description>
<![CDATA[ A vulnerability allows man-in-the-middle attackers to execute arbitrary code via a susceptible version of Android Moments. ]]>
</description>
<pubDate>Wed, 05 Sep 2018 15:17:58 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_52</guid>
</item>
<item>
<title>Synology-SA-18:51 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_51</link>
<description>
<![CDATA[ These vulnerabilities allow remote authenticated users to obtain sensitive information or inject arbitrary web script or HTML via a susceptible version of Synology DiskStation Manager (DSM). ]]>
</description>
<pubDate>Wed, 29 Aug 2018 14:14:12 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_51</guid>
</item>
<item>
<title>Synology-SA-18:50 Drive</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_50</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to obtain sensitive information via a susceptible version of Drive. ]]>
</description>
<pubDate>Mon, 27 Aug 2018 16:56:19 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_50</guid>
</item>
<item>
<title>Synology-SA-18:49 Ghostscript</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_49</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to execute arbitrary commands via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM) when the AirPrint feature is enabled. ]]>
</description>
<pubDate>Thu, 23 Aug 2018 13:52:41 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_49</guid>
</item>
<item>
<title>Synology-SA-18:48 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_48</link>
<description>
<![CDATA[ These vulnerabilities allow remote attackers or remote authenticated users to obtain sensitive information via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Mon, 20 Aug 2018 16:37:20 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_48</guid>
</item>
<item>
<title>Synology-SA-18:47 Samba</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_47</link>
<description>
<![CDATA[ CVE-2018-10858 allows man-in-the-middle attackers to execute arbitrary code via a susceptible version of Active Backup for Server. CVE-2018-10919 allows remote authenticated users to obtain sensitive information via a susceptible version of Active Directory Server. None of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), and Directory Server are affected by CVE-2018-1139, CVE-2018-1140, or CVE-2018-10918 as these vulnerabilities only affect Samba 4.7 or above. ]]>
</description>
<pubDate>Thu, 16 Aug 2018 16:36:23 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_47</guid>
</item>
<item>
<title>Synology-SA-18:46 Internet Key Exchange v1</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_46</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Server or VPN Plus Server. ]]>
</description>
<pubDate>Wed, 15 Aug 2018 18:04:54 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_46</guid>
</item>
<item>
<title>Synology-SA-18:45 L1 Terminal Fault</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_45</link>
<description>
<![CDATA[ The L1 Terminal Fault (L1TF) vulnerability, a.k.a. the Foreshadow attack, allows local users or guest OS users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM) that is equipped with an Intel CPU or Virtual Machine Manager. ]]>
</description>
<pubDate>Wed, 15 Aug 2018 17:00:49 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_45</guid>
</item>
<item>
<title>Synology-SA-18:44 Linux kernel</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_44</link>
<description>
<![CDATA[ CVE-2018-5391, a.k.a. the FragmentSmack attack, allows remote attackers to conduct denial-of-service attacks via a susceptible version of Synology DiskStation Manager (DSM), SkyNAS or VS960HD. SRM 1.1 is not affected, as CVE-2018-5391 only affects Linux kernel 3.9 or above. ]]>
</description>
<pubDate>Wed, 15 Aug 2018 13:17:16 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_44</guid>
</item>
<item>
<title>Synology-SA-18:43 MailPlus Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_43</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to conduct denial-of-service attacks via a susceptible version of MailPlus Server. ]]>
</description>
<pubDate>Tue, 14 Aug 2018 14:25:06 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_43</guid>
</item>
<item>
<title>Synology-SA-18:42 ISC BIND</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_42</link>
<description>
<![CDATA[ CVE-2018-5740 allows remote attackers to conduct denial-of-service attacks via a susceptible version of ISC BIND. None of Synology's products are affected, as CVE-2018-5740 only applies when the &quot;deny-answer-aliases&quot; feature is enabled. ]]>
</description>
<pubDate>Fri, 10 Aug 2018 13:59:39 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_42</guid>
</item>
<item>
<title>Synology-SA-18:41 Linux kernel</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_41</link>
<description>
<![CDATA[ CVE-2018-5390, a.k.a. the SegmentSmack attack, allows remote attackers to conduct denial-of-service attacks via a susceptible version of the Linux kernel. None of Synology's products are affected, as CVE-2018-5390 only affects Linux kernel 4.9 and later. ]]>
</description>
<pubDate>Tue, 07 Aug 2018 11:13:31 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_41</guid>
</item>
<item>
<title>Synology-SA-18:40 Synology Application Service</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_40</link>
<description>
<![CDATA[ These vulnerabilities allow remote authenticated users to obtain sensitive information via a susceptible version of Synology Application Service. ]]>
</description>
<pubDate>Mon, 30 Jul 2018 14:36:54 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_40</guid>
</item>
<item>
<title>Synology-SA-18:39 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_39</link>
<description>
<![CDATA[ A vulnerability allows man-in-the-middle attackers to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM). ]]>
</description>
<pubDate>Mon, 30 Jul 2018 10:29:39 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_39</guid>
</item>
<item>
<title>Synology-SA-18:38 Tomcat</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_38</link>
<description>
<![CDATA[ CVE-2018-1336 and CVE-2018-8034 allow remote attackers to conduct denial-of-service attacks, or man-in-the-middle attackers to bypass security constraints, via a susceptible version of Tomcat 6 or Tomcat 7. None of Synology's products are affected by CVE-2018-8037, as it only affects Apache Tomcat 8.5.5 and later. ]]>
</description>
<pubDate>Tue, 24 Jul 2018 18:54:48 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_38</guid>
</item>
<item>
<title>Synology-SA-18:37 Photo Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_37</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to hijack web sessions via a susceptible version of Synology Photo Station. ]]>
</description>
<pubDate>Mon, 23 Jul 2018 10:32:14 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_37</guid>
</item>
<item>
<title>Synology-SA-18:36 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_36</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM). ]]>
</description>
<pubDate>Thu, 12 Jul 2018 16:41:54 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_36</guid>
</item>
<item>
<title>Synology-SA-18:35 File Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_35</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to obtain sensitive information via a susceptible version of Synology File Station. ]]>
</description>
<pubDate>Thu, 12 Jul 2018 10:00:23 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_35</guid>
</item>
<item>
<title>Synology-SA-18:34 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_34</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote authenticated users to execute arbitrary OS commands or obtain sensitive information via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Thu, 28 Jun 2018 11:59:22 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_34</guid>
</item>
<item>
<title>Synology-SA-18:33 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_33</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote authenticated users to execute arbitrary OS commands or obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM). ]]>
</description>
<pubDate>Mon, 25 Jun 2018 11:15:51 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_33</guid>
</item>
<item>
<title>Synology-SA-18:32 ISC BIND</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_32</link>
<description>
<![CDATA[ CVE-2018-5738 allows remote attackers to obtain sensitive information from a susceptible version of ISC BIND. None of Synology's products are affected, as CVE-2018-5738 only affects ISC BIND 9.9.12 and later. ]]>
</description>
<pubDate>Thu, 14 Jun 2018 18:51:32 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_32</guid>
</item>
<item>
<title>Synology-SA-18:31 Lazy FP State Restore</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_31</link>
<description>
<![CDATA[ A vulnerability allows local users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM) that is equipped with an Intel Core-based CPU. ]]>
</description>
<pubDate>Thu, 14 Jun 2018 16:31:41 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_31</guid>
</item>
<item>
<title>Synology-SA-18:30 SSL VPN Client</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_30</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to conduct man-in-the-middle attacks via a susceptible version of SSL VPN Client. ]]>
</description>
<pubDate>Fri, 01 Jun 2018 15:08:53 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_30</guid>
</item>
<item>
<title>Synology-SA-18:29 Web Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_29</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to conduct phishing attacks via a susceptible version of Web Station. ]]>
</description>
<pubDate>Fri, 01 Jun 2018 15:08:14 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_29</guid>
</item>
<item>
<title>Synology-SA-18:28 SSO Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_28</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to conduct clickjacking attacks via a susceptible version of Synology SSO Server. ]]>
</description>
<pubDate>Thu, 31 May 2018 10:53:14 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_28</guid>
</item>
<item>
<title>Synology-SA-18:27 Universal Search</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_27</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to bypass permission checks for directories via a susceptible version of Synology Universal Search. ]]>
</description>
<pubDate>Thu, 31 May 2018 10:52:48 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_27</guid>
</item>
<item>
<title>Synology-SA-18:26 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_26</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to inject arbitrary web script or HTML via a susceptible version of Synology DiskStation Manager (DSM). ]]>
</description>
<pubDate>Thu, 31 May 2018 10:52:07 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_26</guid>
</item>
<item>
<title>Synology-SA-18:25 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_25</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Synology Router Manager (SRM). ]]>
</description>
<pubDate>Wed, 23 May 2018 14:08:12 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_25</guid>
</item>
<item>
<title>Synology-SA-18:24 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_24</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote authenticated users to execute arbitrary commands or to set a new password without verification via a susceptible version of Synology DiskStation Manager (DSM). ]]>
</description>
<pubDate>Wed, 23 May 2018 14:07:44 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_24</guid>
</item>
<item>
<title>Synology-SA-18:23 Speculative Store Bypass</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_23</link>
<description>
<![CDATA[ These vulnerabilities allow local users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM) that is equipped with an Intel or ARM CPU. ]]>
</description>
<pubDate>Tue, 22 May 2018 14:39:53 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_23</guid>
</item>
<item>
<title>Synology-SA-18:22 EFAIL</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_22</link>
<description>
<![CDATA[ The EFAIL attacks allow remote attackers to reveal the plaintext of encrypted emails. Synology products are not affected because MailPlus, Android MailPlus, and iOS MailPlus do not render HTML for OpenPGP or S/MIME messages. ]]>
</description>
<pubDate>Tue, 15 May 2018 19:16:15 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_22</guid>
</item>
<item>
<title>Synology-SA-18:21 Linux kernel</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_21</link>
<description>
<![CDATA[ These vulnerabilities allow local users to conduct denial-of-service attacks via a susceptible version of DSM, Virtual DSM or SkyNAS. ]]>
</description>
<pubDate>Wed, 09 May 2018 12:52:28 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_21</guid>
</item>
<item>
<title>Synology-SA-18:20 PHP</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_20</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of PHP 5.6, PHP 7.0 or DSM 5.2. ]]>
</description>
<pubDate>Wed, 02 May 2018 15:30:27 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_20</guid>
</item>
<item>
<title>Synology-SA-18:19 SSL VPN Client</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_19</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to conduct man-in-the-middle attacks against a susceptible version of SSL VPN Client. ]]>
</description>
<pubDate>Thu, 26 Apr 2018 15:47:29 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_19</guid>
</item>
<item>
<title>Synology-SA-18:18 Drupal</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_18</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Drupal and Drupal8. ]]>
</description>
<pubDate>Thu, 26 Apr 2018 13:51:34 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_18</guid>
</item>
<item>
<title>Synology-SA-18:17 Drupal</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_17</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Drupal and Drupal8. ]]>
</description>
<pubDate>Fri, 30 Mar 2018 15:21:37 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_17</guid>
</item>
<item>
<title>Synology-SA-18:16 Calendar</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_16</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to create arbitrary events via a susceptible version of Calendar. ]]>
</description>
<pubDate>Thu, 29 Mar 2018 12:52:19 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_16</guid>
</item>
<item>
<title>Synology-SA-18:15 Photo Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_15</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to hijack the authentication of administrators or to conduct privilege escalation attacks via a susceptible version of Photo Station. ]]>
</description>
<pubDate>Thu, 29 Mar 2018 12:51:05 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_15</guid>
</item>
<item>
<title>Synology-SA-18:14 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_14</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote attackers to steal credentials or inject arbitrary web script or HTML via a susceptible version of Synology DiskStation Manager (DSM). ]]>
</description>
<pubDate>Tue, 27 Mar 2018 16:02:31 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_14</guid>
</item>
<item>
<title>Synology-SA-18:13 NTP</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_13</link>
<description>
<![CDATA[ These vulnerabilities allow remote attackers to conduct association attacks via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), Virtual DSM, SkyNAS or VS960HD. ]]>
</description>
<pubDate>Tue, 27 Mar 2018 15:57:38 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_13</guid>
</item>
<item>
<title>Synology-SA-18:12 Office</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_12</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to inject arbitrary web script or HTML via a susceptible version of Office. ]]>
</description>
<pubDate>Mon, 26 Mar 2018 16:50:08 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_12</guid>
</item>
<item>
<title>Synology-SA-18:11 Drive</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_11</link>
<description>
<![CDATA[ Multiple vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML, or to access non-shared files and folders, via a susceptible version of Drive. ]]>
</description>
<pubDate>Wed, 21 Mar 2018 15:00:05 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_11</guid>
</item>
<item>
<title>Synology-SA-18:10 CardDAV Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_10</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to inject arbitrary web scripts or HTML via a susceptible version of CardDAV Server. ]]>
</description>
<pubDate>Tue, 20 Mar 2018 13:46:21 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_10</guid>
</item>
<item>
<title>Synology-SA-18:09 File Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_09</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to inject arbitrary web scripts or HTML via a susceptible version of File Station. ]]>
</description>
<pubDate>Tue, 20 Mar 2018 13:44:20 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_09</guid>
</item>
<item>
<title>Synology-SA-18:08 Samba</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_08</link>
<description>
<![CDATA[ CVE-2018-1057 allows remote authenticated users to change other users' passwords via a susceptible version of Synology DiskStation Manager (DSM) with Active Directory Server installed. Synology rates the overall severity as Important according to CVSS v3.0 metrics. However, the vulnerable functionality is disabled by default and there is no user interface to activate this option. Synology has decided to postpone the fix until the upcoming update within the next 90 days. ]]>
</description>
<pubDate>Wed, 14 Mar 2018 16:54:07 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_08</guid>
</item>
<item>
<title>Synology-SA-18:07 Memcached</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_07</link>
<description>
<![CDATA[ CVE-2018-1000115 allows remote attackers to conduct amplification attacks via a susceptible version of MailPlus Server. ]]>
</description>
<pubDate>Wed, 14 Mar 2018 14:09:46 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_07</guid>
</item>
<item>
<title>Synology-SA-18:06 Calendar</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_06</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to inject arbitrary web script or HTML via a susceptible version of Calendar. ]]>
</description>
<pubDate>Mon, 12 Feb 2018 15:12:26 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_06</guid>
</item>
<item>
<title>Synology-SA-18:05 Drive</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_05</link>
<description>
<![CDATA[ A vulnerability allows remote authenticated users to inject arbitrary web script or HTML via a susceptible version of Drive. ]]>
</description>
<pubDate>Thu, 08 Feb 2018 17:24:29 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_05</guid>
</item>
<item>
<title>Synology-SA-18:04 Media Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_04</link>
<description>
<![CDATA[ A vulnerability allows remote attackers to conduct SQL injection attacks via a susceptible version of Media Server. ]]>
</description>
<pubDate>Thu, 08 Feb 2018 10:07:44 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_04</guid>
</item>
<item>
<title>Synology-SA-18:03 Note Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_03</link>
<description>
<![CDATA[ Abstract
These vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via a susceptible version of Note Station.

Affected Products
| Product | Severity | Latest Patch |
|---------|----------|--------------|
| Note Station | Moderate | Upgrade to 2.5.1-0844 or above. |

Mitigation
None

Detail
CVE-2018-8911
Severity: Moderate
CVSS3 Base Score: 6.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Cross-site scripting (XSS) vulnerability in Attachment Preview in Synology Note Station before 2.5.1-0844 allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments.

CVE-2018-8912
Severity: Moderate
CVSS3 Base Score: 6.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Note in Synology Note Station before 2.5.1-0844 allows remote authenticated users to inject arbitrary web script or HTML via the commit_msg parameter.

Acknowledgement
Taien Wang (https://www.linkedin.com/in/taienwang/)

Revision History
| Revision | Date | Description |
|----------|------------|----------------------------------|
| 1 | 2018-01-23 | Initial public release. |
| 2 | 2018-05-08 | Disclosed vulnerability details. |
]]>
</description>
<pubDate>Tue, 23 Jan 2018 17:25:28 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_03</guid>
</item>
<item>
<title>Synology-SA-18:02 Photo Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_02</link>
<description>
<![CDATA[ Abstract
These vulnerabilities allow remote authenticated users to execute arbitrary code or inject arbitrary web script or HTML via a susceptible version of Photo Station.

Affected Products
| Product | Severity | Latest Patch |
|---------|----------|--------------|
| Photo Station 6.8 | Moderate | Upgrade to 6.8.3-3463 or above. |
| Photo Station 6.3 | Moderate | Upgrade to 6.3-2971 or above. |

Mitigation
None

Detail
CVE-2017-16771
Severity: Moderate
CVSS3 Base Score: 5.8
CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote attackers to inject arbitrary web script or HTML via the username parameter.

CVE-2017-16772
Severity: Moderate
CVSS3 Base Score: 6.3
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUpload in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote authenticated users to execute arbitrary code via the prog_id parameter.

Acknowledgement
Steven Seeley (mr_me) of Offensive Security

Revision History
| Revision | Date | Description |
|----------|------------|----------------------------------|
| 1 | 2018-01-10 | Initial public release. |
| 2 | 2018-03-22 | Disclosed vulnerability details. |
]]>
</description>
<pubDate>Wed, 10 Jan 2018 10:18:42 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_02</guid>
</item>
<item>
<title>Synology-SA-18:01 Meltdown and Spectre Attacks</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_18_01</link>
<description>
<![CDATA[ Abstract

These vulnerabilities allow local users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), and VisualStation running on an Intel or Arm CPU, including inside Virtual Machine Manager. Synology rates the overall severity as Moderate because these vulnerabilities can only be exploited via local malicious programs. To secure customers' products against the attacks, we recommend you only install trusted packages.

Regarding the Spectre &amp; Meltdown Checker, Synology implements array_index_mask_nospec, minimal ASM retpoline, and Kernel Page Table Isolation (KPTI) on affected models [1], and additionally Indirect Branch Prediction Barrier (IBPB) on specific models [2], to mitigate the vulnerabilities in DSM. Customers can mitigate the vulnerabilities in DSM and SRM by upgrading to 6.2.2-24922 and 1.1.7-6941-1, respectively.

Affected Products

| Product | Severity | Fixed Release Availability |
|---------|----------|-------------|
| DSM 6.2 | Moderate | Upgrade to 6.2.2-24922 or above. |
| DSM 6.1 [3] | Moderate | Upgrade to 6.2.2-24922 or above. |
| DSM 6.0 [4] | Moderate | Upgrade to 6.2.2-24922 or above. |
| DSM 5.2 [5] | Moderate | Upgrade to 6.2.2-24922 or above. |
| SkyNAS | Moderate | Pending |
| SRM 1.1 [6] | Moderate | Upgrade to 1.1.7-6941-1 or above. [7] |
| VS960HD | Moderate | Pending |
| VS360HD | Moderate | Pending |
| Virtual Machine Manager | Moderate | Upgrade to 6.2-23739 or above. |

[1] DS415+, RS815RP+, RS815+, DS1515+, DS1815+, DS1517+, DS1817+, DS2415+, RS2416RP+, RS2416+, RS818RP+, RS818+, RS1219+, DS216+, DS216+II, DS716+, DS716+II, DS416play, DS916+, DS418play, DS218+, DS718+, DS918+, DS1019+, DS1618+, DS1819+, DS2419+, RS2418RP+, RS2418+, RS2818RP+, DS3611xs, DS3612xs, RS3411RPxs, RS3411xs, RS3412RPxs, RS3412xs, RS3413xs+, RS10613xs+, RS3614xs+, RC18015xs+, RS18016xs+, RS3617xs, RS3614RPxs, RS3614xs, RS3617RPxs, RS3617xs+, DS3617xs, DS3018xs, RS4017xs+, RS18017xs+, RS3618xs, RS1619xs+, FS1018, FS2017, FS3017, Virtual DSM

[2] DS218+, DS418play, DS718+, DS918+, DS1019+, DS1618+, DS1819+, DS2419+, RS2418(rp)+, RS2818rp+, DS3018xs, FS1018, RS1619xs+

[3] DS918+, DS418play, DS718+, DS218+, FS1018, DS3018xs, FS3017, RS3617xs, DS1817+, DS1517+, RS2416RP+, RS2416+, RS18016xs+, DS916+, DS416play, DS716+II, DS716+, DS216+II, DS216+, RC18015xs+, DS3615xs, DS2415+, DS1815+, DS1515+, RS815RP+, RS815+, DS415+, RS3614xs+, RS3614xs, RS3614RPxs, RS3413xs+, RS10613xs+, DS3612xs, RS3412xs, RS3412RPxs, DS3611xs, RS3411xs, RS3411RPxs, DS218j, DS1517, DS1817, DS116, DS416slim, RS217, RS816, DS115, DS215j, DS216, DS216j, DS416j, DS414j, DS216play, DS215+, DS416, DS1515, DS2015xs, DS715, NVR216, NVR1218, FS2017, RS4017xs+, RS3617xs+, RS3617RPxs, RS18017xs+, DS3617xs, RS818+, RS818rp+, DS1618+, RS2418+, RS2418rp+, RS3618xs, Virtual DSM

[4] FS3017, RS3617xs, RS2416RP+, RS2416+, RS18016xs+, DS916+, DS416play, DS716+II, DS716+, DS216+II, DS216+, RC18015xs+, DS3615xs, DS2415+, DS1815+, DS1515+, RS815RP+, RS815+, DS415+, RS3614xs+, RS3614xs, RS3614RPxs, RS3413xs+, RS10613xs+, DS3612xs, RS3412xs, RS3412RPxs, DS3611xs, RS3411xs, RS3411RPxs, DS116, DS416slim, RS217, RS816, DS115, DS215j, DS216, DS216j, DS416j, DS414j, DS216play, DS215+, DS416, DS1515, DS2015xs, DS715, NVR216, RS4017xs+, RS3617xs+, RS3617RPxs, RS18017xs+, DS3617xs

[5] RS2416RP+, RS2416+, RS18016xs+, DS716+, DS216+, RC18015xs+, DS3615xs, DS2415+, DS1815+, DS1515+, RS815RP+, RS815+, DS415+, RS3614xs+, RS3614xs, RS3614RPxs, RS3413xs+, RS10613xs+, DS3612xs, RS3412xs, RS3412RPxs, DS3611xs, RS3411xs, RS3411RPxs, DS115, DS215j, DS216, DS216j, DS416j, DS414j, DS216play, DS215+, DS416, DS1515, DS2015xs, DS715, NVR216

[6] RT1900ac, RT2600ac

[7] RT2600ac

Mitigation

None

Detail

CVE-2017-5715
Severity: Moderate
CVSS3 Base Score: 5.3
CVSS3 Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

CVE-2017-5753
Severity: Moderate
CVSS3 Base Score: 5.3
CVSS3 Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

CVE-2017-5754
Severity: Moderate
CVSS3 Base Score: 5.3
CVSS3 Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

Reference

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
INTEL-SA-00088
INTEL-OSS-10002
INTEL-OSS-10003
Project Zero: Reading privileged memory with a side-channel

Revision History

| Revision | Date | Description |
|----------|------------|-------------------------|
| 1 | 2018-01-04 | Initial public release. |
| 2 | 2018-01-04 | Updated affected models of ARM-series DiskStation in Affected Products. |
| 3 | 2018-01-04 | - Updated Abstract. - Added SRM 1.1 to Affected Products. - Added VisualStation to Affected Products. - Updated affected models of Virtual DSM in Affected Products. |
| 4 | 2018-01-05 | Updated affected models of Intel Broadwell-DE series in Affected Products. |
| 5 | 2018-01-05 | Updated Abstract. |
| 6 | 2018-01-08 | Updated Detail and Reference. |
| 7 | 2018-01-09 | Updated Affected Products and Detail. |
| 8 | 2018-01-09 | Updated Abstract and Mitigation. |
| 9 | 2018-10-16 | Updated Abstract and Affected Products. |
| 10 | 2019-03-28 | Updated Abstract and Affected Products upon 6.2.2. |
| 11 | 2020-02-21 | Update for Virtual Machine Manager is now available in Affected Products. |
]]>
</description>
<pubDate>Thu, 04 Jan 2018 13:36:12 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_18_01</guid>
</item>
<item>
<title>Synology-SA-17:82 Mailsploit</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_82</link>
<description>
<![CDATA[ Abstract

Mailsploit allows remote attackers to conduct spoofing attacks via a susceptible version of MailPlus, Android MailPlus and iOS MailPlus.

Affected Products

| Product | Severity | Fixed Release Availability |
|---------|----------|-------------|
| MailPlus | Important | Upgrade to 1.4.1-0742 or above. |
| Android MailPlus | Important | Upgrade to 1.6.1 or above. |
| iOS MailPlus | Important | Upgrade to 1.6.1 or above. |

Mitigation

None

Detail

Mailsploit
Severity: Important
CVSS3 Base Score: 7.4
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTAs), i.e. email servers, and therefore circumvents spoofing protection mechanisms such as DMARC (DKIM/SPF) and spam filters.

Reference

Mailsploit

Revision History

| Revision | Date | Description |
|----------|------------|-------------------------|
| 1 | 2017-12-29 | Initial public release. |
| 2 | 2018-01-02 | Updated availability for iOS MailPlus in Affected Products. |
]]>
</description>
<pubDate>Fri, 29 Dec 2017 13:33:29 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_82</guid>
</item>
<item>
<title>Synology-SA-17:81 MailPlus Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_81</link>
<description>
<![CDATA[ Abstract

A vulnerability allows remote authenticated users to inject arbitrary HTML via a susceptible version of MailPlus Server.

Updates for Affected Products

| Product | Severity | Fixed Release Availability |
|---------|----------|-------------|
| MailPlus Server | Low | Upgrade to 1.4.0-0415 or above. |

Mitigation

None

Detail

CVE-2017-16768
Severity: Low
CVSS3 Base Score: 4.8
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Cross-site scripting (XSS) vulnerability in User Policy editor in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary HTML via the name parameter.

Revision History

| Revision | Date | Description |
|----------|------------|-------------------------|
| 1 | 2017-12-27 | Initial public release. |
]]>
</description>
<pubDate>Wed, 27 Dec 2017 17:42:50 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_81</guid>
</item>
<item>
<title>Synology-SA-17:80 Photo Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_80</link>
<description>
<![CDATA[ Abstract

A vulnerability allows remote authenticated users to inject arbitrary web script or HTML via a susceptible version of Photo Station.

Updates for Affected Products

| Product | Severity | Latest Patch |
|---------|----------|-------------|
| Photo Station | Moderate | Upgrade to 6.8.0-3456 or above. |

Mitigation

None

Detail

CVE-2017-12072
Severity: Moderate
CVSS3 Base Score: 5.4
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.8.0-3456 allows remote authenticated users to inject arbitrary web script or HTML via the id parameter.

Revision History

| Revision | Date | Description |
|----------|------------|-------------------------|
| 1 | 2017-12-20 | Initial public release. |
]]>
</description>
<pubDate>Wed, 20 Dec 2017 17:12:49 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_80</guid>
</item>
<item>
<title>Synology-SA-17:79 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_79</link>
<description>
<![CDATA[ Abstract

This vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Synology Router Manager (SRM).

Updates for Affected Products

| Product | Severity | Latest Patch |
|---------|----------|-------------|
| SRM 1.1 | Moderate | Upgrade to 1.1.6-6931 or above. |

Mitigation

None

Detail

CVE-2017-12078
Severity: Important
CVSS3 Base Score: 7.2
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Command injection vulnerability in EZ-Internet in Synology Router Manager (SRM) before 1.1.6-6931 allows remote authenticated users to execute arbitrary commands via the username parameter.

Revision History

| Revision | Date | Description |
|----------|------------|-------------------------|
| 1 | 2017-12-19 | Initial public release. |
| 2 | 2018-06-08 | Disclosed vulnerability details. |
]]>
</description>
<pubDate>Tue, 19 Dec 2017 14:11:30 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_79</guid>
</item>
<item>
<title>Synology-SA-17:78 Chat</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_78</link>
<description>
<![CDATA[ Abstract

Multiple vulnerabilities allow remote authenticated users to access intranet resources and inject arbitrary web script and HTML code via a susceptible version of Chat.

Updates for Affected Products

| Product | Severity | Latest Patch |
|---------|----------|-------------|
| Chat | Moderate | Upgrade to 2.0.0-1124 or above. |

Mitigation

None

Detail

CVE-2017-15886
Severity: Moderate
CVSS3 Base Score: 6.4
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Server-side request forgery (SSRF) vulnerability in Link Preview in Synology Chat before 2.0.0-1124 allows remote authenticated users to download arbitrary local files via a crafted URI.

CVE-2017-15892
Severity: Moderate
CVSS3 Base Score: 4.4
CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Multiple cross-site scripting (XSS) vulnerabilities in Slash Command Creator in Synology Chat before 2.0.0-1124 allow remote authenticated users to inject arbitrary web script or HTML via the (1) COMMAND, (2) COMMANDS INSTRUCTION, or (3) DESCRIPTION parameter.

Revision History

| Revision | Date | Description |
|----------|------------|-------------------------|
| 1 | 2017-12-18 | Initial public release. |
| 2 | 2017-12-28 | Disclosed vulnerability details. |
]]>
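<![CDATA[ The SSRF in Link Preview above is the classic shape of the bug: a server-side fetcher that follows whatever URI a user pastes, so file:// and internal addresses are reachable from the server's vantage point. The following is an added example written for this page, not Synology's code and not how Chat implements its fix; it shows the pre-fetch check a link-preview service should apply. Assumptions: the scheme allowlist, the demo hostnames (www.example, intranet.example, mixed.example) and their constructed DNS answers are all invented for the example, and the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Only web schemes may be previewed; file://, gopher://, ftp:// etc. are refused.
ALLOWED_SCHEMES = {"http", "https"}

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> Iterable[str]:
    """Resolve host to every address the OS resolver returns (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_preview_target(url: str, resolve: Resolver = system_resolver) -> bool:
    """Decide whether a link-preview fetcher may retrieve url.

    Rejects non-http(s) schemes, URLs carrying credentials, empty hosts, and
    any host whose literal or resolved addresses include a loopback, private,
    link-local (169.254/16, where cloud metadata endpoints live), multicast or
    reserved address. Every resolved address is checked, so a name with mixed
    public and internal records is refused rather than raced.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP: no DNS involved
    except ValueError:
        try:
            addrs = list(resolve(host))
        except (socket.gaierror, OSError):
            return False
    if not addrs:
        return False
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        # is_global is False for loopback, private, link-local, multicast and
        # reserved ranges, which covers the internal targets an SSRF reaches.
        if not ip.is_global:
            return False
    return True


# Constructed DNS answers for the demo (assumed names; no real lookups are made).
_DEMO_DNS = {
    "www.example": ["93.184.216.34"],
    "intranet.example": ["10.1.2.3"],
    "mixed.example": ["93.184.216.34", "127.0.0.1"],
}


def demo_resolver(host: str) -> Iterable[str]:
    """Offline stand-in for system_resolver using the constructed table."""
    return _DEMO_DNS.get(host.lower(), [])
```

The check must be paired with the fetch: connect to the address that was vetted (and re-check on every redirect) rather than re-resolving the name, otherwise a DNS answer that changes between check and fetch still lands the request on an internal host.
]]>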
</description>
<pubDate>Mon, 18 Dec 2017 11:16:12 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_78</guid>
</item>
<item>
<title>Synology-SA-17:77 Surveillance Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_77</link>
<description>
<![CDATA[ Abstract

Multiple vulnerabilities in Surveillance Station allow remote authenticated users to obtain other users' sensitive files or inject arbitrary web script and HTML code.

Updates for Affected Products

| Product | Severity | Latest Patch |
|---------|----------|-------------|
| Surveillance Station 8.1 | Moderate | Upgrade to 8.1.2-5469 or above. |

Mitigation

None

Detail

CVE-2017-16767
Severity: Moderate
CVSS3 Base Score: 6.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter.

CVE-2017-16770
Severity: Moderate
CVSS3 Base Score: 4.3
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
File and directory information exposure vulnerability in SYNO.SurveillanceStation.PersonalSettings.Photo in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to obtain other users' sensitive files via the filename parameter.

Revision History

| Revision | Date | Description |
|----------|------------|-------------------------|
| 1 | 2017-12-12 | Initial public release. |
| 2 | 2018-02-26 | Disclosed vulnerability details. |
]]>
</description>
<pubDate>Tue, 12 Dec 2017 14:13:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_77</guid>
</item>
<item>
<title>Synology-SA-17:76 Photo Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_76</link>
<description>
<![CDATA[ Abstract

This vulnerability allows remote attackers to obtain sensitive information via a susceptible version of Photo Station.

Updates for Affected Products

| Product | Severity | Fixed Release Availability |
|---------|----------|-------------|
| Photo Station 6.8 | Moderate | Upgrade to 6.8.2-3461 or above. |

Mitigation

None

Detail

CVE-2017-16769
Severity: Moderate
CVSS3 Base Score: 5.3
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exposure of private information vulnerability in Photo Viewer in Synology Photo Station 6.8.1-3458 allows remote attackers to obtain metadata from password-protected photographs via the map viewer mode.

Acknowledgement

Peter Bennink (https://www.linkedin.com/in/peter-bennink/)

Revision History

| Revision | Date | Description |
|----------|------------|-------------------------|
| 1 | 2017-12-07 | Initial public release. |
| 2 | 2018-02-24 | Disclosed vulnerability details. |
]]>
</description>
<pubDate>Thu, 07 Dec 2017 15:14:06 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_76</guid>
</item>
<item>
<title>Synology-SA-17:75 MailPlus Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_75</link>
<description>
<![CDATA[ Abstract

CVE-2017-15890 allows remote authenticated users to inject arbitrary web script and HTML code into a susceptible version of MailPlus Server.

Severity

Impact: Moderate
CVSS3 Base Score: 4.8
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Affected Products

MailPlus Server before 1.4.0-0415

Models

All Synology models

Description

Cross-site scripting (XSS) vulnerability in Disclaimer in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary web script or HTML via the NAME parameter.

Mitigation

None

Update Availability

To fix the security issue, please go to DSM &gt; Package Center and update MailPlus Server to 1.4.0-0415 or above.
]]>
</description>
<pubDate>Fri, 24 Nov 2017 18:01:45 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_75</guid>
</item>
<item>
<title>Synology-SA-17:74 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_74</link>
<description>
<![CDATA[ Abstract

CVE-2017-16766 allows local users to inject arbitrary web script and HTML via susceptible versions of Synology DiskStation Manager (DSM).

Severity

Impact: Moderate
CVSS3 Base Score: 5.0
CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products

DSM 6.1
DSM 6.0

Models

All Synology models

Description

An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6 allows local users to inject arbitrary web script or HTML via the -fn option.

Mitigation

None

Update Availability

To fix the security issue, please update DSM 6.1 to 6.1.4-15217 or above, or DSM 6.0 to 6.0.3-8754-6 or above.
]]>
</description>
<pubDate>Fri, 24 Nov 2017 18:01:27 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_74</guid>
</item>
<item>
<title>Synology-SA-17:73 Intel TXE and ME</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_73</link>
<description>
<![CDATA[ Abstract

Multiple security vulnerabilities have been found in Intel Trusted Execution Engine (TXE) and Intel Manageability Engine (ME). These vulnerabilities may allow local attackers to execute arbitrary code, cause a denial of service, or obtain sensitive information on a vulnerable version of Synology DiskStation Manager (DSM). Administrative privilege is required for these vulnerabilities to be exploited; therefore, Synology has evaluated this issue to be of moderate severity.

Severity

CVE-2017-5705
Impact: Important
CVSS3 Base Score: 8.2
CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2017-5706
Impact: Not Affected

CVE-2017-5707
Impact: Important
CVSS3 Base Score: 8.2
CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2017-5708
Impact: Important
CVSS3 Base Score: 7.5
CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

CVE-2017-5709
Impact: Not Affected

CVE-2017-5710
Impact: Important
CVSS3 Base Score: 7.5
CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

CVE-2017-5711
Impact: Moderate
CVSS3 Base Score: 6.7
CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2017-5712
Impact: Important
CVSS3 Base Score: 7.2
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected Products

DSM 6.1

Models

Plus Series
18-Series: DS918+, DS718+, DS218+

Value Series
18-Series: DS418play

Description

CVE-2017-5705
Multiple buffer overflows in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow an attacker with local access to the system to execute arbitrary code.

CVE-2017-5706
Multiple buffer overflows in kernel in Intel Server Platform Services Firmware 4.0 allow an attacker with local access to the system to execute arbitrary code.

CVE-2017-5707
Multiple buffer overflows in kernel in Intel Trusted Execution Engine Firmware 3.0 allow an attacker with local access to the system to execute arbitrary code.

CVE-2017-5708
Multiple privilege escalations in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow an unauthorized process to access privileged content via an unspecified vector.

CVE-2017-5709
Multiple privilege escalations in kernel in Intel Server Platform Services Firmware 4.0 allow an unauthorized process to access privileged content via an unspecified vector.

CVE-2017-5710
Multiple privilege escalations in kernel in Intel Trusted Execution Engine Firmware 3.0 allow an unauthorized process to access privileged content via an unspecified vector.

CVE-2017-5711
Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow an attacker with local access to the system to execute arbitrary code with AMT execution privilege.

CVE-2017-5712
Buffer overflow in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allows an attacker with remote Admin access to the system to execute arbitrary code with AMT execution privilege.

Mitigation

None

Update Availability

Synology will release the updates for affected products.

Reference

INTEL-SA-00086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5705
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5706
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5707
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5708
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5709
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5710
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5711
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5712
]]>
</description>
<pubDate>Wed, 22 Nov 2017 18:23:20 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_73</guid>
</item>
<item>
<title>Synology-SA-17:72 Samba</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_72_Samba</link>
<description>
<![CDATA[ Abstract

Multiple security vulnerabilities have been found in Samba which allow remote attackers to launch a denial-of-service attack, retrieve sensitive information, or possibly execute arbitrary code on a vulnerable version of Synology DiskStation Manager (DSM) or Synology Router Manager (SRM).

Severity

CVE-2017-14746
Impact: Important
CVSS3 Base Score: 8.8
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2017-15275
Impact: Moderate
CVSS3 Base Score: 5.3
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products

DSM 6.1
DSM 6.0
DSM 5.2
SRM 1.1

Models

All Synology models

Description

CVE-2017-14746
All versions of Samba from 4.0.0 onwards are vulnerable to a use-after-free vulnerability, where a malicious SMB1 request can be used to control the contents of heap memory via a deallocated heap pointer. It is possible this may be used to compromise the SMB server.

CVE-2017-15275
All versions of Samba from 3.6.0 onwards are vulnerable to a heap memory information leak, where server-allocated heap memory may be returned to the client without being cleared.

Mitigation

For DSM 6.1
Go to Control Panel &gt; File Service &gt; SMB &gt; Advanced Settings, and set Minimum SMB protocol to SMB2.

For DSM 6.0
Go to Control Panel &gt; Applications &gt; Terminal &amp; SNMP, and tick Enable SSH service. Log in to DSM via SSH as &quot;admin&quot; and execute the following command:

sudo /usr/bin/sed -i '/min protocol/d' /etc/samba/smb.conf &amp;&amp; sudo sh -c &quot;echo 'min protocol=SMB2' &gt;&gt; /etc/samba/smb.conf&quot; &amp;&amp; sudo /sbin/restart smbd

For DSM 5.2
Go to Control Panel &gt; Applications &gt; Terminal &amp; SNMP, and tick Enable SSH service. Log in to DSM via SSH as &quot;root&quot; and execute the following command:

/bin/sed -i '/min protocol/d' /usr/syno/etc/smb.conf &amp;&amp; /bin/sed -i &quot;/\[global\]/a min protocol=SMB2&quot; /usr/syno/etc/smb.conf &amp;&amp; /sbin/restart smbd

For SRM 1.1
Go to Control Panel &gt; Services &gt; System Services, and tick Enable SSH service. Log in to SRM via SSH as &quot;root&quot; and execute the following command:

/bin/sed -i '/min protocol/d' /usr/syno/etc/smb.conf &amp;&amp; /bin/sed -i &quot;/\[global\]/a min protocol=SMB2&quot; /usr/syno/etc/smb.conf &amp;&amp; /sbin/restart smbd

Update Availability

To fix the security issue, please update DSM 6.1 to 6.1.4-15217-2 or above. For DSM 5.2 and DSM 6.0 users, please update DSM to 6.1.4-15217-2 or above.

Reference

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15275
https://www.samba.org/samba/security/CVE-2017-14746.html
https://www.samba.org/samba/security/CVE-2017-15275.html
]]>
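<![CDATA[ The one-line mitigations above work, but two details are worth seeing handled explicitly: sed's /min protocol/d deletes every line that merely contains that string, including a "client min protocol" setting or a comment, and appending to the end of the file only lands the key in [global] when [global] is the last section. The following is an added example written for this page, not Synology's tooling; it parses an smb.conf, reports whether the server minimum dialect already excludes SMB1, and rewrites the setting inside [global] only. Assumptions: a Samba-style INI layout, that "min protocol" and "server min protocol" are synonyms (true for Samba 4.x), and the dialect ranking table, which is the example's own; SAMPLE_CONF is constructed for the demo and is not a real Synology configuration.

```python
import re
from typing import Optional

# Samba dialect names in negotiation order. Anything ranked at or above SMB2
# means the server refuses SMB1 (NT1 and the older LANMAN/CORE dialects).
# The ranking itself is this example's assumption, not a Samba API.
_DIALECT_RANK = {
    "CORE": 0, "COREPLUS": 1, "LANMAN1": 2, "LANMAN2": 3, "NT1": 4,
    "SMB2_02": 5, "SMB2_10": 6, "SMB2": 6, "SMB2_22": 7, "SMB2_24": 8,
    "SMB3_00": 9, "SMB3_02": 10, "SMB3_10": 11, "SMB3_11": 12, "SMB3": 12,
}

# 'min protocol' and 'server min protocol' are synonyms in Samba 4.x;
# 'client min protocol' is a different setting and must not be touched.
_MIN_PROTO_RE = re.compile(r"^\s*(server\s+)?min\s+protocol\s*=\s*(\S+)\s*$", re.IGNORECASE)
_SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
_SETTING_LINE = "    min protocol = SMB2"


def global_min_protocol(conf_text: str) -> Optional[str]:
    """Return the 'min protocol' value set in [global], or None if unset.

    Comments and other sections are ignored; if the key appears twice the
    last one wins, which is how Samba itself parses the file.
    """
    section = None
    value = None
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = _MIN_PROTO_RE.match(line)
        if m and section == "global":
            value = m.group(2).upper()
    return value


def smb1_disabled(conf_text: str) -> bool:
    """True when the configured server minimum dialect is SMB2 or newer."""
    value = global_min_protocol(conf_text)
    if value is None:
        return False   # no explicit minimum: Samba of this era still accepts SMB1
    return _DIALECT_RANK.get(value, -1) >= _DIALECT_RANK["SMB2"]


def enforce_min_smb2(conf_text: str) -> str:
    """Return conf_text with 'min protocol = SMB2' set in [global].

    The first matching setting inside [global] is rewritten and any later
    duplicate dropped; if [global] has no such line, one is added before the
    next section header (or at EOF). Running it twice yields the same text.
    """
    out = []
    section = None
    inserted = False
    for line in conf_text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            if section == "global" and not inserted:
                # Keep blank lines that separated [global] from the next section.
                blanks = []
                while out and not out[-1].strip():
                    blanks.append(out.pop())
                out.append(_SETTING_LINE)
                out.extend(blanks)
                inserted = True
            section = m.group(1).strip().lower()
            out.append(line)
            continue
        if section == "global" and _MIN_PROTO_RE.match(line):
            if not inserted:
                out.append(_SETTING_LINE)
                inserted = True
            continue
        out.append(line)
    if not inserted:
        if section == "global":
            out.append(_SETTING_LINE)
        else:
            out = ["[global]", _SETTING_LINE, ""] + out
    return "\n".join(out) + "\n"


# Constructed sample in the style of a DSM 6.0-era smb.conf; not a real Synology file.
SAMPLE_CONF = """\
[global]
    workgroup = WORKGROUP
    # min protocol is not set here, so SMB1 clients are still accepted
    client min protocol = NT1
    max protocol = SMB3

[homes]
    path = /var/services/homes
"""
```

Reading the file back only proves what is on disk; smbd still has to be restarted (as the advisory's commands do) before a client is actually refused SMB1, and on DSM the web UI can regenerate smb.conf, so re-run the check after any change made there.
]]>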
</description>
<pubDate>Tue, 21 Nov 2017 19:17:51 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_72_Samba</guid>
</item>
<item>
<title>Synology-SA-17:71 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_71_SRM</link>
<description>
<![CDATA[ Abstract

CVE-2017-15895 allows remote authenticated users to write arbitrary files via a vulnerable version of Synology Router Manager (SRM).

Severity

Impact: Important
CVSS3 Base Score: 7.1
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Affected Products

SRM 1.1

Models

All Synology models

Description

Directory traversal vulnerability in SYNO.FileStation.Extract in Synology Router Manager (SRM) before 1.1.5-6542-4 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.

Mitigation

None

Update Availability

To fix the security issue, please update SRM 1.1 to 1.1.5-6542-4 or above.
]]>
</description>
<pubDate>Wed, 15 Nov 2017 13:27:01 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_71_SRM</guid>
</item>
<item>
<title>Synology-SA-17:70 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_70_DSM</link>
<description>
<![CDATA[ Abstract

CVE-2017-15894 allows remote authenticated users to write arbitrary files via a vulnerable version of Synology DiskStation Manager (DSM).

Severity

Impact: Important
CVSS3 Base Score: 7.1
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Affected Products

DSM 6.0
DSM 5.2

Models

All Synology models

Description

Directory traversal vulnerability in SYNO.FileStation.Extract in Synology DiskStation Manager (DSM) 6.0.x before 6.0.3-8754-3 and before 5.2-5967-6 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.

Mitigation

None

Update Availability

To fix the security issue, please update DSM 6.0 to 6.0.3-8754-3 or above and DSM 5.2 to 5.2-5967-6 or above.
]]>
</description>
<pubDate>Wed, 15 Nov 2017 13:26:55 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_70_DSM</guid>
</item>
<item>
<title>Synology-SA-17:69 File Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_69_File_Station</link>
<description>
<![CDATA[ Abstract

CVE-2017-15893 allows remote authenticated users to write arbitrary files via a vulnerable version of File Station.

Severity

Impact: Important
CVSS3 Base Score: 7.1
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Affected Products

File Station before 1.1.1-0099

Description

Directory traversal vulnerability in SYNO.FileStation.Extract in Synology File Station before 1.1.1-0099 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.

Mitigation

None

Update Availability

To fix the security issue, please go to DSM &gt; Package Center and update File Station to 1.1.1-0099 or above.
]]>
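<![CDATA[ Synology-SA-17:71, 17:70 and 17:69 are the same bug in the same API: SYNO.FileStation.Extract accepts a client-supplied dest_folder_path and an archive is written wherever that path points, so "../" segments (or an absolute path) leave the share. The following is an added example written for this page, not Synology's code and not the actual fix shipped in those releases; it puts the flawed join beside a containment check that resolves the destination and refuses anything outside the share root, including escapes through a symlink. Assumptions: the share root is the caller's, the demo directory and its "escape" symlink are constructed in a temporary directory for the example, and the function names are invented here.

```python
import os
import tempfile


def unsafe_dest_folder(shared_root: str, dest_folder_path: str) -> str:
    """The flawed pattern: trust the client's path and just join it.

    os.path.join keeps the '..' segments, so normalisation lands outside the
    share; an absolute dest_folder_path even discards shared_root entirely.
    """
    return os.path.normpath(os.path.join(shared_root, dest_folder_path))


def resolve_dest_folder(shared_root: str, dest_folder_path: str) -> str:
    """Map a client-supplied extraction target onto disk, refusing escapes.

    shared_root is the real on-disk directory the caller may write to;
    dest_folder_path is the untrusted request parameter. Absolute paths,
    '..' traversal and symlinks that resolve outside shared_root all raise
    PermissionError. The returned path is fully resolved, so the caller
    should open it as returned rather than re-joining the original parameter.
    """
    root = os.path.realpath(shared_root)
    if os.path.isabs(dest_folder_path):
        raise PermissionError(f"absolute destination not allowed: {dest_folder_path!r}")
    candidate = os.path.realpath(os.path.join(root, dest_folder_path))
    # commonpath compares whole components, so /volume1/share2 is not treated
    # as being inside /volume1/share.
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"destination escapes share: {dest_folder_path!r}")
    return candidate


def classify(shared_root: str, dest_folder_path: str) -> str:
    """'allowed' or 'rejected' for one candidate dest_folder_path."""
    try:
        resolve_dest_folder(shared_root, dest_folder_path)
        return "allowed"
    except PermissionError:
        return "rejected"


def build_demo_share() -> str:
    """Create a throwaway share (constructed for this example) holding a
    legitimate subfolder and a symlink that points outside the share."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "backups", "2017"))
    os.symlink(os.path.dirname(root), os.path.join(root, "escape"))
    return root
```

Because realpath is a check-then-use step, a symlink swapped in between the check and the extraction can still redirect writes; the defence that closes that window is to extract with the resolved path and open each output file with O_NOFOLLOW (or inside a directory handle), which this example leaves to the archive writer.
]]>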
</description>
<pubDate>Wed, 15 Nov 2017 13:26:44 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_69_File_Station</guid>
</item>
<item>
<title>Synology-SA-17:68 Calendar</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_68_Calendar</link>
<description>
<![CDATA[ Abstract

CVE-2017-15891 allows remote authenticated users to modify calendar events without authorization via a vulnerable version of Calendar.

Severity

Impact: Important
CVSS3 Base Score: 7.1
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Affected Products

Calendar before 2.0.1-0242

Models

All Synology models

Description

Improper access control vulnerability in SYNO.Cal.EventBase in Synology Calendar before 2.0.1-0242 allows remote authenticated users to modify calendar events via unspecified vectors.

Mitigation

None

Update Availability

To fix the security issue, please go to DSM &gt; Package Center and update Calendar to 2.0.1-0242 or above.
]]>
</description>
<pubDate>Fri, 10 Nov 2017 17:59:55 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_68_Calendar</guid>
</item>
<item>
<title>Synology-SA-17:67 Mail Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_67_Mail_Station</link>
<description>
<![CDATA[ Abstract

CVE-2017-16651 allows remote authenticated users to access arbitrary files on the system via a vulnerable version of Mail Station.

Severity

Impact: Moderate
CVSS3 Base Score: 6.5
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products

Mail Station 20170214-0280 and earlier

Models

All Synology models

Description

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password, as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&amp;_action=upload-display&amp;_from=timezone requests.

Mitigation

None

Update Availability

To fix the security issue, please go to DSM &gt; Package Center and update Mail Station to 20171201-0283 or above.

Reference

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16651
]]>
</description>
<pubDate>Fri, 10 Nov 2017 17:59:49 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_67_Mail_Station</guid>
</item>
<item>
<title>Synology-SA-17:66 OpenJDK</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_66_OpenJDK</link>
<description>
<![CDATA[ Abstract

Multiple security vulnerabilities have been found in OpenJDK, and may allow remote unauthenticated users to execute arbitrary code and gain unauthorized access to data through a vulnerable version of Java7 or Java8.

Severity

CVE-2017-10274
Impact: Important
CVSS3 Base Score: 6.8
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

CVE-2017-10285
Impact: Critical
CVSS3 Base Score: 8.8
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2017-10346
Impact: Critical
CVSS3 Base Score: 8.8
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2017-10388
Impact: Important
CVSS3 Base Score: 6.8
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Affected Products

Java7 7.0.131-0012 and earlier
Java8 before 8.0.151-0014

Models

All Synology models

Description

CVE-2017-10274
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Smart Card IO). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data as well as unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

CVE-2017-10285
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2017-10346
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2017-10388
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: Applies to the Java SE Kerberos client. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

Mitigation

None

Update Availability

To fix the security issues, please go to DSM &gt; Package Center and update Java8 to 8.0.151-0014 or above, or update Java7 to 7.0.161-0013 or above.

Reference

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10274
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10346
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10388
https://access.redhat.com/security/cve/CVE-2017-10274
https://access.redhat.com/security/cve/CVE-2017-10285
https://access.redhat.com/security/cve/CVE-2017-10346
https://access.redhat.com/security/cve/CVE-2017-10388
]]>
</description>
<pubDate>Thu, 09 Nov 2017 17:58:43 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_66_OpenJDK</guid>
</item>
<item>
<title>Synology-SA-17:65 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_65_DSM</link>
<description>
<![CDATA[ Abstract CVE-2017-15889 allows remote authenticated users to execute arbitrary commands on a vulnerable version of Synology DiskStation Manager (DSM). Severity Impact: Important CVSS3 Base Score: 7.2 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Affected Products DSM 5.2 Models All Synology models Description Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field. Mitigation None Update Availability To fix the security issue, please update DSM 5.2 to 5.2-5967-5 or above. ]]>
</description>
<pubDate>Wed, 08 Nov 2017 17:11:36 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_65_DSM</guid>
</item>
<item>
<title>Synology-SA-17:64 CardDAV Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_64_CardDAV_Server</link>
<description>
<![CDATA[ Abstract CVE-2017-15887 allows remote users to obtain system user accounts via a brute-force attack against a vulnerable version of CardDAV Server. Severity Impact: Critical CVSS3 Base Score: 9.1 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Affected Products CardDAV Server before 6.0.7-0085 Description An improper restriction of excessive authentication attempts vulnerability in /principals in Synology CardDAV Server before 6.0.7-0085 allows remote attackers to obtain user credentials via a brute-force attack. Mitigation None Update Availability To fix the security issue, please go to DSM &gt; Package Center and update CardDAV Server to 6.0.7-0085 or above. ]]>
</description>
<pubDate>Mon, 06 Nov 2017 16:35:38 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_64_CardDAV_Server</guid>
</item>
<item>
<title>Synology-SA-17:63 Photo Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_63_Photo_Station</link>
<description>
<![CDATA[ Abstract Multiple security vulnerabilities have been found in Photo Station, and may allow remote attackers to read arbitrary files, or obtain sensitive system information from a vulnerable version of Synology Photo Station. Severity CVE-2017-12079 Impact: Moderate CVSS3 Base Score: 5.3 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2017-12080 Impact: Moderate CVSS3 Base Score: 5.3 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Affected Products Photo Station before 6.8.1-3458 and before 6.3-2970 Description CVE-2017-12079 Files or directories accessible to external parties vulnerability in picasa.php in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain arbitrary files via prog_id field. CVE-2017-12080 An information exposure vulnerability in default HTTP configuration file in Synology Photo Station before 6.8.1-3458 and before 6.3-2970 allows remote attackers to obtain sensitive system information via .htaccess file. Mitigation None Update Availability To fix the security issue, please go to DSM &gt; Package Center and update Photo Station to 6.8.1-3458 or above or 6.3-2970 or above. ]]>
</description>
<pubDate>Mon, 06 Nov 2017 16:35:28 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_63_Photo_Station</guid>
</item>
<item>
<title>Synology-SA-17:62 Wget</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_62_Wget</link>
<description>
<![CDATA[ Abstract Multiple security vulnerabilities have been found in Wget, and may allow man-in-the-middle attackers to execute arbitrary code or cause a denial of service on a vulnerable version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), and Download Station. Severity CVE-2017-13089 Impact: Important CVSS3 Base Score: 7.3 CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2017-13090 Impact: Important CVSS3 Base Score: 7.3 CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Affected Products DSM 6.1 DSM 6.0 DSM 5.2 SRM 1.1 Download Station before 3.8.7-3490 Models All Synology models Description CVE-2017-13089 The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but ends up passing the negative chunk length to connect.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. CVE-2017-13090 The retr.c:fd_read_body() function is called when processing OK responses. When the response is sent chunked in wget before 1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't check that the chunk length is a non-negative number. The code then tries to read the chunk in pieces of 8192 bytes by using the MIN() macro, but ends up passing the negative chunk length to retr.c:fd_read(). As fd_read() takes an int argument, the high 32 bits of the chunk length are discarded, leaving fd_read() with a completely attacker controlled length argument. The attacker can corrupt malloc metadata after the allocated buffer. 
Mitigation None Update Availability To fix the security issues: please go to DSM &gt; Package Center and update Download Station to 3.8.7-3490 or above. For DSM 5.2, DSM 6.0 and DSM 6.1 users, please update DSM to 6.1.4-15217 or above. Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13089 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13090 https://access.redhat.com/security/cve/cve-2017-13089 https://access.redhat.com/security/cve/cve-2017-13090 ]]>
</description>
<pubDate>Thu, 02 Nov 2017 17:37:11 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_62_Wget</guid>
</item>
<item>
<title>Synology-SA-17:61 Audio Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_61_Audio_Station</link>
<description>
<![CDATA[ Abstract CVE-2017-15888 allows remote authenticated users to inject arbitrary web script or HTML into a vulnerable version of Audio Station. Severity Impact: Moderate CVSS3 Base Score: 5.4 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Affected Products Audio Station before 6.3.0-3260 Description Cross-site scripting (XSS) vulnerability in Custom Internet Radio List in Synology Audio Station before 6.3.0-3260 allows remote authenticated attackers to inject arbitrary web script or HTML via the NAME parameter. Mitigation None Update Availability To fix the security issue, please go to DSM &gt; Package Center and update Audio Station to 6.3.0-3260 or above. ]]>
</description>
<pubDate>Mon, 30 Oct 2017 15:29:46 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_61_Audio_Station</guid>
</item>
<item>
<title>Synology-SA-17:60 KRACK</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_60_KRACK</link>
<description>
<![CDATA[ Abstract Multiple security vulnerabilities have been found in WPA2 protocol, and might allow man-in-the-middle attackers to hijack the entire network traffic through a vulnerable version of Synology DiskStation Manager (DSM) or Synology Router Manager (SRM). These vulnerabilities do not affect Synology DiskStation Manager (DSM) on devices without a Wi-Fi dongle installed. Severity Impact: Important CVSS3 Base Score: 8.1 CVSS3 Base Metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Affected Products DSM 6.1 DSM 6.0 DSM 5.2 SRM 1.1 Models All Synology models Description CVE-2017-13077 Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake. CVE-2017-13078 Reinstallation of the group key (GTK) in the 4-way handshake. CVE-2017-13079 Reinstallation of the integrity group key (IGTK) in the 4-way handshake. CVE-2017-13080 Reinstallation of the group key (GTK) in the group key handshake. CVE-2017-13081 Reinstallation of the integrity group key (IGTK) in the group key handshake. CVE-2017-13082 Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it. CVE-2017-13084 Reinstallation of the STK key in the PeerKey handshake. CVE-2017-13086 Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake. CVE-2017-13087 Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame. CVE-2017-13088 Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame. Mitigation None Update Availability To fix the security issue, please update DSM 6.1 to 6.1.3-15152-8 or above, DSM 6.0 to 6.0.3-8754-6 or above and SRM 1.1 to 1.1.5-6542-3 or above. For DSM 5.2 please update DSM to 6.0.3-8754-6 or above. 
Reference https://www.krackattacks.com/ https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13077 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13078 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13079 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13080 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13081 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13082 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13084 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13085 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13086 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13087 ]]>
</description>
<pubDate>Mon, 16 Oct 2017 19:38:38 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_60_KRACK</guid>
</item>
<item>
<title>Synology-SA-17:59 Dnsmasq</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_59_Dnsmasq</link>
<description>
<![CDATA[ Abstract Multiple security vulnerabilities have been found in Dnsmasq, and may allow remote attackers to execute arbitrary code, cause a denial of service, or retrieve sensitive information from a vulnerable version of Synology DiskStation Manager (DSM) or Synology Router Manager (SRM). These vulnerabilities do not affect Synology DiskStation Manager (DSM) on devices without a Wi-Fi dongle installed. Severity CVE-2017-14491 Impact: Critical CVSS3 Base Score: 9.8 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-14492 Impact: Critical CVSS3 Base Score: 8.8 CVSS3 Base Metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-14493 Impact: Critical CVSS3 Base Score: 8.8 CVSS3 Base Metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-14494 Impact: Important CVSS3 Base Score: 6.5 CVSS3 Base Metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2017-14495 Impact: Important CVSS3 Base Score: 7.5 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-14496 Impact: Important CVSS3 Base Score: 7.5 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-13704 Impact: Important CVSS3 Base Score: 7.5 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products DSM 6.1 DSM 6.0 DSM 5.2 SRM 1.1 Models All Synology models Description CVE-2017-14491 Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response. CVE-2017-14492 Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted IPv6 router advertisement request. CVE-2017-14493 Stack-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DHCPv6 request. 
CVE-2017-14494 dnsmasq before 2.78, when configured as a relay, allows remote attackers to obtain sensitive memory information via vectors involving handling DHCPv6 forwarded requests. CVE-2017-14495 Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service (memory consumption) via vectors involving DNS response creation. CVE-2017-14496 Integer underflow in the add_pseudoheader function in dnsmasq before 2.78, when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service via a crafted DNS request. CVE-2017-13704 In dnsmasq before 2.78, if the DNS packet size does not match the expected size, the size parameter in a memset call gets a negative value. As it is an unsigned value, memset ends up writing up to 0xffffffff zeros (0xffffffffffffffff on 64-bit platforms), making dnsmasq crash. Mitigation For an immediate workaround, please contact us at security@synology.com. Update Availability To fix the security issue, please update DSM 6.1 to 6.1.3-15152-6 or above, DSM 6.0 to CVE-2017-13078 or above and SRM 1.1 to 1.1.5-6542-2 or above. For DSM 5.2 please update DSM to 6.0.3-8754-6 or above. 
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14491 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14492 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14493 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14494 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14495 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14496 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13704 https://access.redhat.com/security/cve/CVE-2017-14491 https://access.redhat.com/security/cve/CVE-2017-14492 https://access.redhat.com/security/cve/CVE-2017-14493 https://access.redhat.com/security/cve/CVE-2017-14494 https://access.redhat.com/security/cve/CVE-2017-14495 https://access.redhat.com/security/cve/CVE-2017-14496 https://access.redhat.com/security/cve/CVE-2017-13704 ]]>
</description>
<pubDate>Tue, 03 Oct 2017 16:31:53 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_59_Dnsmasq</guid>
</item>
<item>
<title>Synology-SA-17:58 Linux kernel</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_58_Linux_kernel</link>
<description>
<![CDATA[ Abstract CVE-2017-1000253 allows local users to obtain privileges without consent from a vulnerable version of Synology DiskStation Manager (DSM) or Synology Router Manager (SRM). Severity Impact: Important CVSS3 Base Score: 7.0 CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products DSM 6.0 DSM 5.2 SRM 1.1 Models All Synology models Description A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system. Mitigation None Update Availability To fix the security issue, please update DSM 5.2 to 5.2-5967-5 or above, DSM 6.0 to 6.0.3-8754-6 or above and SRM 1.1 to 1.1.5-6542-2 or above. Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000253 https://access.redhat.com/security/cve/cve-2017-1000253 ]]>
</description>
<pubDate>Fri, 29 Sep 2017 15:45:48 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_58_Linux_kernel</guid>
</item>
<item>
<title>Synology-SA-17:57 Samba</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_57_Samba</link>
<description>
<![CDATA[ Abstract Multiple security vulnerabilities have been found in Samba. CVE-2017-12163 allows man-in-the-middle attackers to retrieve sensitive information from a vulnerable version of Synology DiskStation Manager (DSM) or Synology Router Manager (SRM). Severity CVE-2017-12150 Impact: Not affected CVE-2017-12151 Impact: Not affected CVE-2017-12163 Impact: Moderate CVSS3 Base Score: 4.1 CVSS3 Base Metrics: CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Affected Products DSM 6.1 DSM 6.0 DSM 5.2 SRM 1.1 Models All Synology models Description CVE-2017-12150 It was found that samba did not enforce &quot;SMB signing&quot; when certain configuration options were enabled. A remote attacker could launch a man-in-the-middle attack and retrieve information in plain-text. CVE-2017-12151 A flaw was found in the way samba client used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack. CVE-2017-12163 An information leak flaw was found in the way SMB1 protocol was implemented by Samba. A malicious client could use this flaw to dump server memory contents to a file on the samba share or to a shared printer, though the exact area of server memory cannot be controlled by the attacker. Mitigation For DSM 6.1 Go to Control Panel &gt; File Service &gt; SMB &gt; Advanced Settings, and set Minimum SMB protocol as SMB2. For DSM 6.0 Go to Control Panel &gt; Applications &gt; Terminal &amp; SNMP, and tick Enable SSH service. Log in to DSM via SSH as &quot;admin&quot; and execute the following command: sudo /usr/bin/sed -i '/min protocol/d' /etc/samba/smb.conf &amp;&amp; sudo sh -c &quot;echo 'min protocol=SMB2' &gt;&gt; /etc/samba/smb.conf&quot; &amp;&amp; sudo /sbin/restart smbd For DSM 5.2 Go to Control Panel &gt; Applications &gt; Terminal &amp; SNMP and tick Enable SSH service. 
Log in to DSM via SSH as &quot;root&quot; and execute the following command: /bin/sed -i '/min protocol/d' /usr/syno/etc/smb.conf &amp;&amp; /bin/sed -i &quot;/\[global\]/a min protocol=SMB2&quot; /usr/syno/etc/smb.conf &amp;&amp; /sbin/restart smbd For SRM 1.1 Go to Control Panel &gt; Services &gt; System Services and tick Enable SSH service. Log in to SRM via SSH as &quot;root&quot; and execute the following command: /bin/sed -i '/min protocol/d' /usr/syno/etc/smb.conf &amp;&amp; /bin/sed -i &quot;/\[global\]/a min protocol=SMB2&quot; /usr/syno/etc/smb.conf &amp;&amp; /sbin/restart smbd Update Availability To fix the security issue, please update DSM 5.2 to 6.1.4-15217 or above, DSM 6.0 to 6.1.4-15217 or above and DSM 6.1 to 6.1.4-15217 or above. Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12150 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12151 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12163 https://access.redhat.com/security/cve/cve-2017-12150 https://access.redhat.com/security/cve/cve-2017-12151 https://access.redhat.com/security/cve/cve-2017-12163 https://www.samba.org/samba/security/CVE-2017-12150.html https://www.samba.org/samba/security/CVE-2017-12151.html https://www.samba.org/samba/security/CVE-2017-12163.html ]]>
</description>
<pubDate>Mon, 25 Sep 2017 15:10:08 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_57_Samba</guid>
</item>
<item>
<title>Synology-SA-17:56 OptionsBleed</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_56_OptionsBleed</link>
<description>
<![CDATA[ Abstract CVE-2017-9798, also known as OptionsBleed, allows remote attackers to retrieve sensitive information via the HTTP OPTIONS method from a vulnerable version of Apache HTTP server. Severity Impact: Moderate CVSS3 Base Score: 5.9 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Products Apache HTTP Server 2.2 2.2.31-0017 and earlier Apache HTTP Server 2.4 2.4.25-0008 and earlier Models All Synology models Description Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c. Mitigation None Update Availability To fix the security issue, please go to DSM &gt; Package Center and update Apache HTTP Server 2.2 to 2.2.34-0020 or above or Apache HTTP Server 2.4 to 2.4.29-0011 or above. Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798 https://access.redhat.com/security/cve/cve-2017-9798 ]]>
</description>
<pubDate>Mon, 25 Sep 2017 15:10:01 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_56_OptionsBleed</guid>
</item>
<item>
<title>Synology-SA-17:55 Joomla</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_55_Joomla</link>
<description>
<![CDATA[ Abstract CVE-2017-14596 allows remote attackers to retrieve sensitive information via a vulnerable version of Joomla. Severity Impact: Moderate CVSS3 Base Score: 5.9 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Products Joomla before 3.8.0-0160 Models All Synology models Description In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication plugin can result in a disclosure of a username and password. Mitigation None Update Availability To fix the security issue, please go to DSM &gt; Package Center and update Joomla to 3.8.0-0160 or above. Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14596 ]]>
</description>
<pubDate>Fri, 22 Sep 2017 17:09:54 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_55_Joomla</guid>
</item>
<item>
<title>Synology-SA-17:54 Tomcat</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_54_Tomcat</link>
<description>
<![CDATA[ Abstract Multiple security vulnerabilities have been found in Tomcat. These vulnerabilities allow remote attackers to execute arbitrary code or may result in the leak of sensitive information from a vulnerable version of Tomcat. Severity CVE-2017-12615 Impact: Important CVSS3 Base Score: 8.1 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-12616 Impact: Moderate CVSS3 Base Score: 5.3 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Affected Products Tomcat6 6.0.48-0107 and earlier Tomcat7 7.0.73-0110 and earlier Models All Synology models Description CVE-2017-12615 When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. CVE-2017-12616 When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request. Mitigation None Update Availability To fix the security issue, please update Tomcat7 to 7.0.82-0113 or above. Tomcat6 has reached its end of life. We will no longer maintain this package. Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12615 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12616 https://access.redhat.com/security/cve/CVE-2017-12615 https://access.redhat.com/security/cve/CVE-2017-12616 ]]>
</description>
<pubDate>Thu, 21 Sep 2017 16:37:59 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_54_Tomcat</guid>
</item>
<item>
<title>Synology-SA-17:53 SugarCRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_53_SugarCRM</link>
<description>
<![CDATA[ Abstract Multiple security vulnerabilities have been found in SugarCRM. These vulnerabilities allow remote attackers to perform SQL injection, remote file inclusion, and cross-site scripting attacks, or may result in the leak of sensitive information from a vulnerable version of SugarCRM. Severity CVE-2017-14508 Impact: Important CVSS3 Base Score: 8.8 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-14509 Impact: Low CVSS3 Base Score: 4.3 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2017-14510 Impact: Moderate CVSS3 Base Score: 6.1 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Affected Products SugarCRM 6.5.24-0136 and earlier Models All Synology models Description CVE-2017-14508 An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). Several areas have been identified in the Documents and Emails module that could allow an authenticated user to perform SQL injection, as demonstrated by a backslash character at the end of a bean_id to modules/Emails/DetailView.php. An attacker could exploit these vulnerabilities by sending a crafted SQL request to the affected areas. An exploit could allow the attacker to modify the SQL database. Proper SQL escaping has been added to prevent such exploits. CVE-2017-14509 An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). A remote file inclusion has been identified in the Connectors module allowing authenticated users to include remotely accessible system files via a module=CallRest&amp;url= query string. Proper input validation has been added to mitigate this issue. CVE-2017-14510 An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 (and Sugar Community Edition 6.5.26). 
The WebToLeadCapture functionality was found to be vulnerable to unauthenticated cross-site scripting (XSS) attacks. This attack vector is mitigated by properly validating the redirect URL values being passed along. Mitigation None Update Availability None Reference http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14508 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14509 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14510 https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-006/ https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-007/ https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-008/ https://blog.ripstech.com/2017/sugarcrm-security-diet-multiple-vulnerabilities/ ]]>
</description>
<pubDate>Mon, 18 Sep 2017 16:07:44 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_53_SugarCRM</guid>
</item>
<item>
<title>Synology-SA-17:52 BlueBorne</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_52_BlueBorne</link>
<description>
<![CDATA[ Abstract BlueBorne is an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices. The following two CVE IDs affect Synology DiskStation Manager (DSM). CVE-2017-1000250 allows remote attackers to cause an information disclosure attack via a crafted SDP Bluetooth packet on a vulnerable version of Synology DiskStation Manager (DSM). CVE-2017-1000251 allows remote attackers to cause a denial-of-service attack or execute arbitrary code via a crafted L2CAP configuration response on a vulnerable version of Synology DiskStation Manager (DSM). Severity CVE-2017-1000250 Impact: Moderate CVSS3 Base Score: 6.5 CVSS3 Base Metrics: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2017-1000251 Impact: Important CVSS3 Base Score: 7.5 CVSS3 Base Metrics: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products DSM 6.1 DSM 6.0 DSM 5.2 Models FS &amp; XS Series 17-Series FS2017, RS4017xs+, RS3617xs+, RS3617xs, RS3617RPxs, RS18017xs+, DS3617xs 16-Series RS18016xs+ 15-Series DS3615xs, DS2015xs 14-Series RS3614xs, RS3614RPxs 13-Series RS3413xs+, RS10613xs+ 12-Series RS3412xs, RS3412RPxs 11-Series RS3411xs, RS3411RPxs Plus Series 17-Series DS1817+, DS1517+ 16-Series RS2416+, DS916+, DS716+II, DS716+, DS216+II, DS216+ 15-Series DS2415+, DS1815+, DS1515+, RS815RP+, RS815+, DS415+, DS215+ 14-Series RS2414RP+, RS2414+, RS814RP+, RS814+ 13-Series RS3413xs+, RS10613xs+, DS1813+, DS1513+, DS713+ 12-Series RS2212RP+, RS2212+, DS1812+, DS1512+, RS812RP+, RS812+, DS412+, DS712+, DS212+, DS112+ 11-Series DS2411+, RS2211RP+, RS2211+, DS1511+, DS411+II, DS411+, DS211+, RS810RP+, RS810+, DS710+, DS210+, DS110+ Value Series 17-Series DS1817, DS1517, RS217 16-Series RS816, DS416slim, DS416play, DS416, DS216play, DS216, DS116 15-Series DS1515, DS415play, DS715 14-Series RS214, DS214play 13-Series DS213air, DS213 12-Series RS812, RS212, DS212, DS112 11-Series RS411, DS411, DS211, DS111, DS410 J Series 16-Series 
DS416j, DS216j 13-Series DS413j 11-Series DS411slim Description CVE-2017-1000250 All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests. CVE-2017-1000251 The native Bluetooth stack in the Linux kernel (BlueZ), starting at Linux kernel version 3.3-rc1 and up to and including 4.13.1, is vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses, resulting in remote code execution in kernel space. Mitigation None Update Availability To fix the security issue, please update DSM 6.1 to 6.1.3-15152-5 or above, update DSM 6.0 to 6.0.3-8754-6 or above, and update DSM 5.2 to 5.2-5967-5 or above. Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000250 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251 https://access.redhat.com/security/cve/CVE-2017-1000250 https://access.redhat.com/security/cve/CVE-2017-1000251 https://www.armis.com/blueborne/ ]]>
</description>
<pubDate>Wed, 13 Sep 2017 20:05:44 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_52_BlueBorne</guid>
</item>
<item>
<title>Synology-SA-17:51 Cloud Station Drive</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_51_Cloud_Station_Drive</link>
<description>
<![CDATA[ Abstract CVE-2017-11158 allows local users to execute arbitrary code during the installation of a vulnerable version of Cloud Station Drive on Windows. Severity Impact: Moderate CVSS3 Base Score: 7.3 CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Affected Products Cloud Station Drive before 4.2.5-4396 Description Multiple untrusted search path vulnerabilities in the installer of Synology Cloud Station Drive before 4.2.5-4396 on Windows allow local attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory. Mitigation None Update Availability To fix the security issue, please update Cloud Station Drive to 4.2.5-4396 or above. ]]>
</description>
<pubDate>Wed, 30 Aug 2017 18:50:14 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_51_Cloud_Station_Drive</guid>
</item>
<item>
<title>Synology-SA-17:50 Cloud Station Backup</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_50_Cloud_Station_Backup</link>
<description>
<![CDATA[ Abstract CVE-2017-11157 allows local users to execute arbitrary code during the installation of a vulnerable version of Cloud Station Backup on Windows. Severity Impact: Moderate CVSS3 Base Score: 7.3 CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Affected Products Cloud Station Backup before 4.2.5-4396 Description Multiple untrusted search path vulnerabilities in the installer of Synology Cloud Station Backup before 4.2.5-4396 on Windows allow local attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory. Mitigation None Update Availability To fix the security issue, please update Cloud Station Backup to 4.2.5-4396 or above. ]]>
</description>
<pubDate>Wed, 30 Aug 2017 18:47:47 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_50_Cloud_Station_Backup</guid>
</item>
<item>
<title>Synology-SA-17:49 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_49_SRM</link>
<description>
<![CDATA[ Abstract CVE-2017-12077 allows remote authenticated users to exhaust the memory resources and conduct a denial-of-service attack via a vulnerable version of Synology Router Manager (SRM). Severity Impact: Low CVSS3 Base Score: 2.7 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L Affected Products SRM before 1.1.4-6509 Models All Synology models Description Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology Router Manager (SRM) before 1.1.4-6509 allows remote authenticated attackers to exhaust the memory resources of the machine, causing a denial of service. Mitigation None Update Availability To fix the security issue, please update SRM 1.1 to 1.1.4-6509 or above. ]]>
</description>
<pubDate>Mon, 28 Aug 2017 12:02:14 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_49_SRM</guid>
</item>
<item>
<title>Synology-SA-17:48 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_48_DSM</link>
<description>
<![CDATA[ Abstract CVE-2017-12076 allows remote authenticated users to exhaust the memory resources and conduct a denial-of-service attack via a vulnerable version of Synology DiskStation Manager (DSM). Severity Impact: Low CVSS3 Base Score: 2.7 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L Affected Products DSM before 6.1.1-15088 Models All Synology models Description Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology DiskStation Manager (DSM) before 6.1.1-15088 allows remote authenticated attackers to exhaust the memory resources of the machine, causing a denial of service. Mitigation None Update Availability To fix the security issue, please update DSM 6.1 to 6.1.1-15088 or above. ]]>
</description>
<pubDate>Mon, 28 Aug 2017 09:58:07 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_48_DSM</guid>
</item>
<item>
<title>Synology-SA-17:47 Photo Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_47_Photo_Station</link>
<description>
<![CDATA[ Abstract CVE-2017-9555 allows remote users to inject arbitrary web script or HTML code into a vulnerable version of Photo Station. Severity Impact: Moderate CVSS3 Base Score: 5.4 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Affected Products Photo Station before 6.7.0-3414 Description Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.0-3414 allows remote attackers to inject arbitrary web script or HTML via the image parameter. Mitigation None Update Availability To fix the security issue, please go to DSM &gt; Package Center and update Photo Station to 6.7.0-3414 or above. ]]>
</description>
<pubDate>Thu, 24 Aug 2017 13:23:45 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_47_Photo_Station</guid>
</item>
<item>
<title>Synology-SA-17:46 DNS Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_46_DNS_Server</link>
<description>
<![CDATA[ Abstract CVE-2017-12074 allows remote authenticated users to write arbitrary files via a vulnerable version of DNS Server. Severity Impact: Low CVSS3 Base Score: 3.8 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L Affected Products DNS Server before 2.2.1-3042 Description Directory traversal vulnerability in SYNO.DNSServer.Zone.MasterZoneConf in Synology DNS Server before 2.2.1-3042 allows remote authenticated attackers to write arbitrary files via the domain_name parameter. Mitigation None Update Availability To fix the security issue, please go to DSM &gt; Package Center and update DNS Server to 2.2.1-3042 or above. ]]>
</description>
<pubDate>Wed, 23 Aug 2017 18:12:51 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_46_DNS_Server</guid>
</item>
<item>
<title>Synology-SA-17:45 Photo Station Uploader</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_45_Photo_Station_Uploader</link>
<description>
<![CDATA[ Abstract CVE-2017-11159 allows local users to execute arbitrary code during the installation of a vulnerable version of Photo Station Uploader on Windows. Severity Impact: Moderate CVSS3 Base Score: 7.3 CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Affected Products Photo Station Uploader before 1.4.2-084 Description Multiple untrusted search path vulnerabilities in the installer of Synology Photo Station Uploader before 1.4.2-084 on Windows allow local attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory. Mitigation None Update Availability To fix the security issue, please update Photo Station Uploader to 1.4.2-084 or above. ]]>
</description>
<pubDate>Wed, 23 Aug 2017 18:12:23 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_45_Photo_Station_Uploader</guid>
</item>
<item>
<title>Synology-SA-17:44 Synology Assistant</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_44_Synology_Assistant</link>
<description>
<![CDATA[ Abstract CVE-2017-11160 allows local users to execute arbitrary code when installing a vulnerable version of Synology Assistant on a client Windows system. Severity Impact: Moderate CVSS3 Base Score: 7.3 CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Affected Products Synology Assistant before 6.1-15163 Description Multiple untrusted search path vulnerabilities in the installer of Synology Assistant before 6.1-15163 on Windows allow local attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory. Mitigation None Update Availability To fix the security issue, please update Synology Assistant to 6.1-15163 or above. ]]>
</description>
<pubDate>Wed, 16 Aug 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_44_Synology_Assistant</guid>
</item>
<item>
<title>Synology-SA-17:43 GitLab</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_43_GitLab</link>
<description>
<![CDATA[ Abstract CVE-2017-12426 allows attackers to execute arbitrary commands on a vulnerable version of GitLab via a crafted SSH URL for a project import. Severity Impact: Important CVSS3 Base Score: 6.3 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Affected Products GitLab before 9.4.4-0024 Models All Synology models Description GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10, 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote attackers to execute arbitrary code via a crafted SSH URL in a project import. Mitigation None Update Availability To fix the security issue, please go to DSM &gt; Package Center and update GitLab to 9.4.4-0024 or above. Reference https://about.gitlab.com/2017/08/10/gitlab-9-dot-4-dot-4-released/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12426 ]]>
</description>
<pubDate>Tue, 15 Aug 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_43_GitLab</guid>
</item>
<item>
<title>Synology-SA-17:42 SVN</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_42_SVN</link>
<description>
<![CDATA[ Abstract CVE-2017-9800 allows attackers to execute arbitrary commands on a vulnerable version of SVN. Severity Impact: Moderate CVSS3 Base Score: 4.8 CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L Affected Products SVN before 1.9.7-0119 Models All Synology models Description A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to an honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://. Mitigation None Update Availability To fix the security issue, please go to DSM &gt; Package Center and update SVN to 1.9.7-0119 or above. Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9800 https://access.redhat.com/security/cve/cve-2017-9800 http://seclists.org/oss-sec/2017/q3/280 ]]>
</description>
<pubDate>Tue, 15 Aug 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_42_SVN</guid>
</item>
<item>
<title>Synology-SA-17:41 Git Server</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_41_Git_Server</link>
<description>
<![CDATA[ Abstract CVE-2017-1000117 allows attackers to execute arbitrary commands on a vulnerable version of Git. Severity Impact: Moderate CVSS3 Base Score: 4.8 CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L Affected Products Git Server before 2.11.3-0116 Models All Synology models Description A shell command injection flaw related to the handling of &quot;ssh&quot; URLs has been discovered in Git. An attacker could use this flaw to execute shell commands with the privileges of the user running the Git client, for example, when performing a &quot;clone&quot; action on a malicious repository or a legitimate repository containing a malicious commit. Mitigation None Update Availability To fix the security issue, please go to DSM &gt; Package Center and update Git Server to 2.11.3-0116 or above. Reference https://access.redhat.com/security/cve/cve-2017-1000117 http://seclists.org/oss-sec/2017/q3/280 ]]>
</description>
<pubDate>Tue, 15 Aug 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_41_Git_Server</guid>
</item>
<item>
<title>Synology-SA-17:40 libsoup</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_40_libsoup</link>
<description>
<![CDATA[ Abstract CVE-2017-2885 allows man-in-the-middle attackers to cause denial-of-service attacks or execute arbitrary code on a vulnerable version of File Station. Severity Impact: Important CVSS3 Base Score: 7.3 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Affected Products File Station before 1.1.1-0103 DSM 6.0 DSM 5.2 DSM 5.1 Models All Synology models Description A stack-based buffer overflow flaw was discovered within the HTTP processing of libsoup. A remote attacker could exploit this flaw to cause a crash or, potentially, execute arbitrary code by sending a specially crafted HTTP request to a server using the libsoup HTTP server functionality or by tricking a user into connecting to a malicious HTTP server with an application using the libsoup HTTP client functionality. Mitigation None Update Availability To fix the security issue, please go to DSM &gt; Package Center and update File Station to 1.1.1-0103 or above. For DSM 5.2 and DSM 6.0, please update to 6.0.3-8754-6 or above. Reference https://access.redhat.com/security/cve/CVE-2017-2885 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2885 https://tools.cisco.com/security/center/viewAlert.x?alertId=54816 https://bugzilla.gnome.org/show_bug.cgi?id=785774 http://seclists.org/oss-sec/2017/q3/273 ]]>
</description>
<pubDate>Fri, 11 Aug 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_40_libsoup</guid>
</item>
<item>
<title>Synology-SA-17:28 Download Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_28_Download_Station</link>
<description>
<![CDATA[ Abstract Several vulnerabilities have been found in Download Station: CVE-2017-11149 allows remote authenticated attackers to download arbitrary files from a vulnerable NAS. CVE-2017-11156 allows remote authenticated attackers to execute arbitrary commands on a vulnerable NAS. Severity CVE-2017-11149 Moderate CVSSv3 Base Score: 6.5 CVE-2017-11156 Critical CVSSv3 Base Score: 8.8 Affected Products Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 Models All Synology NAS models Description CVE-2017-11149 Server-side request forgery (SSRF) vulnerability in Downloader in Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 allows remote authenticated users to download arbitrary local files via a crafted URI. CVE-2017-11156 Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 uses weak permissions (0777) for the ui/dlm/btsearch directory, which allows remote authenticated users to execute arbitrary code by uploading an executable via unspecified vectors. Mitigation None Update Availability To fix the security issues, please go to DSM &gt; Package Center and install the latest version of Download Station. ]]>
</description>
<pubDate>Fri, 11 Aug 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_28_Download_Station</guid>
</item>
<item>
<title>Synology-SA-17:26 Office</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_26_Office</link>
<description>
<![CDATA[ Abstract CVE-2017-11150 is a vulnerability in Office that allows remote authenticated attackers to execute arbitrary commands by uploading a crafted file to a vulnerable NAS. Severity Critical CVSS v3 Base Score: 8.8 Affected Products Office 2.2.0-1502 and 2.2.1-1506 Models All Synology NAS models Description Command injection vulnerability in Document.php in Synology Office 2.2.0-1502 and 2.2.1-1506 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the crafted file name of RTF documents. Mitigation Install Document Viewer to replace the vulnerable feature. Go to DSM &gt; Package Center and select All. Find Document Viewer and click the Install button. Update Availability To fix the security issues, please go to DSM &gt; Package Center and install the latest version of Office. ]]>
</description>
<pubDate>Fri, 11 Aug 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_26_Office</guid>
</item>
<item>
<title>Synology-SA-17:39 Video Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_39_Video_Station</link>
<description>
<![CDATA[ Abstract CVE-2017-9556 allows remote authenticated users to inject arbitrary web script or HTML code into a vulnerable version of Video Station. Severity Impact: Moderate CVSS3 Base Score: 5.4 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Affected Products Video Station before 2.3.0-1435 Models All Synology models Description Cross-site scripting (XSS) vulnerability in Video Metadata Editor in Synology Video Station before 2.3.0-1435 allows remote authenticated attackers to inject arbitrary web script or HTML via the title parameter. Mitigation None Update Availability To fix the security issue, please go to DSM &gt; Package Center and update Video Station to 2.3.0-1435 or above. ]]>
</description>
<pubDate>Thu, 10 Aug 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_39_Video_Station</guid>
</item>
<item>
<title>Synology-SA-17:38 Chat</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_38_Chat</link>
<description>
<![CDATA[ Abstract CVE-2017-11148 allows remote authenticated users to access intranet resources via a vulnerable Synology NAS running as a Chat server. Severity Impact: Important CVSS3 Base Score: 6.5 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Affected Products Chat before 1.1.0-0806 Models All Synology models Description Server-side request forgery (SSRF) vulnerability in link preview in Synology Chat before 1.1.0-0806 allows remote authenticated users to access intranet resources via unspecified vectors. Mitigation None Update Availability To fix the security issue, please go to DSM &gt; Package Center and update Chat to 1.1.0-0806 or above. ]]>
</description>
<pubDate>Thu, 10 Aug 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_38_Chat</guid>
</item>
<item>
<title>Synology-SA-17:34 Photo Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_34_PhotoStation</link>
<description>
<![CDATA[ Abstract Several vulnerabilities have been found in Photo Station: CVE-2017-11151 allows remote attackers to upload arbitrary files to the specified directories. CVE-2017-11152 allows remote attackers to log in with a fake authentication mechanism. CVE-2017-11153 allows remote attackers to log in to Photo Station with any identity. CVE-2017-11154 allows remote authenticated attackers with administrator privileges in Photo Station to execute arbitrary code on the vulnerable NAS. CVE-2017-11155 allows remote attackers to identify whether Photo Station is vulnerable or not. Severity CVE-2017-11151 Moderate CVSSv3 Base Score: 6.5 CVE-2017-11152 Moderate CVSSv3 Base Score: 6.5 CVE-2017-11153 Important CVSSv3 Base Score: 7.5 CVE-2017-11154 Moderate CVSSv3 Base Score: 6.5 CVE-2017-11155 Moderate CVSSv3 Base Score: 5.3 Affected Products Photo Station before 6.7.3-3432 and 6.3-2967 Models All Synology models Description CVE-2017-11151 A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action. CVE-2017-11152 Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter. CVE-2017-11153 Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload. CVE-2017-11154 Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type parameter. 
CVE-2017-11155 An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to obtain sensitive system information via unspecified vectors. Mitigation None Update Availability To fix the security issues, please go to DSM &gt; Package Center, and update Photo Station to 6.7.3-3432 (6.3-2967 for DSM 5.2 users) or above. ]]>
</description>
<pubDate>Tue, 08 Aug 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_34_PhotoStation</guid>
</item>
<item>
<title>Synology-SA-17:37 Linux kernel</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_37_Linux_kernel</link>
<description>
<![CDATA[ Abstract CVE-2017-7533 allows local users of a Virtual DSM to obtain privileges or cause a denial of service under a race condition between threads of inotify_handle_event() and vfs_rename() while running the &quot;rename&quot; operation for the same file. Severity Impact: Important CVSS3 Base Score: 7.8 CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products DSM 6.1 Models Virtual DSM Description Race condition in the fsnotify implementation in the Linux kernel through 4.12.4 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that leverages simultaneous execution of the inotify_handle_event and vfs_rename functions, as exploited in the wild in August 2017. Mitigation None Update Availability To fix the security issue, please update DSM 6.1 to 6.1.3-15152-3 or above. Reference http://openwall.com/lists/oss-security/2017/08/03/2 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7533 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=49d31c2f389acfe83417083e1208422b4091cd9e ]]>
</description>
<pubDate>Mon, 07 Aug 2017 16:17:12 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_37_Linux_kernel</guid>
</item>
<item>
<title>Synology-SA-17:36 SMBLoris</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_36_SMBLoris</link>
<description>
<![CDATA[ Abstract SMBLoris allows remote attackers to cause a DoS attack on the vulnerable NAS. Severity Impact: Important CVSS3 Base Score: 8.2 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H Affected Products All DSM versions All SRM versions Models All Synology models Description SMBLoris is a remote and uncredentialed denial of service attack against Microsoft® Windows® operating systems, caused by a 20+ year old vulnerability in the Server Message Block (SMB) network protocol implementation. Mitigation For an immediate workaround, please contact us at security@synology.com. Update Availability Not available yet. Reference https://smbloris.com/ ]]>
</description>
<pubDate>Fri, 04 Aug 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_36_SMBLoris</guid>
</item>
<item>
<title>Synology-SA-17:35 Photo Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_35_PhotoStation</link>
<description>
<![CDATA[ Abstract Several vulnerabilities have been found in Photo Station: CVE-2017-11161 allows remote attackers to obtain the administrator privileges. CVE-2017-11162 allows remote authenticated attackers to read arbitrary files. CVE-2017-12071 allows remote authenticated attackers to download arbitrary local files. Severity CVE-2017-11161 Impact: Critical CVSS3 Base Score: 9.1 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2017-11162 Impact: Important CVSS3 Base Score: 6.5 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2017-12071 Impact: Moderate CVSS3 Base Score: 4.3 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Affected Products Photo Station before 6.7.4-3433 and 6.3-2968 Models All Synology models Description CVE-2017-11161 Multiple SQL injection vulnerabilities in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to label.php; or (2) type parameter to synotheme.php. CVE-2017-11162 Directory traversal vulnerability in synphotoio in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to read arbitrary files via unspecified vectors. CVE-2017-12071 Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via the url parameter. Mitigation None Update Availability To fix the security issues, please go to DSM &gt; Package Center and update Photo Station to 6.7.4-3433 (6.3-2968 for DSM 5.2 users) or above. ]]>
</description>
<pubDate>Thu, 03 Aug 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_35_PhotoStation</guid>
</item>
<item>
<title>Synology-SA-17:33 FreeRADIUS</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_33_FreeRADIUS</link>
<description>
<![CDATA[ Abstract Multiple security vulnerabilities which have been found in FreeRADIUS might allow remote attackers to cause a denial-of-service attack or execute arbitrary code on the vulnerable server. Severity CVE-2017-10978 Moderate CVSSv3 Base Score: 5.9 CVE-2017-10979 Important CVSSv3 Base Score: 8.1 CVE-2017-10980 Important CVSSv3 Base Score: 5.9 CVE-2017-10981 Moderate CVSSv3 Base Score: 5.9 CVE-2017-10982 Moderate CVSSv3 Base Score: 5.9 CVE-2017-10983 Moderate CVSSv3 Base Score: 5.9 CVE-2017-10984 Important CVSSv3 Base Score: 8.1 CVE-2017-10985 Moderate CVSSv3 Base Score: 5.9 CVE-2017-10986 Moderate CVSSv3 Base Score: 5.9 CVE-2017-10987 Moderate CVSSv3 Base Score: 5.9 Affected Products Radius Server 2.2.9-0250 and earlier Radius Server 2.3.5-0113 and earlier Models All Synology models Description CVE-2017-10978 An FR-GV-201 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before 3.0.15 allows &quot;Read / write overflow in make_secret()&quot; and a denial of service. CVE-2017-10979 An FR-GV-202 issue in FreeRADIUS 2.x before 2.2.10 allows &quot;Write overflow in rad_coalesce()&quot; - this allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code. CVE-2017-10980 An FR-GV-203 issue in FreeRADIUS 2.x before 2.2.10 allows &quot;DHCP - Memory leak in decode_tlv()&quot; and a denial of service. CVE-2017-10981 An FR-GV-204 issue in FreeRADIUS 2.x before 2.2.10 allows &quot;DHCP - Memory leak in fr_dhcp_decode()&quot; and a denial of service. CVE-2017-10982 An FR-GV-205 issue in FreeRADIUS 2.x before 2.2.10 allows &quot;DHCP - Buffer over-read in fr_dhcp_decode_options()&quot; and a denial of service. CVE-2017-10983 An FR-GV-206 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before 3.0.15 allows &quot;DHCP - Read overflow when decoding option 63&quot; and a denial of service. 
CVE-2017-10984 An FR-GV-301 issue in FreeRADIUS 3.x before 3.0.15 allows &quot;Write overflow in data2vp_wimax()&quot; - this allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code. CVE-2017-10985 An FR-GV-302 issue in FreeRADIUS 3.x before 3.0.15 allows &quot;Infinite loop and memory exhaustion with 'concat' attributes&quot; and a denial of service. CVE-2017-10986 An FR-GV-303 issue in FreeRADIUS 3.x before 3.0.15 allows &quot;DHCP - Infinite read in dhcp_attr2vp()&quot; and a denial of service. CVE-2017-10987 An FR-GV-304 issue in FreeRADIUS 3.x before 3.0.15 allows &quot;DHCP - Buffer over-read in fr_dhcp_decode_suboptions()&quot; and a denial of service. Mitigation None Update Availability To fix the security issue, please go to DSM &gt; Package Center and update Radius Server to 2.2.10-0251 or above, or to 2.3.10-0114 or above. Reference http://freeradius.org/security/fuzzer-2017.html http://seclists.org/oss-sec/2017/q3/177 ]]>
</description>
<pubDate>Thu, 20 Jul 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_33_FreeRADIUS</guid>
</item>
<item>
<title>Synology-SA-17:32 Node.js</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_32_Nodejs</link>
<description>
<![CDATA[ Abstract Multiple security vulnerabilities which have been found in Node.js may allow remote attackers to cause a denial of service attack or may result in leaking sensitive information from the vulnerable server. Severity Constant Hashtable Seeds Important CVSSv3 Base Score: N/A http.get with numeric authorization options creates uninitialized buffers Low CVSSv3 Base Score: N/A CVE-2017-1000381 Moderate CVSSv3 Base Score: 6.5 Affected Products Node.js 4.4.8-0163 and below Chat 1.1.1-0902 and below Office 2.2.2-1508 and below Calendar 2.0.0-0241 and below MailPlus 1.3.0-0676 Models All Synology NAS models Description Constant Hashtable Seeds (CVE pending) Node.js was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup. Thanks to Jann Horn of Google Project Zero for reporting this vulnerability. http.get with numeric authorization options creates uninitialized buffers Application code that allows the auth field of the options object used with http.get() to be set to a number can result in an uninitialized buffer being created/used as the authentication string. CVE-2017-1000381 - c-ares NAPTR parser out of bounds access The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. Mitigation None Update Availability To fix the security issue, please go to DSM &gt; Package Center and update Node.js to 4.8.4-0164 or above. References https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000381 ]]>
</description>
<pubDate>Tue, 18 Jul 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_32_Nodejs</guid>
</item>
<item>
<title>Synology-SA-17:31 Samba</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_31_Samba</link>
<description>
<![CDATA[ Abstract CVE-2017-11103 allows attackers who have control of the network between a client and the service to impersonate a Samba service and steal sensitive data. Severity Impact: Important CVSS3 Base Score: 8.1 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products DSM 6.1 DSM 6.0 DSM 5.2 DSM 5.1 SRM 1.1 Models All Synology models Description Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated. Mitigation None Update Availability To fix the security issue, please update DSM 6.1 to 6.1.3-15152-1 or above, update DSM 6.0 to 6.0.3-8754-4 or above, update DSM 5.2 to 5.2-5967-4 or above and update SRM 1.1 to 1.1.4-6509-03 or above. For DSM 5.1 users, please update to DSM 5.2 (5.2-5967-4). Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9993 https://hackerone.com/reports/242831 ]]>
</description>
<pubDate>Fri, 14 Jul 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_31_Samba</guid>
</item>
<item>
<title>Synology-SA-17:30 Broadpwn</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_30_Broadpwn</link>
<description>
<![CDATA[ Abstract CVE-2017-9417 could allow remote attackers to cause a denial of service or execute arbitrary code on the vulnerable device. To prevent an attack, users should ensure that the device is connected to a trusted Wi-Fi network when operating in client mode. Severity Impact: Critical CVSS3 Base Score: 9.8 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products SRM 1.1 Models RT1900ac Description Broadcom BCM43xx Wi-Fi chips allow remote attackers to execute arbitrary code via unspecified vectors, aka the &quot;Broadpwn&quot; issue. Mitigation None Update Availability To fix the security issue, please update SRM 1.1 to 1.1.4-6509-03 or above. Reference http://boosterok.com/blog/broadpwn/ http://boosterok.com/blog/broadpwn2/ http://www.freebuf.com/news/139773.html ]]>
</description>
<pubDate>Fri, 14 Jul 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_30_Broadpwn</guid>
</item>
<item>
<title>Synology-SA-17:29 DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_29_DSM</link>
<description>
<![CDATA[ Abstract CVE-2017-9553 may allow a user's account name and password to be stolen on an insecure network. CVE-2017-9554 can allow remote attackers to obtain user information via a brute-force attack. Severity CVE-2017-9553 Impact: Moderate CVSS3 Base Score: 5.9 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2017-9554 Impact: Moderate CVSS3 Base Score: 4.3 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Affected Products DSM 6.1 DSM 6.0 DSM 5.2 Models All Synology models Description CVE-2017-9553 A design flaw in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows man-in-the-middle attackers to bypass the encryption protection mechanism and obtain cleartext data via unspecified vectors. CVE-2017-9554 An information exposure vulnerability in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors. Mitigation Enable Auto Block to protect DSM from brute-force attacks. Go to Control Panel &gt; Security &gt; Account and tick Enable auto block. Adjust the values of Login Attempts and Within (minutes) to suit your requirements. Press Apply to save the settings. Update Availability To fix the security issue, please update DSM 6.1 to 6.1.3-15152 or above, update DSM 6.0 to 6.0.3-8754-4 or above and update DSM 5.2 to 5.2-5967-04 or above. ]]>
</description>
<pubDate>Fri, 14 Jul 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_29_DSM</guid>
</item>
<item>
<title>Synology-SA-17:27 Nginx</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_27_Nginx</link>
<description>
<![CDATA[ Abstract CVE-2017-7529 can allow remote attackers to leak sensitive information from the vulnerable server. Severity Impact: Moderate CVSS3 Base Score: 5.5 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Affected Products DSM 6.1 DSM 6.0 Models All Synology models Description A specially crafted request might result in an integer overflow and incorrect processing of ranges, potentially resulting in a sensitive information leak. Mitigation Go to Control Panel &gt; Applications &gt; Terminal &amp; SNMP and tick Enable SSH service. Log in to DSM via SSH as &quot;admin&quot; and execute the following command: sudo /bin/echo &quot;max_ranges 1;&quot; &gt;&gt; /usr/local/etc/nginx/conf.d/main.conf &amp;&amp; sudo reload nginx Remember to remove the mitigation with the following command after upgrading DSM: sudo /usr/bin/sed -i '/max_ranges 1;/d' /usr/local/etc/nginx/conf.d/main.conf Update Availability To fix the security issue, please update DSM 6.1 to 6.1.3-15152 or above and update DSM 6.0 to 6.0.3-8754-4 or above. Reference http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7529 ]]>
</description>
<pubDate>Thu, 13 Jul 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_27_Nginx</guid>
</item>
<item>
<title>Synology-SA-17:25 FFmpeg</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_25_FFmpeg</link>
<description>
<![CDATA[ Abstract CVE-2017-9993 allows remote authenticated users to read arbitrary local files via crafted video files. Severity Impact: Moderate CVSS3 Base Score: 7.5 CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Products DSM 6.1 DSM 6.0 Video Station before 2.3.2-1454 Models All Synology models Description FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data. Mitigation None Update Availability To fix the security issue, please update DSM 6.1 to 6.1.3-15152 or above, update DSM 6.0 to 6.0.3-8754-4 or above and update Video Station to 2.3.3-1455 or above. Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9993 https://hackerone.com/reports/242831 ]]>
</description>
<pubDate>Thu, 06 Jul 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_25_FFmpeg</guid>
</item>
<item>
<title>Synology-SA-17:24 BIND</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_24_BIND</link>
<description>
<![CDATA[ Abstract CVE-2017-3142 allows a remote attacker to circumvent TSIG authentication and view the entire contents of a zone on the vulnerable DNS Server. CVE-2017-3143 allows a remote attacker to forge a valid signature for a dynamic update and insert malicious zone content on the vulnerable DNS Server. Severity Important CVSSv3 Base Score: 7.5 Affected Products DNS Server 2.2.x before 2.2.1-3050, 1.2.x before 1.2.0-0131 and 1.x before 1.1-0301 Models All Synology models Description CVE-2017-3142 An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into: providing an AXFR of a zone to an unauthorized recipient; accepting bogus NOTIFY packets. CVE-2017-3143 An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. Mitigation You can follow the steps below to prevent attacks if you use TSIG authentication for a slave zone. Creating a new slave zone In the Zones tab, press the Create button and choose Slave zone from the menu. Tick the Limit source IP service box and press the Source IP List button. Press the Create button at the top of the region. Choose Single IP host or Subnet. If you chose Single IP host, enter a legal IP address in the IP address field. For example, enter 192.168.1.100 if you allow another DNS server at 192.168.1.100 to transfer the zone to your DNS server. If you chose Subnet, enter a legal subnet in the IP address field and a netmask in Subnet mask. 
For example, enter 192.168.1.0 in the IP address field and 255.255.255.0 in Subnet mask if you allow all DNS servers in the IP range 192.168.1.0 ~ 192.168.1.255 to transfer the zone to your DNS server. Repeat steps 5 ~ 6 to add further legal IP sources. Press OK to save the option, then press Finish to close the whitelist settings. Press OK to save the new slave zone. Edit an existing slave zone In the Zones tab, press the Edit button and choose Zone settings from the menu. Follow steps 2 ~ 9 in the Creating a new slave zone section. Update Availability To fix the security issue, please go to DSM &gt; Package Center and update DNS Server to 2.2.1-3051 or above. References https://kb.isc.org/article/AA-01504/74/CVE-2017-3142%3A-An-error-in-TSIG-authentication-can-permit-unauthorized-zone-transfers.html https://kb.isc.org/article/AA-01503/74/CVE-2017-3143%3A-An-error-in-TSIG-authentication-can-permit-unauthorized-dynamic-updates.html ]]>
</description>
<pubDate>Fri, 30 Jun 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_24_BIND</guid>
</item>
<item>
<title>Synology-SA-17:23 OpenVPN</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_23_OpenVPN</link>
<description>
<![CDATA[ Abstract CVE-2017-7508 can allow remote attackers to cause a denial of service for either server or client. CVE-2017-7520 can allow man-in-the-middle attackers to steal the password of HTTP proxy server. CVE-2017-7521 can allow remote users to obtain server information from process memory. CVE-2017-7522 does not affect any Synology products. Severity Low CVSSv3 Base Score: N/A Affected Products DSM 6.1 DSM 6.0 SRM 1.1 VPN Server 1.3.5-2761 and earlier VPN Plus Server 1.1.1-1031 and earlier Models All Synology models Description CVE-2017-7508 Correct sanity checks on IPv6 packet length in mss_fixup_ipv6(), and change the ASSERT() check in mss_fixup_dowork() into a simple &quot;return&quot; (= the TCP header will simply not be inspected further). CVE-2017-7520 If clients use a HTTP proxy with NTLM authentication (i.e. &quot;--http-proxy &lt;server&gt; &lt;port&gt; [&lt;authfile&gt;|'auto'|'auto-nct'] ntlm2&quot;), a man-in-the-middle attacker between the client and the proxy can cause the client to crash or disclose at most 96 bytes of stack memory. The disclosed stack memory is likely to contain the proxy password. CVE-2017-7521 Several of our OpenSSL-specific certificate-parsing code paths did not always clear all allocated memory. Since a client can cause a few bytes of memory to be leaked for each connection attempt, a client can cause a server to run out of memory and thereby kill the server. That makes this a (quite inefficient) DoS attack. When using the --x509-alt-username option on openssl builds with an extension (argument prefixed with &quot;ext:&quot;, e.g. &quot;ext:subjectAltName&quot;), the code would not free all allocated memory. Fix this by using the proper free function. CVE-2017-7522 asn1_buf_to_c_string() returned a literal string if the input ASN.1 string contained a NUL character, while the caller expects a mutable string. 
The caller will attempt to change this string, which allows a client to crash a server by sending a certificate with an embedded NUL character. Impact analysis: * applies to mbedtls builds only * introduced in 2.4 (so 2.3 is not affected) * can only be exploited if the --x509-track option is used * requires the CA to sign a certificate with an embedded NUL in the certificate subject Mitigation We are now working on a solution to this vulnerability. For an immediate workaround, please contact us at security@synology.com. Update Availability To fix the security issue, please update DSM 6.0 and DSM 6.1 to 6.2-23739 or above, update SRM 1.1 to 1.2.5-8225 or above, update VPN Server to 1.3.6-2765 or above and update VPN Plus Server to 1.4.0-0529 or above. References https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7508 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7520 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7521 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7522 ]]>
</description>
<pubDate>Thu, 22 Jun 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_23_OpenVPN</guid>
</item>
<item>
<title>Synology-SA-17:22 Stack Clash</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_22_Stack_Clash</link>
<description>
<![CDATA[ Abstract The Stack Clash is a vulnerability in the memory management which allows local authenticated users to corrupt memory and obtain full root privileges. The vulnerability has a low impact on x86-64 models. Severity Moderate CVSSv3 Base Score: 7.7 Affected Products DSM 6.1 DSM 6.0 DSM 5.2 SRM 1.1 Models All Synology models Description CVE-2017-1000364 An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be &quot;jumped&quot; over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010). CVE-2017-1000366 glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier. Mitigation We are now working on a solution to this vulnerability. For an immediate workaround, please contact us at security@synology.com. Update Availability To fix the security issue, please update DSM 6.1 to 6.1.3-15152-3 or above, update DSM 6.0 to 6.0.3-8754-6 or above, update DSM 5.2 to 5.2-5967-5 or above, and SRM 1.1 to 1.1.5-6542 or above. References https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366 ]]>
</description>
<pubDate>Tue, 20 Jun 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_22_Stack_Clash</guid>
</item>
<item>
<title>Synology-SA-17:21 Photo Station</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_21_Photo_Station</link>
<description>
<![CDATA[ Abstract CVE-2017-9552 has been found in Photo Station and allows local users to obtain sensitive information of other users. Severity Moderate Affected Products Photo Station Models All Synology NAS models Description A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. The CVSS vector of this vulnerability is triaged as CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N by Synology Security Team. Mitigation None Update Availability To fix the security issue, go to DSM &gt; Package Center, and update Photo Station to the latest version (6.7.2-3429). Acknowledgement Synology would like to thank Frédéric Crozat for reporting this issue. ]]>
</description>
<pubDate>Tue, 13 Jun 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_21_Photo_Station</guid>
</item>
<item>
<title>Synology-SA-17:20 SRM</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_20_SRM</link>
<description>
<![CDATA[ Abstract Several vulnerabilities have been found in Traffic Control. These vulnerabilities can allow remote attackers to steal user tokens and log in as the administrator, or allow remote authenticated attackers to access sensitive files on a Synology Router. Severity Important Affected Products SRM 1.1 Models All Synology Router models Description A cross-site scripting (XSS) vulnerability in Traffic Control in Synology Router Manager (SRM) 1.1-6338 through 1.1.4-6509 before 1.1.4-6509-1 allows remote attackers to inject arbitrary web scripts or arbitrary HTML codes persistently via unspecified parameters. An SQL injection vulnerability in Traffic Control in Synology Router Manager (SRM) 1.1-6338 through 1.1.4-6509 before 1.1.4-6509-1 allows remote attackers to execute arbitrary SQL commands via unspecified parameters. A directory traversal vulnerability in Traffic Control in Synology Router Manager (SRM) 1.1-6338 through 1.1.4-6509 before 1.1.4-6509-1 allows remote authenticated attackers to read arbitrary files via unspecified parameters. Mitigation None Update Availability To fix the security issues, please go to SRM &gt; Control Panel &gt; System &gt; Update &amp; Restore &gt; SRM Update and install the latest version (1.1.4-6509-1) of SRM. ]]>
</description>
<pubDate>Mon, 12 Jun 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_20_SRM</guid>
</item>
<item>
<title>Synology-SA-17:19 sudo</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_19_sudo</link>
<description>
<![CDATA[ Abstract CVE-2017-1000367 allows local authenticated users with privileges to execute commands via sudo to overwrite arbitrary files and obtain full root privileges. This vulnerability has a low impact on DSM because, by default, only the authenticated users in the sudoers list are able to switch to root in DSM. Severity Impact: Low Affected Products DSM 6.1 DSM 6.0 Models All Synology models Description A vulnerability was revealed in ttyname.c in sudo versions 1.8.6p7 through 1.8.20 due to incorrectly parsed tty information from the process status file, which allows local users configured in sudoers to overwrite arbitrary files via a crafted symlink and a race condition. Update Availability To fix the security issue, please update DSM 6.2 to 6.2-22259 or above. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000367 https://www.sudo.ws/alerts/linux_tty.html http://www.openwall.com/lists/oss-security/2017/05/30/16 ]]>
</description>
<pubDate>Thu, 01 Jun 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_19_sudo</guid>
</item>
<item>
<title>Synology-SA-17:18 Samba</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_18_Samba</link>
<description>
<![CDATA[ Abstract CVE-2017-7494 allows remote authenticated users to upload a shared library to a writable shared folder, and perform code execution attacks to take control of servers that host vulnerable Samba services. Severity Important Affected Products DSM 6.1 DSM 6.0 DSM 5.2 DSM 5.1 DSM 5.0 DSM 4.3 DSM 4.2 DSM 4.1 SRM 1.1 Models All Synology models Description Samba 3.x after 3.5.0 and 4.x before 4.4.14, 4.5.x before 4.5.10, and 4.6.x before 4.6.4 does not restrict the file path when using Windows named pipes, which allows remote authenticated users to upload a shared library to a writable shared folder, and execute arbitrary code via a crafted named pipe. Update Availability Synology has released the updates for affected products: DSM 6.1 update (6.1.1-15101-04) DSM 6.0 update (6.0.3-8754-1) DSM 5.2 update (5.2-5967-3) For DSM 5.1 / 5.0 / 4.3 users, please update to DSM 5.2 (5.2-5967-3). DSM 4.2 update (4.2-3259) For DSM 4.1 users, please update to DSM 4.2 (4.2-3259). SRM 1.1 update (1.1.4-6509-1) Mitigation For an immediate workaround, please contact us at security@synology.com. References https://www.samba.org/samba/security/CVE-2017-7494.html https://access.redhat.com/security/cve/CVE-2017-7494 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7494 ]]>
</description>
<pubDate>Thu, 25 May 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_18_Samba</guid>
</item>
<item>
<title>Synology-SA-17:17 WannaCry Ransomware</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_17_WannaCry_Ransomware</link>
<description>
<![CDATA[ Abstract WannaCry, a ransomware program targeting Microsoft Windows, does not affect DSM. However, if you have virtual machines running Windows in Virtual Machine Manager, it is highly recommended to install the security update for MS17-010. Severity Not affected Description The WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) ransomware attack targets Microsoft Windows via remote code execution vulnerabilities that exist in the way the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. The attack spreads by multiple methods, including phishing emails and, on unpatched systems, as a computer worm. References https://technet.microsoft.com/en-us/library/security/ms17-010.aspx https://en.wikipedia.org/wiki/WannaCry_ransomware_attack http://thehackernews.com/2017/05/wannacry-ransomware-windows.html ]]>
</description>
<pubDate>Mon, 15 May 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_17_WannaCry_Ransomware</guid>
</item>
<item>
<title>Synology-SA-17:16 Linux kernel</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_16_Linux_kernel</link>
<description>
<![CDATA[ Abstract CVE-2017-7308 contains a heap overflow vulnerability which may be exploited by local users in DDSM to escalate privileges or escape from DDSM. Severity Moderate Affected Products DDSM Models FS3017, FS2017, RS4017xs+, RS18017xs+, RS3617xs+, RS3617xs, RS3617RPxs, DS3617xs, DS1817+, DS1517+, RS18016xs+, RS2416+, RS2416RP+, DS916+, DS716+II, DS716+, DS216+II, DS216+, RC18015xs+, DS3615xs, DS2415+, DS1815+, DS1515+, RS815+, RS815RP+, DS415+, RS3614xs+, RS3614xs, RS3614RPxs, RS2414+, RS2414RP+, RS814+, RS814RP+, DS2413+, RS10613xs+, RS3413xs+, DS1813+, DS1513+, DS713+, DS3612xs, RS3412xs, RS3412RPxs, RS2212+, RS2212RP+, DS1812+, DS1512+, RS812+, RS812RP+, DS412+, DS712+, DS3611xs, DS2411+, RS3411xs, RS3411RPxs, RS2211+, RS2211RP+, DS1511+, DS411+II, DS411+, DS1010+, RS810+, RS810RP+, DS710+ Description The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls. Mitigation None Update Availability Synology will release a DSM 6.1 update (6.1.1-15101-03) to address this issue in the next few weeks. References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308 http://seclists.org/oss-sec/2017/q1/697 https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308 https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html ]]>
</description>
<pubDate>Fri, 12 May 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_16_Linux_kernel</guid>
</item>
<item>
<title>Synology-SA-17:15 Linux kernel</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_15_Linux_kernel</link>
<description>
<![CDATA[ Abstract CVE-2017-7184 contains a heap overflow vulnerability which may be exploited by local users in DDSM to escalate privileges or escape from DDSM. Severity Moderate Affected Products DDSM Models FS3017, FS2017, RS4017xs+, RS18017xs+, RS3617xs+, RS3617xs, RS3617RPxs, DS3617xs, DS1817+, DS1517+, RS18016xs+, RS2416+, RS2416RP+, DS916+, DS716+II, DS716+, DS216+II, DS216+, RC18015xs+, DS3615xs, DS2415+, DS1815+, DS1515+, RS815+, RS815RP+, DS415+, RS3614xs+, RS3614xs, RS3614RPxs, RS2414+, RS2414RP+, RS814+, RS814RP+, DS2413+, RS10613xs+, RS3413xs+, DS1813+, DS1513+, DS713+, DS3612xs, RS3412xs, RS3412RPxs, RS2212+, RS2212RP+, DS1812+, DS1512+, RS812+, RS812RP+, DS412+, DS712+, DS3611xs, DS2411+, RS3411xs, RS3411RPxs, RS2211+, RS2211RP+, DS1511+, DS411+II, DS411+, DS1010+, RS810+, RS810RP+, DS710+ Description The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52. Mitigation None Update Availability Synology will release a DSM 6.1 update (6.1.1-15101-02) to address this issue in the next few weeks. References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7184 https://blog.trendmicro.com/results-pwn2own-2017-day-one/ https://zhuanlan.zhihu.com/p/26674557?group_id=842807830561034240 ]]>
</description>
<pubDate>Mon, 08 May 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_15_Linux_kernel</guid>
</item>
<item>
<title>Synology-SA-17:14 NFS</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_14_Linux_NFS</link>
<description>
<![CDATA[ Abstract CVE-2017-7645 could allow remote attackers to perform a denial-of-service (DoS) attack on a vulnerable NFS server and cause a system hang or crash. CVE-2017-7895 could allow remote attackers to read arbitrary memory from both kernel space and user space and leak sensitive information from the server. Severity Moderate Affected Products DSM 6.1 DSM 6.0 Models All Synology NAS models Description CVE-2017-7645 The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. CVE-2017-7895 The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. Mitigation Part 1: Create a rule to allow an IP range or subnet access to the NFS service Under Firewall Profile, please select Edit Rules. In the top left corner, click Create to create a new firewall rule. Under Ports, please find Select from a list of built-in applications and click Select to choose an application. Find and check Mac/Linux file server and click OK. Under Source IP, please select Specific IP and click Select on the right. You can also select All if you would like to select all IPs. Here you may specify an IP range or subnet that you would like to allow access to the NFS service. In the example below, NFS access is only allowed for IP addresses between 192.168.1.90 and 192.168.1.99. Click OK once you have specified the IP address or subnet. Under Action, please select Allow to allow the specified IP addresses or subnet access to NFS. Once you have selected an action, you can click OK. 
You can now see that this setup will allow NFS access only for IP addresses from 192.168.1.90 to 192.168.1.99. Part 2: Create a rule to deny NFS access to all other IP addresses Please repeat steps 1-4 above. Under Source IP, select All to include all IP addresses. Under Action, please select Deny to block all IP addresses or subnets from accessing NFS. Click OK when done. After all the steps have been completed, you can see that all IPs have been denied access to the NFS service, except for IPs ranging from 192.168.1.90 to 192.168.1.99. Please note that the rule allowing the specified IPs must be placed before the rule blocking all IPs. Update Availability Not available yet. References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7645 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7895 http://seclists.org/oss-sec/2017/q2/195 http://seclists.org/oss-sec/2017/q2/196 ]]>
</description>
<pubDate>Mon, 08 May 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_14_Linux_NFS</guid>
</item>
<item>
<title>Synology-SA-17:13 WordPress</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_13_WordPress</link>
<description>
<![CDATA[ Abstract CVE-2017-8295 could allow remote attackers to reset a targeted user’s password using the HTTP header. Severity Moderate Affected Products WordPress 4.7.3-0134 and before Models All Synology models Description WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message. Mitigation We are now working on a solution to this vulnerability. For an immediate workaround, please contact us at security@synology.com. Update Availability None References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295 https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html http://www.freebuf.com/vuls/133816.html https://www.exploit-db.com/exploits/41963/ ]]>
</description>
<pubDate>Mon, 08 May 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_13_WordPress</guid>
</item>
<item>
<title>Synology-SA-17:12 Intel Manageability SKUs</title>
<link>https://www.synology.cn/zh-cn/support/security/Synology_SA_17_12_Intel_Manageability_SKUs</link>
<description>
<![CDATA[ Abstract There is an escalation of privilege vulnerability in Intel manageability firmware that can allow an unprivileged attacker to take full control of the device. No Synology products are affected because the manageability feature is disabled by default. Severity Not affected Description An unprivileged network attacker could gain system privileges on provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM). An unprivileged local attacker could provision manageability features, gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT). References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689 https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&amp;languageid=en-fr https://mjg59.dreamwidth.org/48429.html ]]>
</description>
<pubDate>Fri, 05 May 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Synology_SA_17_12_Intel_Manageability_SKUs</guid>
</item>
<item>
<title>Important Information Regarding MediaWiki Vulnerability (CVE-2017-0372)</title>
<link>https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_MediaWiki_Vulnerability</link>
<description>
<![CDATA[ Abstract CVE-2017-0372 allows remote attackers capable of editing wiki pages with syntax highlighting to perform arbitrary code execution and take control of servers hosting vulnerable MediaWiki services. Severity Important Affected Products MediaWiki version 1.27.1-0119 and before Models All Synology models Description This vulnerability in MediaWiki through 1.27.x before 1.27.3, 1.28.x before 1.28.2 and earlier versions allows remote attackers to execute arbitrary commands via a parameter injection when the SyntaxHighlight extension is enabled. Mitigation Disable the SyntaxHighlight extension: 1. Go to Control Panel &gt; Applications &gt; Terminal &amp; SNMP and tick Enable SSH service. 2. Log in to DSM via SSH as “admin” and execute the following command: sudo /usr/bin/sed -i &quot;/wfLoadExtension( 'SyntaxHighlight_GeSHi' );/d&quot; /var/services/web/MediaWiki/LocalSettings.php Update Availability To fix the security issues, please go to DSM &gt; Package Center and install the latest version of MediaWiki to protect your Synology NAS from malicious attacks. References https://www.securify.nl/advisory/SFY20170201/syntaxhighlight_mediawiki_extension_allows_injection_of_arbitrary_pygments_options.html https://phabricator.wikimedia.org/T158689 https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html ]]>
</description>
<pubDate>Wed, 03 May 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_MediaWiki_Vulnerability</guid>
</item>
<item>
<title>Important Information Regarding NTP Vulnerability (CVE-2016-9042)</title>
<link>https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_NTP_Vulnerability</link>
<description>
<![CDATA[ Abstract CVE-2016-9042 could allow remote attackers to perform a denial-of-service (DoS) attack on the vulnerable NTP server and cause time synchronization to stop working. Severity Moderate Affected Products DSM 6.1 DSM 6.0 Models All Synology models Description ntpd in NTP on 4.2.8p9 allows remote attackers to bypass the origin timestamp validation via a packet with an origin timestamp set to zero. This flaw is due to an incorrect upstream fix of CVE-2015-8138. Mitigation Part 1: Create a rule to allow an IP range or subnet access to NTP service Under Firewall Profile, please select Edit Rules. On the top left corner, click Create to create a new firewall rule. Under Ports, please find Select from a list of built-in applications and click Select to choose an application. Find and check NTP Service and click OK. Under Source IP, please select Specific IP and click Select on the right. You can also select All if you would like to select all IPs. Here you may specify an IP range or subnet that you would like to allow access to NTP service. In the example below, NTP access is only allowed for IP addresses between 192.168.1.90 and 192.168.1.99. Click OK once you have specified the IP address or subnet. Under Action, please select Allow to allow the specified IP addresses or subnet access to NTP. Once you’ve selected an action, you can click OK. You can now see that this setup will allow NTP access only for IP addresses from 192.168.1.90 to 192.168.1.99. Part 2: Create a rule to deny NTP access to all other IP addresses. Please repeat steps 1-4 above. Under Source IP, select All to include all IP addresses. Under Action, please select Deny to block all IP addresses or subnet access to NTP. Click OK when done. After all the steps have been completed, you can see that all IPs have been denied access to NTP service, except for IPs ranging from 192.168.1.90 to 192.168.1.99. 
Please note that the rule allowing these IPs must be placed before the rule blocking all IPs, because firewall rules are evaluated in order. Update Availability Not available yet. References http://support.ntp.org/bin/view/Main/NtpBug3361 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9042 https://www.freebsd.org/security/advisories/FreeBSD-SA-17:03.ntp.asc ]]>
</description>
<pubDate>Tue, 18 Apr 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_NTP_Vulnerability</guid>
</item>
<item>
<title>Important Information Regarding Linux kernel Vulnerability (CVE-2016-10229)</title>
<link>https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_Linux_kernel_Vulnerability</link>
<description>
<![CDATA[ Abstract CVE-2016-10229 may allow remote attackers to create a kernel panic or memory corruption leading to privilege escalation. Severity Critical Affected Products DSM 6.0 Models RS2416RP+, RS2416+, RS18016xs+, DS416slim, DS416j, DS416, DS716+, DS216se, DS216play, DS216j, DS216+, DS216, RC18015xs+, DS3615xs, DS2415+, DS2015xs, DS1815+, DS1515+, DS1515, RS815RP+, RS815+, RS815, DS415play, DS415+, DS715, DS215j, DS215+, DS115j, DS115, RS3614xs+, RS3614xs, RS3614RPxs, RS2414RP+, RS2414+, RS814RP+, RS814+, RS814, DS414slim, DS414j, DS414, RS214, DS214se, DS214play, DS214+, DS214, DS114, DS2413+, RS3413xs+, RS10613xs+, DS1813+, DS1513+, DS413j, DS413, DS713+, DS213j, DS213air, DS213+, DS213, DS3612xs, RS3412xs, RS3412RPxs, RS2212RP+, RS2212+, DS1812+, DS1512+, RS812RP+, RS812+, RS812, DS412+, RS212, DS712+, DS212j, DS212+, DS212, DS112j, DS112+, DS112, DS3611xs, DS2411+, RS3411xs, RS3411RPxs, RS2211RP+, RS2211+, DS1511+, RS411, DS411slim, DS411j, DS411+II, DS411+, DS411, DS211j, DS211+, DS211, DS111 Description udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag. Mitigation None Update Availability Synology will release a DSM 6.0 update (6.0.2-8451-11) to address this issue in the next few days. References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229 https://securityaffairs.co/wordpress/57998/hacking/cve-2016-10229-linux.html https://access.redhat.com/security/cve/cve-2016-10229 ]]>
</description>
<pubDate>Mon, 17 Apr 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_Linux_kernel_Vulnerability</guid>
</item>
<item>
<title>Important Information Regarding Samba Vulnerability (CVE-2017-2619)</title>
<link>https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_Samba_Vulnerability</link>
<description>
<![CDATA[ Abstract CVE-2017-2619 allows remote attackers to read arbitrary files on the vulnerable Samba server in rare situations. Severity Low Affected Products DSM 6.1 DSM 6.0 DSM 5.2 SRM 1.1 Models All Synology models Description A time-of-check, time-of-use race condition in Samba 4.6.x before 4.6.1, 4.5.x before 4.5.7, 4.4.x before 4.4.12 allows clients to access non-exported data of the file system via symlinks. Mitigation 1. Go to Control Panel &gt; Applications &gt; Terminal &amp; SNMP and tick Enable SSH service. 2. Log in to DSM via SSH as “admin” and execute the following command: &lt;pre&gt;sudo /usr/bin/sed -i '/\[global\]/a \\tunix extensions=no' /etc/samba/smb.conf &amp;&amp; sudo /usr/sbin/restart smbd&lt;/pre&gt; 3. Do not share any folders via NFS service if the folder has been shared via SMB service. Update Availability Not available yet. References https://www.samba.org/samba/security/CVE-2017-2619.html https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2619.html https://security-tracker.debian.org/tracker/CVE-2017-2619 https://bugzilla.redhat.com/show_bug.cgi?id=1429472 ]]>
</description>
<pubDate>Fri, 24 Mar 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_Samba_Vulnerability</guid>
</item>
<item>
<title>Important Information Regarding Photo Station Vulnerability</title>
<link>https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_Photo_Station_Vulnerability</link>
<description>
<![CDATA[ Abstract A reflected XSS vulnerability was found in Photo Station that allows attackers to inject client-side scripts into web pages viewed by other users. Severity Low Affected Products Photo Station earlier than 6.7.0-3414 Models All Synology models Description Photo Station earlier than 6.7.0-3414 does not escape special characters in image parameters, allowing remote attackers to conduct reflected cross-site scripting (XSS) attacks via modified parameters in an HTTP URL. Mitigation DSM 6.0 &amp; DSM 6.1 Go to Control Panel &gt; Security &gt; Security, and select Improve security with HTTP Content Security Policy (CSP) header. Update Availability To fix the security issue, go to DSM &gt; Package Center, and update Photo Station to the latest version (6.7.0-3414) to protect your Synology NAS from malicious attacks. ]]>
</description>
<pubDate>Fri, 24 Mar 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_Photo_Station_Vulnerability</guid>
</item>
<item>
<title>Important Information Regarding Moodle Vulnerability (CVE-2017-2641)</title>
<link>https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_Moodle_Vulnerability</link>
<description>
<![CDATA[ Abstract CVE-2017-2641 allows authenticated remote attackers to execute arbitrary code and take control of servers that host vulnerable Moodle services. Severity Important Affected Products Moodle version 3.1.2-0116 and before Models All Synology models Description The Block component in Moodle through 3.2.x before 3.2.2, 3.1.x before 3.1.5, 3.0.x before 3.0.9 and before 2.7.19 allows ordinary registered users to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with crafted AJAX arguments. Mitigation 1. Log in with the “admin” account and switch to the role of administrator. 2. Go to Dashboard > Site administration > Plugins > Authentication > Manage authentication and disable Self registration in the Common settings section. Update Availability To fix the security issues, please go to DSM &gt; Package Center and install the latest version of Moodle to protect your Synology NAS from malicious attacks. References http://netanelrub.in/2017/03/20/moodle-remote-code-execution/ https://moodle.org/mod/forum/discuss.php?d=349419#p1409805 ]]>
</description>
<pubDate>Wed, 22 Mar 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Important_Information_Regarding_Moodle_Vulnerability</guid>
</item>
<item>
<title>Important Information about the Auto Block function in DSM</title>
<link>https://www.synology.cn/zh-cn/support/security/AutoBlock</link>
<description>
<![CDATA[ Abstract A vulnerability was reported on the Auto Block function in DSM that allowed remote attackers to bypass the current IP blocking mechanism via a crafted X-Forwarded-For (XFF) header. Severity Important Affected Product DSM 6.1 Models All Synology models Mitigation Synology is about to provide an update for resolution. Before it is available, we strongly suggest you apply the following measures for enhanced security: Disable the admin account. Use a more complex password. Recommended password requirements: The password length must be at least 8 characters. The password should not contain identical character sequences as in the username or account description. The password must contain both uppercase and lowercase characters. The password must contain at least one numeric character and one special character. Enable 2-step verification (available at Options &gt; Personal). Set up firewall rules to allow only identifiable IP addresses to access services running on your Synology NAS. Update Availability The update for DSM 6.1 is available for download at the following link. DSM 6.1-15047 Update 1: https://usdl.synology.com/download/DSM/criticalupdate/update_pack/15047-1/ ]]>
</description>
<pubDate>Fri, 24 Feb 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/AutoBlock</guid>
</item>
<item>
<title>Multiple Vulnerabilities in tcpdump</title>
<link>https://www.synology.cn/zh-cn/support/security/Multiple_Vulnerabilities_in_tcpdump</link>
<description>
<![CDATA[ Abstract Multiple security vulnerabilities have been found in tcpdump, a command-line network traffic analyzer. These vulnerabilities could allow denial of service or arbitrary code execution that could directly affect system availability. Severity Moderate Affected Products DSM 6.1 DSM 6.0 DSM 5.2 Models DS213+ DS413 Description A remote attacker could send specially crafted data to crash the tcpdump network dissector or to execute arbitrary code. These vulnerabilities only affect DS213+ and DS413 models with system hibernation enabled. The addressed vulnerabilities are listed below: CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486 Mitigation For administrators of DS213+ and DS413 models: 1. Go to Control Panel &gt; Hardware &amp; Power &gt; HDD Hibernation. 2. Disable the Start system hibernation 60 seconds after HDD enters hibernation option. Update Availability Synology will release a DSM 6.1.1 update to address this issue in the coming weeks. References https://www.debian.org/security/2017/dsa-3775 https://isc.sans.edu/diary/Multiple+Vulnerabilities+in+tcpdump/22017 http://www.securitytracker.com/id/1037755 ]]>
</description>
<pubDate>Fri, 17 Feb 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Multiple_Vulnerabilities_in_tcpdump</guid>
</item>
<item>
<title>Precaution for a Potential SMB Vulnerability</title>
<link>https://www.synology.cn/zh-cn/support/security/Precaution_for_a_PotentialSMBVulnerability</link>
<description>
<![CDATA[ Description Legacy Server Message Block (SMB) v1 protocol could allow a remote attacker to obtain sensitive information from affected systems. Severity Moderate Mitigation Option 1: Disable SMB v1 protocol DSM 6.1 Go to Control Panel &gt; File Service &gt; SMB &gt; Advanced Settings and set Minimum SMB protocol as SMB2. DSM 6.0 Go to Control Panel &gt; Applications &gt; Terminal &amp; SNMP and tick Enable SSH service. Log into DSM via SSH as “admin” and execute the following command: sudo /usr/bin/sed -i '/\[global\]/a min protocol=SMB2\nmax protocol=SMB2' /etc/samba/smb.conf && sudo /usr/sbin/restart smbd DSM 5.2 &amp; SRM Go to Control Panel &gt; Applications &gt; Terminal &amp; SNMP and tick Enable SSH service. Log into DSM via SSH as “root” and execute the following command: /bin/sed -i '/\[global\]/a min protocol=SMB2\nmax protocol=SMB2' /etc/samba/smb.conf && /sbin/restart smbd Note: Executing the commands above will automatically change both the maximum and minimum SMB protocols to SMB2. If needed, the maximum SMB protocol can be modified in Control Panel. Executing the commands above will restart the smb service and stop all current SMB connections and file transfers. Certain client programs support SMB1 only, such as mount.cifs and older versions of Windows. These client programs will be disconnected once SMB1 support is turned off. Since CIFS plain text password authentication (in LDAP settings) supports SMB1 only, it will become invalid once you make the changes mentioned above. Option 2: Turn off SMB ports via firewall Part 1: Create a rule to allow an IP range or subnet access to SMB file service Under Firewall Profile, please select Edit Rules. On the top left corner, click Create to create a new firewall rule. Under Ports, please find Select from a list of built-in applications and click Select to choose an application. Find and check Windows file server and click OK. 
Under Source IP, please select Specific IP and click Select on the right. You can also select All if you would like to select all IPs. Here you may specify an IP range or subnet that you would like to allow access to SMB file service. In the example below, SMB access is only allowed for IP addresses between 192.168.1.90 and 192.168.1.99. Click OK once you have specified the IP address or subnet. Under Action, please select Allow to allow the specified IP addresses or subnet access to SMB. Once you’ve selected an action, you can click OK. You can now see that this setup will allow SMB access only for IP addresses from 192.168.1.90 to 192.168.1.99. Part 2: Create a rule to deny SMB access to all other IPs Repeat steps 1-4 above in Part 1 “Create a rule to allow an IP range or subnet access to SMB file service.” Under Source IP, select All to include all IP addresses. Under Action, please select Deny to block all IP addresses or subnet access to SMB. Click OK when done. After all the steps have been completed, you can see that all IPs have been denied access to SMB file service, except for IPs ranging from 192.168.1.90 to 192.168.1.99. Please note that the rule allowing these IPs must be placed before the rule blocking all IPs, because firewall rules are evaluated in order. When creating firewall rules in SRM, it is required to specify the Destination IP as SRM. Update Availability Not available yet. References https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices http://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shadow_brokers_dump/ ]]>
</description>
<pubDate>Thu, 26 Jan 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Precaution_for_a_PotentialSMBVulnerability</guid>
</item>
<item>
<title>Important Information Regarding PHP 7.0 Vulnerability (CVE-2017-5340)</title>
<link>https://www.synology.cn/zh-cn/support/security/PHP70_Vulnerability_CVEZ_2017_5340</link>
<description>
<![CDATA[ Description A security vulnerability regarding PHP (CVE-2017-5340) has been identified which allows remote attackers to execute arbitrary code or cause a denial of service via object injection. Severity Important Update Availability To fix the security issues, please go to DSM &gt; Package Center and install the latest version (7.0.15-0019) of PHP 7.0 to protect your Synology NAS from malicious attacks. References https://bugs.php.net/bug.php?id=73832 https://security.archlinux.org/CVE-2017-5340 https://cxsecurity.com/cveshow/CVE-2017-5340 ]]>
</description>
<pubDate>Mon, 23 Jan 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/PHP70_Vulnerability_CVEZ_2017_5340</guid>
</item>
<item>
<title>Important Information Regarding PHPMailer Vulnerability (CVE-2017-5223) </title>
<link>https://www.synology.cn/zh-cn/support/security/PHPMailer_2017_5223</link>
<description>
<![CDATA[ Description PHPMailer (for DSM) is reported to have a local file disclosure vulnerability (CVE-2017-5223). This vulnerability causes malformed mails to be sent to attackers and allows them to download arbitrary files from DSM. Synology is now working on the upcoming DSM 6.0 and DSM 6.1 updates to address this issue. Severity Important Resolution To fix the security issue, please go to DSM &gt; Package Center and update the following package to the latest version for optimal protection: Photo Station 6.6.3-3347 Update Availability Synology will release a DSM 6.0 update (6.0.2-8451-9, 6.0.2-8575-03 for FS3017) and SRM 1.1.3-6447 Update 1 to address this issue in the coming week. References http://www.freebuf.com/vuls/124820.html https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md ]]>
</description>
<pubDate>Wed, 18 Jan 2017 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/PHPMailer_2017_5223</guid>
</item>
<item>
<title>Important Information Regarding PHPMailer Vulnerability (CVE-2016-10033)</title>
<link>https://www.synology.cn/zh-cn/support/security/PHPMailer_Vulnerability</link>
<description>
<![CDATA[ Description A PHPMailer vulnerability (CVE-2016-10033) in which remote code execution could be performed via command injection has been revealed. However, after further investigation, it has been confirmed that Synology NAS is not affected because we do not employ the vulnerable implementation of PHPMailer. For precautionary purposes, Synology is now working on a DSM 6.0 update to address this issue. Severity Low Update Availability Synology will release a DSM 6.0 update (6.0.2-8451-8) and SRM 1.1.3 to address this issue in the coming weeks. References https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html https://github.com/opsxcq/exploit-CVE-2016-10033 https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc ]]>
</description>
<pubDate>Wed, 28 Dec 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/PHPMailer_Vulnerability</guid>
</item>
<item>
<title>Important Information Regarding Roundcube Vulnerability (CVE-2016-9920)</title>
<link>https://www.synology.cn/zh-cn/support/security/Roundcube_Vulnerability</link>
<description>
<![CDATA[ Description A vulnerability in Roundcube (CVE-2016-9920) has been revealed where remote code execution could be performed via command injection. However, after further investigation, it has been confirmed that Synology NAS will remain unaffected as long as no manual modification was made to the configuration file of Mail Station. For precautionary purposes, a newer version of Mail Station will be released to address this issue. Severity Low Update Availability Synology will release a Mail Station update to address this issue in the coming weeks. References https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released https://blog.ripstech.com/2016/roundcube-command-execution-via-email/ ]]>
</description>
<pubDate>Fri, 09 Dec 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Roundcube_Vulnerability</guid>
</item>
<item>
<title>Important Information Regarding ImageMagick Vulnerability (CVE-2016-8707)</title>
<link>https://www.synology.cn/zh-cn/support/security/ImageMagick_Vulnerability</link>
<description>
<![CDATA[ Description A buffer overflow issue that led to a security vulnerability in ImageMagick was found. Unprivileged local users could exploit this vulnerability to trigger root remote code execution by uploading a crafted TIFF file. Severity Important Update Availability Synology will release a DSM 6.0 update (6.0.2-8451-6) to address this issue in the coming weeks. Mitigation DSM Go to Control Panel > Applications > Terminal & SNMP and tick “Enable SSH service”. Log into DSM via SSH as “admin” or “root” and execute the following command: For DSM 6.0: $ sudo sed -i &quot;\$i &lt;policy domain=\&quot;coder\&quot; rights=\&quot;none\&quot; pattern=\&quot;TIFF\&quot; /&gt;&quot; /usr/bin/ImageMagick-6/policy.xml For DSM 5.2-5967 Update 1 or later versions of DSM 5.2: # sed -i &quot;\$i &lt;policy domain=\&quot;coder\&quot; rights=\&quot;none\&quot; pattern=\&quot;TIFF\&quot; /&gt;&quot; /usr/bin/ImageMagick-6/policy.xml SRM Go to Control Panel > Services > System Services > Terminal and tick “Enable SSH service”. Log into SRM via SSH as “root” and execute the following command: # sed -i &quot;\$i &lt;policy domain=\&quot;coder\&quot; rights=\&quot;none\&quot; pattern=\&quot;TIFF\&quot; /&gt;&quot; /usr/bin/ImageMagick-6/policy.xml Since the mitigation mentioned above may cause errors in the results of Security Advisor in DSM, we recommend installing DSM 6.0.2-8451-6 and SRM 1.1.2-6425-2 to fix this issue. References http://blog.talosintel.com/2016/12/ImageMagick-Tiff-out-of-Bounds.html http://www.talosintelligence.com/reports/TALOS-2016-0216 http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8655.html https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c ]]>
</description>
<pubDate>Fri, 09 Dec 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/ImageMagick_Vulnerability</guid>
</item>
<item>
<title>Important Information Regarding Linux Kernel Vulnerability (CVE-2016-8655)</title>
<link>https://www.synology.cn/zh-cn/support/security/Linux_Kernel_Vulnerability</link>
<description>
<![CDATA[ Description A race condition issue that led to a use-after-free (UAF) vulnerability was found in the networking subsystem of Linux kernel. Unprivileged local users could use this vulnerability to elevate their privileges in the system to trigger unpredictable attacks. Severity Important Update Availability Synology will release a DSM 6.0 update (6.0.2-8451-6) and SRM update (1.1.2-6425-2) to address this issue in the coming weeks. References http://seclists.org/oss-sec/2016/q4/607 https://access.redhat.com/security/cve/CVE-2016-8655 https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-8655.html https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c ]]>
</description>
<pubDate>Wed, 07 Dec 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Linux_Kernel_Vulnerability</guid>
</item>
<item>
<title>Important Information Regarding PHP Vulnerability (CVE-2016-7124)</title>
<link>https://www.synology.cn/zh-cn/support/security/PHP_Vulnerability</link>
<description>
<![CDATA[ Description A security vulnerability regarding PHP (CVE-2016-7124) has been identified where remote attackers can perform different kinds of malicious attacks or have other unspecified impacts via object injection. Severity Important Resolution To fix the security issue, please go to DSM > Package Center and update the following packages to the latest version to protect your Synology NAS from malicious attacks: PHP 5.6 PHP 7.0 phpMyAdmin SugarCRM Update Availability Synology will provide the latest version of the following packages in Package Center. Available from December 2: PHP 5.6.28 PHP 7.0.13 Available from December 5: phpMyAdmin 4.6.5 SugarCRM 6.5.24 References https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7124 https://www.sugarcrm.com/security/sugarcrm-sa-2016-008 https://www.phpmyadmin.net/security/PMASA-2016-70 https://bugs.php.net/bug.php?id=72663 https://www.owasp.org/index.php/PHP_Object_Injection ]]>
</description>
<pubDate>Fri, 02 Dec 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/PHP_Vulnerability</guid>
</item>
<item>
<title>Important Information Regarding NTP Vulnerability (CVE-2016-9310)</title>
<link>https://www.synology.cn/zh-cn/support/security/NTP_Vulnerability</link>
<description>
<![CDATA[ Description A security vulnerability regarding the NTP service (CVE-2016-9310) has been identified where an unauthenticated remote attacker can bypass the legitimate monitoring and trigger DDoS (Distributed Denial of Service) attacks. Even though the impact caused by this vulnerability on Synology NAS is limited, Synology is now working on a DSM 6.0 update to address this vulnerability for precautionary purposes. Severity Low Summary Synology's default configuration of NTP service is not vulnerable to CVE-2016-9310. Mitigation Enable the firewall to allow NTP traffic for trusted devices only. Update Availability Synology will release a DSM 6.0 update (6.0.2-8451-5) to address this issue in the coming weeks. References http://support.ntp.org/bin/view/Main/NtpBug3118 http://bugs.ntp.org/show_bug.cgi?id=3118 https://www.kb.cert.org/vuls/id/633847 https://thehackernews.com/2016/11/ntp-server-vulnerability.html ]]>
</description>
<pubDate>Fri, 25 Nov 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/NTP_Vulnerability</guid>
</item>
<item>
<title>Important Information Regarding MariaDB Vulnerability (CVE-2016-6664)</title>
<link>https://www.synology.cn/zh-cn/support/security/MariaDB</link>
<description>
<![CDATA[ Description A root privilege escalation vulnerability in MariaDB (CVE-2016-6664) can be triggered by a symlink attack, leading to remote root code execution. For precautionary purposes, we strongly recommend that you first upgrade the MariaDB package to version 5.5.52 to mitigate this vulnerability; another version will be released soon to address this issue. Severity Low Update Availability To fix the security issue, please go to DSM > Package Center and upgrade to MariaDB 5.5.52 to mitigate CVE-2016-6664 first and protect your Synology NAS from malicious attacks. References https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html ]]>
</description>
<pubDate>Fri, 04 Nov 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/MariaDB</guid>
</item>
<item>
<title>Important Information Regarding Sweet32 Vulnerability (CVE-2016-2183)</title>
<link>https://www.synology.cn/zh-cn/support/security/Sweet32</link>
<description>
<![CDATA[ Description The DES/3DES ciphers, widely used in TLS, SSH, IPSec and other protocols, have become more vulnerable due to the rapid growth of computing power. Since this vulnerability is not caused by a design flaw but by the encryption algorithm no longer being strong enough against current technology, the only way to mitigate the issue is to disable these ciphers in the related modules. Severity Medium Mitigation DSM 6.0 Control Panel > Security > Advanced > TLS / SSL Cipher Suites > Modern compatibility DSM 5.2 Login via SSH # /bin/sed -i 's,SSLCipherSuite .*,SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256,' /etc/httpd/conf/extra/httpd-ssl.conf-cipher # /sbin/restart httpd-sys # /sbin/restart httpd-user OpenVPN server Login via SSH # /bin/echo "cipher AES-256-CBC" >> /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf # /bin/echo "cipher AES-256-CBC" >> /var/packages/VPNCenter/target/etc/openvpn/keys/openvpn.ovpn # /var/packages/VPNCenter/target/scripts/openvpn.sh restart After configuring the OpenVPN server, you should export the configuration settings (.ovpn) and re-configure the client. MailPlus Execute the following scripts under SSH mode. Download the two scripts from here: CVE-2016-2183_Mitigation_MailPlus-Server.sh SHA-256: CB43DA2CF1B11C87AA662809BA40E94D350027C3C25676FFEB4F0E86A7B15FF7 CVE-2016-2183_Mitigation_MailServer.sh SHA-256: A43BAE132C9338B4EACC9C4C9A8646A06E136197AB1191FE10F85E09CA932802 The above settings should be re-applied whenever a re-installation or upgrade is done. ]]>
</description>
<pubDate>Wed, 02 Nov 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Sweet32</guid>
</item>
<item>
<title>Important Information Regarding Linux Kernel Vulnerability (CVE-2016-5195, a.k.a. Dirty CoW)</title>
<link>https://www.synology.cn/zh-cn/support/security/Linux_Kernel</link>
<description>
<![CDATA[ Description A long-existing Linux kernel vulnerability was revealed last week. The vulnerability is a race condition in the way the Linux kernel handles its copy-on-write mechanism, which may be exploited by unprivileged local users to increase their privileges. Severity Important Update Availability Synology will release a DSM 6.0 update to address this issue in the coming weeks. References https://access.redhat.com/security/vulnerabilities/2706661 https://access.redhat.com/security/cve/CVE-2016-5195 http://dirtycow.ninja/ https://git.kernel.org/linus/19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 ]]>
</description>
<pubDate>Wed, 02 Nov 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Linux_Kernel</guid>
</item>
<item>
<title>Important Information Regarding Joomla Vulnerability (CVE-2016-8869 and CVE-2016-8870)</title>
<link>https://www.synology.cn/zh-cn/support/security/Joomla</link>
<description>
<![CDATA[ Description Two vulnerabilities of Joomla (CVE-2016-8869 and CVE-2016-8870) that allow remote users to increase their privileges and create accounts on any Joomla site have been revealed. Severity Critical Update Availability To fix the security issues, please go to DSM > Package Center, install the latest version 3.6.4 of Joomla to protect your Synology NAS from malicious attacks. References https://www.joomla.org/announcements/release-news/5678-joomla-3-6-4-released.html https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html http://thehackernews.com/2016/10/joomla-security-update.html ]]>
</description>
<pubDate>Wed, 02 Nov 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Joomla</guid>
</item>
<item>
<title>Important Information Regarding OpenSSL Vulnerability (CVE-2016-7052, CVE-2016-6304)</title>
<link>https://www.synology.cn/zh-cn/support/security/OpenSSL_Vulnerability</link>
<description>
<![CDATA[ Description Two vulnerabilities regarding OpenSSL were revealed (CVE-2016-7052 and CVE-2016-6304). CVE-2016-7052 results from a CRL sanity check that was added to OpenSSL 1.1.0 but omitted from OpenSSL 1.0.2i, while CVE-2016-6304 allows malicious clients to send an excessively large OCSP Status Request extension, leading to a denial-of-service attack through memory exhaustion. After the initial investigation, Synology has concluded that DSM itself is not affected by these vulnerabilities. However, for precautionary purposes, a newer version of OpenSSL has been released to address this issue. Severity Moderate Update Availability To fix the security issues, please go to DSM > Control Panel > Update & Restore > DSM Update and install DSM 6.0.2-8451 Update 2 or above to protect your Synology NAS from malicious attacks. References https://www.openssl.org/news/secadv/20160922.txt https://github.com/openssl/openssl/commit/e408c09bbf7c3057bda4b8d20bec1b3a7771c15b ]]>
</description>
<pubDate>Fri, 28 Oct 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/OpenSSL_Vulnerability</guid>
</item>
<item>
<title>Important Information Regarding MariaDB Vulnerability (CVE-2016-6662)</title>
<link>https://www.synology.cn/zh-cn/support/security/MariaDB_Vulnerability</link>
<description>
<![CDATA[ Description A MariaDB vulnerability (CVE-2016-6662) has been revealed that allows remote code execution via SQL injection. However, after further investigation, it has been confirmed that Synology NAS is not affected by this vulnerability because of its strict permission control design. Synology NAS will remain unaffected as long as no manual modification has been made to the MariaDB configuration file. However, for precautionary purposes, a newer version of MariaDB has been released to address this issue. Severity Low Update Availability To fix the security issues, please go to DSM > Package Center and install the latest version 5.5.52 of MariaDB to protect your Synology NAS from malicious attacks. References http://seclists.org/oss-sec/2016/q3/481 http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html https://jira.mariadb.org/browse/MDEV-10465 https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662/ ]]>
</description>
<pubDate>Fri, 23 Sep 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/MariaDB_Vulnerability</guid>
</item>
<item>
<title>Photo Station 6.5.3-3226</title>
<link>https://www.synology.cn/zh-cn/support/security/Photo_Station_6_5_3_3226</link>
<description>
<![CDATA[ Description Photo Station version 6.5.3-3226 includes the security fixes to address the following security vulnerabilities: One vulnerability that allows an attacker to execute command injection attacks. (CVE-2016-10329) One vulnerability that allows an attacker to copy files via unauthorized access. (CVE-2016-10330) One vulnerability that allows an attacker to download files via unauthorized access. (CVE-2016-10331) Resolution To fix these security issues, please go to DSM > Package Center, install the latest version 6.5.3-3226 of Photo Station package to protect your Synology NAS from malicious attacks. Note For the following models, please go to DSM > Package Center, install the latest version 6.3-2965 of Photo Station package to protect your Synology NAS from malicious attacks: DS110j, DS210j, DS410j, DS410, DS110+, DS210+, DS710+, DS1010+, RS810+, and RS810RP+ For the following models, please go to DSM > Package Center, install the latest version 6.0-2640 of Photo Station package to protect your Synology NAS from malicious attacks: DS109, DS209, DS409, DS409slim, DS109+, DS209+, DS209+II, DS409+, DS509+, and RS409RP+ ]]>
</description>
<pubDate>Wed, 03 Aug 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Photo_Station_6_5_3_3226</guid>
</item>
<item>
<title>Important Information about "libupnp: write files via POST" (CVE-2016-6255)</title>
<link>https://www.synology.cn/zh-cn/support/security/libupnp_CVE_2016_6255</link>
<description>
<![CDATA[ Description On July 18th, a vulnerability regarding libupnp was discovered. This vulnerability results in unauthorized file transfer from/to the system when UPnP-related services are running. Affected products and features include: All DSM versions prior to DSM 6.0.1-2 Control Panel > External Access > Router Configuration QuickConnect USB Wi-Fi dongles installed for hotspots Any other UPnP-related packages Audio Station Video Station Media Server Download Station Severity Critical Mitigation Please configure firewall settings and allow UPnP access for trusted network only. Update Availability Synology has released DSM 6.0.1-2 to address the issue. References https://github.com/mjg59/pupnp-code/commit/be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd ]]>
</description>
<pubDate>Mon, 18 Jul 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/libupnp_CVE_2016_6255</guid>
</item>
<item>
<title>Important Information about HTTPoxy Vulnerability (CVE-2016-5387)</title>
<link>https://www.synology.cn/zh-cn/support/security/HTTPoxy_Vulnerability</link>
<description>
<![CDATA[ Description On July 18th, a vulnerability named “HTTPoxy” was announced. This vulnerability affects server-side web applications running under CGI. After the initial investigation, Synology has concluded that DSM itself is not affected by this vulnerability, as the parameters HTTP_PROXY and HTTP_PROXY_* are not used. Severity Medium Mitigation Even though DSM itself is free from this vulnerability, some open source modules such as PHP and Python might be affected. In order to avoid potential MITM attacks, it is highly recommended that you always use HTTPS for the connections established between clients and DSM. Update Availability Synology will update the affected packages once the patches are released by their open source teams. References https://httpoxy.org/ ]]>
</description>
<pubDate>Mon, 18 Jul 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/HTTPoxy_Vulnerability</guid>
</item>
<item>
<title>Important Information about NTP Vulnerabilities (CVE-2016-4957, CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, and CVE-2016-4956)</title>
<link>https://www.synology.cn/zh-cn/support/security/Important_Information_about_NTP_Vulnerabilities</link>
<description>
<![CDATA[ Description Multiple security vulnerabilities regarding the NTP module were announced on June 2, 2016 (CVE-2016-4957, CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, and CVE-2016-4956). Results of the initial investigation showed that the flaw of NTP could cause ntpd to crash and can be used to amplify distributed denial-of-service (DDoS) attacks. Even though the impact caused by these vulnerabilities on Synology NAS is limited, Synology is now working on DSM 6.0 updates to address these vulnerabilities for precautionary purposes. A Synology NAS that is not synchronized with an NTP server or that has NTP service disabled will not be affected. Mitigation Before the update is released, concerned users may refer to the following steps to mitigate the impact of this vulnerability: Go to Control Panel > Regional Option > Time. Under Time Setting, select “Manually” rather than “Synchronize with NTP server”. Switch to the NTP Service tab and make sure that the “Enable NTP Service” option is NOT ticked. Update availability Synology is working on the update addressing these vulnerabilities and will release the patch for DSM 6.0 shortly. References http://support.ntp.org/bin/view/Main/SecurityNotice#June_2016_ntp_4_2_8p8_NTP_Securi https://lists.archlinux.org/pipermail/arch-security/2016-June/000639.html https://www.freebsd.org/security/advisories/FreeBSD-SA-16:24.ntp.asc ]]>
</description>
<pubDate>Wed, 08 Jun 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Important_Information_about_NTP_Vulnerabilities</guid>
</item>
<item>
<title>Important Information about OpenSSL Vulnerabilities (CVE-2016-2107 and CVE-2016-2108)</title>
<link>https://www.synology.cn/zh-cn/support/security/OpenSSL_Vulnerabilities</link>
<description>
<![CDATA[ Description On May 3, two high-severity vulnerabilities regarding OpenSSL were revealed (CVE-2016-2107 and CVE-2016-2108). After the initial investigation, it has been confirmed that these two vulnerabilities have no direct impact on Synology NAS, and the number of models affected by CVE-2016-2107 is limited. However, for precautionary purposes, Synology is working on DSM 6.0 and DSM 5.2 updates addressing these two vulnerabilities. Update availability The patch addressing these OpenSSL vulnerabilities will be available for DSM 6.0 this week and for DSM 5.2 in the coming week. ]]>
</description>
<pubDate>Wed, 04 May 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/OpenSSL_Vulnerabilities</guid>
</item>
<item>
<title>Important Information about Samba Badlock Vulnerability</title>
<link>https://www.synology.cn/zh-cn/support/security/Badlock</link>
<description>
<![CDATA[ Description On April 12, badlock.org disclosed a series of vulnerabilities along with the previously announced Samba Badlock vulnerability (CVE-2016-2118). Samba is an open-source interoperability software suite that provides file and print services to SMB/CIFS clients. In addition to Windows, Samba (version 4.1) also runs on Synology DSM. Details Along with the most concerning Samba Badlock vulnerability (CVE-2016-2118), multiple related CVEs were revealed on badlock.org with different CVSS scores reflecting their degree of severity. After the initial investigation, we would like to provide the following updates for each vulnerability. CVE-2016-2118: This vulnerability, also known as Badlock, has been addressed by backporting the patch from open source Samba to the Samba that runs on Synology DSM. The update is available for DSM 5.2 and DSM 6.0. CVE-2015-5370, CVE-2016-2110, CVE-2016-2112, CVE-2016-2114, CVE-2016-2115: Considering the lower level of severity and the complexity of the issue, these vulnerabilities will be fixed in the upcoming updates for DSM 5.2 and DSM 6.0. CVE-2016-2111, CVE-2016-2113: The patch is not necessary for Synology DSM as the Domain Server functions are not supported. Update availability Patches addressing the Badlock vulnerability are available for DSM 5.2 and DSM 6.0. To fix this issue, please go to DSM > Control Panel > Update & Restore > DSM Update, and install DSM 5.2-5644 Update 8 if you are using DSM 5.2, or DSM 6.0-7321 Update 1 if you are using DSM 6.0. The patches addressing the related vulnerabilities will be available in the upcoming updates. Network Security Advice SMB is a widely used file protocol in most business environments and also in the home. Restricting unnecessary access to this file service is an important step in increasing network security. To better secure your network, only necessary file services should be enabled for access while unnecessary ones should be denied. 
If you know the IP range or subnet that is required to access SMB, you may refer to the following instructions to set up firewall rules for that IP range or subnet: To begin, please make sure that your firewall is enabled. In Control Panel > Security > Firewall, please make sure that Enable firewall has been checked. Here, we can create a new firewall profile or edit an existing profile. Please follow the instructions below on how to allow access from a specific range of IPs while denying unnecessary access from the rest. First, create a rule to allow an IP range or subnet access to the SMB file service. Under Firewall Profile, please select Edit Rules. On the top left corner, click Create to create a new firewall rule. Under Ports, please find Select from a list of built-in applications and click Select to choose an application. Find and check Windows file server and click OK. Under Source IP, please select Specific IP and click Select on the right. You can also select All if you would like to select all IPs. Here you may specify an IP range or subnet that you would like to allow access to the SMB file service. In the example below, SMB access is only allowed for IP addresses between 192.168.1.90 and 192.168.1.99. Click OK once you have specified the IP address or subnet. Under Action, please select Allow to allow the specified IP addresses or subnet access to SMB. Once you’ve selected an action, you can click OK. You can now see that this setup will allow SMB access only for IP addresses from 192.168.1.90 to 192.168.1.99. Now that the allowed IPs have been set, you must deny access to all other IPs. Please follow the steps below to create a rule to deny unnecessary access to the SMB file service. Please repeat steps 1-4 above. Under Source IP, select All to include all IP addresses. Under Action, please select Deny to block all other IP addresses or subnets from accessing SMB. Click OK when done. 
After all the steps have been completed, you can see that all IPs have been denied access to the SMB file service, except for IPs ranging from 192.168.1.90 to 192.168.1.99. Please note that the rule for allowed IPs must be placed before the rule blocking all IPs, because firewall rules are evaluated in order. ]]>
</description>
<pubDate>Fri, 15 Apr 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Badlock</guid>
</item>
<item>
<title>DSM 5.2-5644 Update 5</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_2_5644_update_5</link>
<description>
<![CDATA[ Description DSM 5.2-5644 Update 5 includes a Firewall filter policy update to fix a security vulnerability caused by stack-based buffer overflow (CVE-2015-7547). Resolution To fix the security issues, please go to DSM > Control Panel > Update & Restore > DSM Update and install DSM 5.2-5644 Update 5 or above to protect your Synology NAS from malicious attacks. Note This workaround can effectively prevent Synology NAS from this vulnerability. However, this fix may impact read/write performance on the following models by no more than 15%, for which Synology is working on an enhancement in the future release. 16-series: DS216se 15-series: DS115j 14-series: EDS14, DS114, DS214se, RS214, DS414slim 13-series: DS213j, DS213air, DS213, DS413j 12-series: DS112, DS112+, DS112j, DS212, DS212j, DS212+, RS212, RS812 11-series: DS111, DS211, DS211+, DS211j, DS411, DS411slim, DS411j, RS411 10-series: DS110j, DS210j, DS410j ]]>
</description>
<pubDate>Fri, 19 Feb 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_2_5644_update_5</guid>
</item>
<item>
<title>Photo Station 6.3-2963</title>
<link>https://www.synology.cn/zh-cn/support/security/Photo_Station_6_3_2963</link>
<description>
<![CDATA[ Description Photo Station version 6.3-2963 includes the security fix to address the following security vulnerability: One vulnerability that allows an attacker to execute cross-site scripting (XSS) attacks to access user's private data (e.g. stealing session token). Resolution To fix the security issue, please go to DSM > Package Center, and install the latest version 6.3-2963 of Photo Station package to protect your Synology NAS from malicious attacks. Note For the following models, please go to DSM > Package Center, and install the latest version 6.0-2639 of Photo Station package to protect your Synology NAS from malicious attacks: DS109, DS209, DS409, DS409slim, DS109+, DS209+, DS209+II, DS409+, DS509+, RS409(RP)+. ]]>
</description>
<pubDate>Fri, 29 Jan 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Photo_Station_6_3_2963</guid>
</item>
<item>
<title>Video Station 1.5-0775</title>
<link>https://www.synology.cn/zh-cn/support/security/Video_station_1_5_0775</link>
<description>
<![CDATA[ Description Video Station version 1.5-0775 includes security fixes to address the security vulnerabilities (CVE-2016-1897 and CVE-2016-1898). Resolution To fix the security issues, please go to DSM > Package Center, and install the latest version 1.5-0775 of Video Station package to protect Synology NAS from malicious attacks. Note For the following models, please go to DSM > Package Center, and install the latest version 1.6-0850 of Video Station package to protect Synology NAS from malicious attacks: DS216play, DS716+. ]]>
</description>
<pubDate>Mon, 25 Jan 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Video_station_1_5_0775</guid>
</item>
<item>
<title>Audio Station 5.4-2860</title>
<link>https://www.synology.cn/zh-cn/support/security/Audio_Station_5_4_2860</link>
<description>
<![CDATA[ Description Audio Station version 5.4-2860 includes security fixes to address the security vulnerabilities (CVE-2016-1897 and CVE-2016-1898). Resolution To fix the security issues, please go to DSM > Package Center, and install the latest version 5.4-2860 of Audio Station package to protect Synology NAS from malicious attacks. ]]>
</description>
<pubDate>Mon, 25 Jan 2016 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Audio_Station_5_4_2860</guid>
</item>
<item>
<title>Photo Station 6.3-2962</title>
<link>https://www.synology.cn/zh-cn/support/security/Photo_Station_6_3_2962</link>
<description>
<![CDATA[ Description Photo Station version 6.3-2962 includes the security fix to address the following security vulnerability: One vulnerability that allows an attacker to execute cross-site scripting (XSS) attacks to obtain user’s private data. (CVE-2015-9102) Resolution To fix the security issues, please go to DSM > Package Center, install the latest version 6.3-2962 of Photo Station package to protect Synology NAS from malicious attacks. Note For the following models, please go to DSM > Package Center, install the latest version 6.0-2638 of Photo Station package to protect Synology NAS from malicious attacks: DS109, DS209, DS409, DS409slim, DS109+, DS209+, DS209+II, DS409+, DS509+, RS409(RP)+. ]]>
</description>
<pubDate>Mon, 14 Dec 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Photo_Station_6_3_2962</guid>
</item>
<item>
<title>Note Station 1.1-0214</title>
<link>https://www.synology.cn/zh-cn/support/security/Note_Station_1_1_0214</link>
<description>
<![CDATA[ Description Note Station version 1.1-0214 includes the security fix to address the following security vulnerability: One vulnerability that allows an attacker to execute cross-site scripting (XSS) attacks to obtain user’s private data. (CVE-2015-9103) Resolution To fix the security issues, please go to DSM > Package Center, install the latest version 1.1-0214 of Note Station package to protect Synology NAS from malicious attacks. ]]>
</description>
<pubDate>Mon, 14 Dec 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Note_Station_1_1_0214</guid>
</item>
<item>
<title>Video Station 1.5-0772</title>
<link>https://www.synology.cn/zh-cn/support/security/Video_station_1_5_0772</link>
<description>
<![CDATA[ Description Video Station version 1.5-0772 includes the security fixes to address the following security vulnerability: One vulnerability that allows an attacker to execute cross-site scripting (XSS) attacks to obtain user’s private data. (CVE-2015-9105) Resolution To fix the security issues, please go to DSM > Package Center, and install the latest version 1.5-0772 of Video Station package to protect Synology NAS from malicious attacks. Note For the following models, please go to DSM > Package Center, and install the latest version 1.6-0847 of Video Station package to protect Synology NAS from malicious attacks: DS216play, DS716+. For the following models, please go to DSM > Package Center, and install the latest version 1.2-0455 of Video Station package to protect Synology NAS from malicious attacks: DS109, DS209, DS409, DS409slim, DS109+, DS209+, DS209+II, DS409+, DS509+, RS409(RP)+. ]]>
</description>
<pubDate>Fri, 11 Dec 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Video_station_1_5_0772</guid>
</item>
<item>
<title>Audio Station 5.4-2857</title>
<link>https://www.synology.cn/zh-cn/support/security/Audio_Station_5_4_2857</link>
<description>
<![CDATA[ Description Audio Station version 5.4-2857 includes the security fix to address the following security vulnerability: One vulnerability that allows an attacker to execute cross-site scripting (XSS) attacks to obtain user’s private data. (CVE-2015-9104) Resolution To fix the security issues, please go to DSM > Package Center, install the latest version 5.4-2857 of Audio Station package to protect DiskStation from malicious attacks. Note For the following models, please go to DSM > Package Center, install the latest version 5.1-2550 of Audio Station package to protect DiskStation from malicious attacks: DS109, DS209, DS409, DS409slim, DS109+, DS209+, DS209+II, DS409+, DS509+, RS409(RP)+. ]]>
</description>
<pubDate>Fri, 04 Dec 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Audio_Station_5_4_2857</guid>
</item>
<item>
<title>Magento 1.9.2.2-0033</title>
<link>https://www.synology.cn/zh-cn/support/security/Magento_1_9_2_2_0033</link>
<description>
<![CDATA[ Description The update of Magento 1.9.2.2-0033 addresses multiple security vulnerabilities (SUPEE-5344, SUPEE-5994, SUPEE-6237, SUPEE-6285, SUPEE-6482, and SUPEE-6788). Reference: http://merch.docs.magento.com/ce/user_guide/magento/release-notes-ce-1.9.2.2.html Resolution To fix these security issues, please go to DSM > Package Center and install Magento 1.9.2.2-0033 or above to protect Synology NAS from malicious attacks. ]]>
</description>
<pubDate>Thu, 12 Nov 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Magento_1_9_2_2_0033</guid>
</item>
<item>
<title>Photo Station 6.3-2958</title>
<link>https://www.synology.cn/zh-cn/support/security/Photo_Station_6_3_2958</link>
<description>
<![CDATA[ Description Photo Station 6.3-2958 includes the security fix to address the following security vulnerability: One vulnerability that allows an attacker to execute command injection attacks and perform arbitrary actions such as accessing data or stealing session tokens. Resolution To fix the security issues, please go to DSM > Package Center, install the latest version 6.3-2958 of Photo Station package to protect DiskStation from malicious attacks. ]]>
</description>
<pubDate>Tue, 06 Oct 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Photo_Station_6_3_2958</guid>
</item>
<item>
<title>Audio Station 5.4-2855</title>
<link>https://www.synology.cn/zh-cn/support/security/Audio_Station_5_4_2855</link>
<description>
<![CDATA[ Description Audio Station 5.4-2855 includes the security fix to address the following security vulnerability: One vulnerability that allows an attacker to execute command injection attacks, which might cause damage. Resolution To fix the security issues, please go to DSM > Package Center, install the latest version 5.4-2855 of Audio Station package to protect DiskStation from malicious attacks. ]]>
</description>
<pubDate>Tue, 06 Oct 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Audio_Station_5_4_2855</guid>
</item>
<item>
<title>Video Station 1.5-0763</title>
<link>https://www.synology.cn/zh-cn/support/security/Video_Station_1_5_0763</link>
<description>
<![CDATA[ Description Video Station version 1.5-0763 includes security fixes to address the following vulnerabilities: One vulnerability that allows an attacker to execute SQL injection attacks, which might compromise the database. One vulnerability that allows an attacker to execute command injection attacks, which might cause damage. Resolution To fix the security issues, please go to DSM > Package Center and install the latest version, 1.5-0763, of the Video Station package to protect DiskStation from malicious attacks. ]]>
</description>
<pubDate>Fri, 11 Sep 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Video_Station_1_5_0763</guid>
</item>
<item>
<title>Note Station 1.1-211</title>
<link>https://www.synology.cn/zh-cn/support/security/Note_Station_1_1_211</link>
<description>
<![CDATA[ Description Note Station version 1.1-211 includes a security fix to address the following vulnerability: One vulnerability that allows an attacker to execute cross-site scripting (XSS) attacks and perform arbitrary actions such as stealing session tokens or redirecting to potentially malicious websites. Resolution To fix the security issue, please go to DSM > Package Center and install the latest version, 1.1-211, of the Note Station package to protect DiskStation from malicious attacks. ]]>
</description>
<pubDate>Fri, 11 Sep 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Note_Station_1_1_211</guid>
</item>
<item>
<title>Download Station 3.5-2967</title>
<link>https://www.synology.cn/zh-cn/support/security/Download_Station_3_5_2967</link>
<description>
<![CDATA[ Description Download Station version 3.5-2967 includes a security fix to address the following vulnerability: One vulnerability that allows an attacker to execute cross-site scripting (XSS) attacks and perform arbitrary actions such as stealing session tokens or redirecting to potentially malicious websites. Resolution To fix the security issue, please go to DSM > Package Center and install the latest version, 3.5-2967, of the Download Station package to protect DiskStation from malicious attacks. ]]>
</description>
<pubDate>Fri, 11 Sep 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Download_Station_3_5_2967</guid>
</item>
<item>
<title>DSM 5.2-5592 Update 4</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_2_5592_update_4</link>
<description>
<![CDATA[ Description DSM 5.2-5592 Update 4 includes the following security fixes to address related security vulnerabilities: Upgraded Apache HTTP Server to 2.2.31 to address one security vulnerability (CVE-2015-3183). Upgraded PHP to 5.5.28 to address two security vulnerabilities (CVE-2015-5589 and CVE-2015-5590). Fixed two security vulnerabilities to prevent cross-site scripting (XSS) attacks. Fixed a security vulnerability in the PCRE library (ASA-201508-11). Resolution To fix the security issues, please go to DSM > Control Panel > Update & Restore > DSM Update and install DSM 5.2-5592 Update 4 or above to protect your Synology NAS from malicious attacks. ]]>
</description>
<pubDate>Mon, 07 Sep 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_2_5592_update_4</guid>
</item>
<item>
<title>Important Information: /usr/syno/bin/zip was wrongly quarantined by Antivirus Essential </title>
<link>https://www.synology.cn/zh-cn/support/security/Antivirus_Essential_08_28</link>
<description>
<![CDATA[ Description If you have installed Antivirus Essential, Security Advisor might have notified you with a message similar to “DSM system files have been unintentionally modified. Following file(s) have been modified: /usr/syno/bin/zip. Please contact Synology for further assistance.” Please be advised that this has been confirmed as a false alarm: /usr/syno/bin/zip was quarantined by Antivirus Essential, which in turn caused the "file is modified" warning in Security Advisor. We have reported the false positive to ClamAV (the antivirus engine used by Antivirus Essential), and future virus definitions will no longer report this file as infected. If you have received this notification, please follow the Resolution section below. Resolution To fix this issue, please go to DSM > Control Panel > Update & Restore > DSM Update and install DSM 5.2-5592 Update 4 or above. If the problem remains unresolved, please visit https://www.synology.com/support/support_form.php for further assistance. ]]>
</description>
<pubDate>Fri, 28 Aug 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Antivirus_Essential_08_28</guid>
</item>
<item>
<title>WordPress 4.2.4-039</title>
<link>https://www.synology.cn/zh-cn/support/security/WordPress_4_2_4_039</link>
<description>
<![CDATA[ Description The update of WordPress 4.2.4-039 addresses multiple security vulnerabilities (CVE-2015-5622, CVE-2015-5623, CVE-2015-2213, CVE-2015-5730, CVE-2015-5731, CVE-2015-5732, CVE-2015-5733, and CVE-2015-5734). Reference: https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/ https://wordpress.org/news/2015/05/wordpress-4-2-2/ Resolution To fix these security issues, please go to DSM > Package Center and install WordPress 4.2.4-039 or above to protect Synology NAS from malicious attacks. ]]>
</description>
<pubDate>Thu, 20 Aug 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/WordPress_4_2_4_039</guid>
</item>
<item>
<title>Magento 1.9.2.0-0029</title>
<link>https://www.synology.cn/zh-cn/support/security/Magento_1_9_2_0_0029</link>
<description>
<![CDATA[ Description The update of Magento 1.9.2.0-0029 addresses multiple security vulnerabilities (SUPEE-5344, SUPEE-5994, SUPEE-6285). Reference: http://merch.docs.magento.com/ce/user_guide/Magento_Community_Edition_User_Guide.html#magento/release-notes-ce-1.9.2.html Resolution To fix these security issues, please go to DSM > Package Center and install Magento 1.9.2.0-0029 or above to protect DiskStation from malicious attacks. ]]>
</description>
<pubDate>Thu, 16 Jul 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Magento_1_9_2_0_0029</guid>
</item>
<item>
<title>Asterisk 13.1.0-0063</title>
<link>https://www.synology.cn/zh-cn/support/security/Asterisk_13_1_0_0063</link>
<description>
<![CDATA[ Description The update of Asterisk 13.1.0-0063 includes security fixes to address the following vulnerabilities: A security vulnerability that could allow remote attackers to perform cross-site scripting (XSS) attacks. A security vulnerability that could allow remote attackers to perform remote code execution attacks. Resolution To fix these security issues, please go to DSM > Package Center and install Asterisk 13.1.0-0063 or above to protect DiskStation from malicious attacks. ]]>
</description>
<pubDate>Thu, 16 Jul 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Asterisk_13_1_0_0063</guid>
</item>
<item>
<title>Important Information about OpenSSL Alternative Chains Certificate Forgery Vulnerability: CVE-2015-1793</title>
<link>https://www.synology.cn/zh-cn/support/security/OpenSSL_2015_1793</link>
<description>
<![CDATA[ Description A vulnerability in OpenSSL has been discovered in the certificate verification code: when the first attempt to build a certificate chain fails, OpenSSL tries to find an alternative chain, and a bug in that logic can allow an attacker holding a valid leaf certificate to use it as a certificate authority and issue certificates that the verifying side accepts. A thorough investigation shows that DSM itself is not vulnerable to this flaw when acting as a server performing client authentication. A few services could be impacted, and only with relatively limited sensitivity of the information transferred; we are working on updates to be released shortly. From our investigation, the risk is considered to be medium. Synology is unaware of any cases at this time. Update availability To fix the security issues, please go to DSM > Control Panel > Update & Restore > DSM Update and install DSM 5.2-5592 Update 1 or above to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Mon, 13 Jul 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/OpenSSL_2015_1793</guid>
</item>
<item>
<title>Download Station 3.5-2963</title>
<link>https://www.synology.cn/zh-cn/support/security/Download_Station_3_5_2963</link>
<description>
<![CDATA[ Description Download Station 3.5-2963 includes a security fix to address the following vulnerability: A vulnerability that allows an attacker to recover the private key when Rabin-Williams signatures are used, which might leak users' private information (CVE-2015-2141). Resolution To fix the security issue, please go to DSM > Package Center and install the latest version, 3.5-2963, of the Download Station package to protect DiskStation from malicious attacks. Note For the following models, please go to DSM > Package Center and install the latest version, 3.5-2490, of the Download Station package to protect DiskStation from malicious attacks: DS109, DS209, DS409, DS409slim, DS109+, DS209+, DS209+II, DS409+, DS509+, and RS409(RP)+. ]]>
</description>
<pubDate>Mon, 06 Jul 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Download_Station_3_5_2963</guid>
</item>
<item>
<title>Photo Station 6.3-2953</title>
<link>https://www.synology.cn/zh-cn/support/security/Photo_Station_6_3_2953</link>
<description>
<![CDATA[ Description Photo Station version 6.3-2953 includes security fixes to address the following vulnerabilities: One vulnerability that allows an attacker to execute cross-site scripting (XSS) attacks to obtain a user’s private data (e.g. by stealing the session token). The other vulnerability could compromise user information because HTTP connections might not be redirected correctly to HTTPS in the Photo Station blog. Resolution To fix the security issues, please go to DSM > Package Center and install the latest version, 6.3-2953, of the Photo Station package to protect DiskStation from malicious attacks. Note For the following models, please go to DSM > Package Center and install the latest version, 6.0-2636, of the Photo Station package to protect DiskStation from malicious attacks: DS109, DS209, DS409, DS409slim, DS109+, DS209+, DS209+II, DS409+, DS509+, and RS409(RP)+. ]]>
</description>
<pubDate>Wed, 01 Jul 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Photo_Station_6_3_2953</guid>
</item>
<item>
<title>DSM 5.2-5592</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_2_5592</link>
<description>
<![CDATA[ Description DSM 5.2-5592 includes the security fixes from the critical updates released since DSM 5.2-5565 and also explicitly addresses related security vulnerabilities: Upgraded OpenSSL to 1.0.1o to address multiple security vulnerabilities (CVE-2015-4000, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, and CVE-2015-1792). Upgraded PHP to 5.5.26 to address multiple security vulnerabilities (CVE-2015-3414, CVE-2015-3415, CVE-2015-3416, CVE-2015-2325, CVE-2015-2326, and CVE-2015-4598). Fixed a security vulnerability to prevent cross-site scripting (XSS) attacks. Resolution To fix the security issues, please go to DSM > Control Panel > Update & Restore > DSM Update and install DSM 5.2-5592 or above to protect your Synology NAS from malicious attacks. Completing this update will automatically restart your system. ]]>
</description>
<pubDate>Wed, 01 Jul 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_2_5592</guid>
</item>
<item>
<title>Video Station 1.5-0757</title>
<link>https://www.synology.cn/zh-cn/support/security/Video_Station_1_5_0757</link>
<description>
<![CDATA[ Description Video Station version 1.5-0757 includes a security fix to address the following vulnerability: One vulnerability that allows an attacker to execute SQL injection attacks, which might compromise the database. Resolution To fix the security issue, please go to DSM > Package Center and install the latest version, 1.5-0757, of the Video Station package to protect DiskStation from malicious attacks. ]]>
</description>
<pubDate>Fri, 26 Jun 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Video_Station_1_5_0757</guid>
</item>
<item>
<title>PACS 2.18.0-0010</title>
<link>https://www.synology.cn/zh-cn/support/security/PACS_2_18_0_0010</link>
<description>
<![CDATA[ Description The update of PACS 2.18.0-0010 addresses one security vulnerability in JBoss (CVE-2010-0738). Reference: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0738 Resolution To fix this security issue, please go to DSM > Package Center and install PACS 2.18.0-0010 to protect DiskStation from malicious attacks. ]]>
</description>
<pubDate>Fri, 26 Jun 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/PACS_2_18_0_0010</guid>
</item>
<item>
<title>Moodle 2.91-0036</title>
<link>https://www.synology.cn/zh-cn/support/security/Moodle_2_91_0036</link>
<description>
<![CDATA[ Description The update of Moodle 2.91-0036 addresses multiple security vulnerabilities (CVE-2015-3174, CVE-2015-3175, CVE-2015-3176, CVE-2015-3177, CVE-2015-3178, CVE-2015-3179, CVE-2015-3180, and CVE-2015-3181). Reference: https://docs.moodle.org/dev/Moodle_2.9.1_release_notes Resolution To fix these security issues, please go to DSM > Package Center and install Moodle 2.91-0036 to protect DiskStation from malicious attacks. ]]>
</description>
<pubDate>Fri, 26 Jun 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Moodle_2_91_0036</guid>
</item>
<item>
<title>MariaDB 5.5.43-0033</title>
<link>https://www.synology.cn/zh-cn/support/security/MariaDB_5_5_43_0033</link>
<description>
<![CDATA[ Description The update of MariaDB 5.5.43-0033 addresses multiple security vulnerabilities (CVE-2015-0501, CVE-2015-2571, CVE-2015-0505, and CVE-2015-0499). Reference: https://mariadb.com/kb/en/mariadb/mariadb-5543-release-notes/ Resolution To fix these security issues, please go to DSM > Package Center and install MariaDB 5.5.43-0033 to protect DiskStation from malicious attacks. ]]>
</description>
<pubDate>Fri, 26 Jun 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/MariaDB_5_5_43_0033</guid>
</item>
<item>
<title>Drupal 7.38-0037</title>
<link>https://www.synology.cn/zh-cn/support/security/Drupal_7_38_0037</link>
<description>
<![CDATA[ Description The update of Drupal 7.38-0037 addresses multiple security vulnerabilities (CVE-2015-3231, CVE-2015-3232, CVE-2015-3233, and CVE-2015-3234). Reference: https://www.drupal.org/SA-CORE-2015-002 Resolution To fix these security issues, please go to DSM > Package Center and install Drupal 7.38-0037 to protect DiskStation from malicious attacks. ]]>
</description>
<pubDate>Fri, 26 Jun 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Drupal_7_38_0037</guid>
</item>
<item>
<title>Download Station 3.5-2962</title>
<link>https://www.synology.cn/zh-cn/support/security/Download_Station_3_5_2962</link>
<description>
<![CDATA[ Description Download Station version 3.5-2962 includes a security fix to address the following vulnerability: One vulnerability that allows an attacker to execute cross-site scripting (XSS) attacks using crafted torrent files and perform arbitrary actions such as stealing session tokens or redirecting to potentially malicious websites. Resolution To fix the security issue, please go to DSM > Package Center and install the latest version, 3.5-2962, of the Download Station package to protect DiskStation from malicious attacks. ]]>
</description>
<pubDate>Fri, 26 Jun 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Download_Station_3_5_2962</guid>
</item>
<item>
<title>DSM 5.2-5565 Update 2</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_2_5565_update_2</link>
<description>
<![CDATA[ Description DSM 5.2-5565 Update 2 includes the following security fix to address related security vulnerabilities: Fixed multiple kernel vulnerabilities (CVE-2014-3122, CVE-2014-3153, CVE-2014-0196, and CVE-2014-4699). Resolution To fix the security issues, please go to DSM > Control Panel > Update & Restore > DSM Update and install DSM 5.2-5565 Update 2 or above to protect your DiskStation from malicious attacks. Completing this update will automatically restart your system. ]]>
</description>
<pubDate>Tue, 09 Jun 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_2_5565_update_2</guid>
</item>
<item>
<title>Photo Station 6.3-2945</title>
<link>https://www.synology.cn/zh-cn/support/security/Photo_Station_3_5_2945</link>
<description>
<![CDATA[ Description Photo Station version 6.3-2945 includes security fixes to address the following vulnerabilities: One vulnerability that allows an attacker to execute cross-site scripting (XSS) attacks and perform arbitrary actions such as stealing session tokens or redirecting to potentially malicious websites. The other vulnerability allows a user who has the privilege to manage any one album to compromise, through command injection, photos in other albums that he or she has no permission to access. Resolution To fix the security issues, please go to DSM > Package Center and install the latest version, 6.3-2945, of the Photo Station package to protect DiskStation from malicious attacks. Note For the following models, please go to DSM > Package Center and install the latest version, 6.0-2635, of the Photo Station package to protect DiskStation from malicious attacks: DS109, DS209, DS409, DS409slim, DS109+, DS209+, DS209+II, DS409+, DS509+, and RS409(RP)+. ]]>
</description>
<pubDate>Fri, 29 May 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Photo_Station_3_5_2945</guid>
</item>
<item>
<title>DSM 5.2-5565 Update 1</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_2_5565_update_1</link>
<description>
<![CDATA[ Description DSM 5.2-5565 Update 1 includes the following security fixes to address related security vulnerabilities: Upgraded PHP to 5.5.25 to address multiple security vulnerabilities (CVE-2006-7243, CVE-2015-4021, CVE-2015-4022, CVE-2015-4024, CVE-2015-4025, and CVE-2015-4026). Fixed a security vulnerability to prevent cross-site scripting (XSS) attacks. Resolution To fix the security issues, please go to DSM > Control Panel > Update & Restore > DSM Update and install DSM 5.2-5565 Update 1 or above to protect your DiskStation from malicious attacks. Completing this update will automatically restart your system. ]]>
</description>
<pubDate>Thu, 21 May 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_2_5565_update_1</guid>
</item>
<item>
<title>Important Information about Vulnerability CVE-2015-0240</title>
<link>https://www.synology.cn/zh-cn/support/security/SAMBA</link>
<description>
<![CDATA[ Description A vulnerability has been discovered in Samba, an open source implementation of the CIFS network file sharing protocol. It is a memory management flaw in the CIFS file service that could be exploited by sending specially crafted packets. Synology is unaware of any cases at this time. First-step solution Exposure is limited because CIFS is normally used only within local area networks and is not exposed to the Internet. As a precaution, set up the firewall to block the CIFS ports (137-139 and 445) from the Internet. Creating firewall rules at Control Panel > Security > Firewall helps prevent unauthorized login and controls service access. Update availability This vulnerability has been addressed in the release of DSM 5.1-5022 Update 3 for the x10, x11, x12, x13, x14, and x15 series. The update for DSM 4.2 for the x09 series will be released by the end of March. The x08 (and older) series are not affected by this vulnerability. ]]>
</description>
<pubDate>Thu, 26 Feb 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/SAMBA</guid>
</item>
<item>
<title>Important Information about GLIBC Vulnerability “GHOST” (CVE-2015-0235)</title>
<link>https://www.synology.cn/zh-cn/support/security/ghost</link>
<description>
<![CDATA[ Description A vulnerability in a widely used Linux library, glibc, has been discovered. This vulnerability allows remote attackers to execute arbitrary code. An initial investigation by Synology shows that the impact to DSM is minimal. Details GHOST is a buffer overflow in the glibc gethostbyname family of functions, which are commonly used for DNS resolution. The initial investigation shows that these functions are used by several DSM components. However, because of DSM’s design, the impact of this vulnerability is minimal. We are working on updates for the affected components. Update availability To fix this security issue, please go to DSM > Control Panel > Update & Restore > DSM Update and install the latest update to protect your DiskStation from malicious attacks. Completing this update will automatically restart your system. ]]>
</description>
<pubDate>Fri, 30 Jan 2015 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/ghost</guid>
</item>
<item>
<title>DSM 5.1-5021</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_1_5021</link>
<description>
<![CDATA[ Description DSM 5.1-5021 includes the security fixes from the critical updates released since DSM 5.1-5004 and also explicitly addresses the following security vulnerabilities: One vulnerability that allows local users to cause a denial of service by queuing the maximum number of file descriptors (CVE-2014-7824). Multiple vulnerabilities that allow remote attackers to cause a denial of service (out-of-bounds read, heap memory corruption, or application crash) or possibly execute arbitrary code (PHP: CVE-2014-3669, CVE-2014-3670, CVE-2014-3668, and CVE-2014-3710). Resolution To fix the security issues, please go to DSM > Control Panel > Update & Restore > DSM Update and install the latest updates to protect your DiskStation from malicious attacks. Completing this update will automatically restart your system. ]]>
</description>
<pubDate>Tue, 16 Dec 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_1_5021</guid>
</item>
<item>
<title>VPN Server 1.2-2427</title>
<link>https://www.synology.cn/zh-cn/support/security/VPN_Server_1_2_2427</link>
<description>
<![CDATA[ Description In VPN Server 1.2-2427, OpenVPN was updated to version 2.3.6 to address a vulnerability that allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet (CVE-2014-8104). Resolution To fix this security issue, please go to DSM > Package Center and install the latest VPN Server update to protect your Synology NAS from malicious attacks. ]]>
</description>
<pubDate>Fri, 12 Dec 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/VPN_Server_1_2_2427</guid>
</item>
<item>
<title>Important Information about POODLE Vulnerability (CVE-2014-3566)</title>
<link>https://www.synology.cn/zh-cn/support/security/POODLE_Vulnerability</link>
<description>
<![CDATA[ Description A vulnerability in version 3 of the SSL protocol (SSL 3.0) was disclosed. This vulnerability, commonly referred to as POODLE, allows an attacker to decipher the plain-text content of an SSL 3.0 encrypted message using a man-in-the-middle attack. POODLE affects all servers and browsers worldwide that still use the SSL 3.0 protocol, including DSM. Because the exploit requires an active man-in-the-middle position, the severity of this vulnerability is not considered critical. Synology is unaware of any cases at this time. First-step solution Since the protocol version is negotiated between clients and servers, POODLE is a vulnerability that involves both parties. It is suggested to update any clients that use the SSL protocol, such as browsers and email clients. Most browsers of that time fall back to SSL 3.0 when a connection attempt with a newer TLS version fails, and an attacker in the middle can force that fallback by disrupting the TLS attempts, so disabling SSL 3.0 on the client side matters as much as on the server side. For official statements on how to disable SSL 3.0 in commonly used browsers, please consult the reference links below: Apple Safari: http://support.apple.com/kb/HT1222 Microsoft Internet Explorer: https://technet.microsoft.com/library/security/3009008.aspx Mozilla Firefox: SSL 3.0 has been disabled in the release of Firefox 34. Reference: https://www.mozilla.org/en-US/mobile/34.0/releasenotes/ Google Chrome: Chrome 39 removed the fallback to SSL 3.0, and Chrome 40 disables SSL 3.0 entirely. Reference: https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Vnhy9aKM_l4 Update availability The fix has been implemented in DSM 5.1. Updates are also available as DSM 5.0 4627-02 for EDS14 and DSM 5.0 4528-02 for all other DSM 5.0 compatible models. To apply the fix for this vulnerability, please go to DSM > Control Panel > Update & Restore > DSM Update and install the latest updates. Completing this update will automatically restart your system. ]]>
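<![CDATA[ After applying the update, the useful check is whether the DSM HTTPS endpoint still negotiates SSL 3.0 at all. The probe below is an added example and not Synology's code: it hand-builds an SSL 3.0 ClientHello offering only CBC cipher suites (the configuration POODLE attacks) and classifies the first record the server sends back, so it works even where the local OpenSSL build no longer offers SSLv3. The host and port are supplied by the operator and are assumptions, not values from the advisory; the sample responses at the bottom are constructed for offline testing, not captured from any device.

```python
# Added example (not Synology's code): minimal SSL 3.0 probe for CVE-2014-3566.
# Host/port are operator-supplied assumptions; sample records are constructed.
import socket
import struct
import sys

SSL3_VERSION = b"\x03\x00"

# CBC suites only: POODLE is an attack on SSL 3.0 CBC padding, so a server that
# accepts SSL 3.0 with one of these is exactly the exposed configuration.
CBC_SUITES = (0x002F, 0x0035, 0x000A)   # AES128-SHA, AES256-SHA, DES-CBC3-SHA


def build_sslv3_client_hello() -> bytes:
    """Return one record (type 0x16, version 0x0300) carrying an SSL 3.0 ClientHello."""
    suites = b"".join(struct.pack("!H", s) for s in CBC_SUITES)
    body = (
        SSL3_VERSION                                  # client_version
        + bytes(32)                                   # client random (fixed, constructed)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the server's first record after an SSL 3.0 ClientHello.

    'sslv3-accepted' : ServerHello whose negotiated version is 0x0300 (exposed)
    'rejected'       : alert record, closed connection, or a non-SSL3 ServerHello
    'unknown'        : anything else (not TLS at all, or truncated)
    """
    if len(data) < 5:
        return "rejected"            # server closed the connection without a record
    if data[0] == 0x15:
        return "rejected"            # alert, e.g. protocol_version / handshake_failure
    if data[0] != 0x16 or len(data) < 11 or data[5] != 0x02:
        return "unknown"             # not a handshake record, or not a ServerHello
    # record header (5) + handshake header (4), then server_version (2)
    return "sslv3-accepted" if data[9:11] == SSL3_VERSION else "rejected"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSL 3.0 ClientHello, and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


# Constructed sample responses for offline checks (not captured from any device).
SAMPLE_SSL3_SERVERHELLO = (
    b"\x16\x03\x00\x00\x2a"                 # record: handshake, version 3.0, 42 bytes
    + b"\x02\x00\x00\x26"                   # ServerHello, 38-byte body
    + b"\x03\x00" + bytes(32) + b"\x00"     # version 3.0, random, empty session id
    + b"\x00\x2f" + b"\x00"                 # AES128-SHA, null compression
)
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x00\x00\x02\x02\x46"   # fatal protocol_version

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: sslv3_probe.py HOST [PORT]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(host, port, probe(host, port))
```

A result of "sslv3-accepted" against a DSM unit means the update has not been applied or the web server still offers SSL 3.0; "rejected" is the expected result on DSM 5.1 or the listed 5.0 updates. Run the probe against every HTTPS port the NAS exposes (DSM, Photo Station, Web Station), not just 443. ]]>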
</description>
<pubDate>Tue, 28 Oct 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/POODLE_Vulnerability</guid>
</item>
<item>
<title>DSM 5.0-4627</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4627</link>
<description>
<![CDATA[ Description DSM 5.0-4627 includes the security fixes from the critical updates released since DSM 5.0-4662 and also explicitly addresses the following security vulnerabilities: A vulnerability that could allow servers to accept unauthorized access requests. Multiple vulnerabilities that allow remote attackers to cause denial of service through application crash or CPU consumption (OpenSSL: CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3509, CVE-2014-3510, CVE-2014-3512, and CVE-2014-5139). A vulnerability that allows context-dependent attackers to obtain sensitive information from process stack memory (OpenSSL: CVE-2014-3508). A vulnerability that allows man-in-the-middle attackers to force a downgrade to TLS 1.0 even though both server and client support higher TLS versions (OpenSSL: CVE-2014-3511). Two cURL vulnerabilities that could leak cookies to the wrong hosts (CVE-2014-3613 and CVE-2014-3620). Multiple vulnerabilities that could allow remote attackers to cause denial of service resulting in CPU consumption, application crash, or NULL pointer dereference (CVE-2014-3538, CVE-2014-3587, CVE-2014-2497, CVE-2014-5120, and CVE-2014-3597). A vulnerability that could allow remote attackers to overwrite arbitrary files (CVE-2014-5120). A vulnerability that could allow remote attackers to cause a denial of service resulting in application crash or possibly execute arbitrary code (CVE-2014-3597). A vulnerability that allows remote attackers to extract ElGamal private key information (libgcrypt: CVE-2014-5270). Resolution To fix the security issues, please go to DSM > Control Panel > Update & Restore > DSM Update and install the latest updates to protect your DiskStation from malicious attacks. Completing this update will automatically restart your system. ]]>
</description>
<pubDate>Wed, 22 Oct 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4627</guid>
</item>
<item>
<title>DSM 5.0-4528</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4528</link>
<description>
<![CDATA[ Description DSM 5.0-4528 includes the security fixes from the critical updates released since DSM 5.0-4458 and also explicitly addresses the following security vulnerabilities: Two Linux kernel vulnerabilities that could allow local users to cause a denial of service resulting in uncontrolled recursion or an unkillable mount process (CVE-2014-5471 and CVE-2014-5472). One Linux kernel vulnerability that could allow local users to cause a denial of service or possibly gain privileges via a crafted application that triggers a zero count (CVE-2014-0205). One Linux kernel vulnerability that could allow man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate (CVE-2014-6657). One SNMP vulnerability where improper validation of input could allow remote attackers to cause a denial of service (CVE-2014-2284). Minor fixes related to the ShellShock Bash vulnerabilities previously addressed in the DSM 4493-05 updates (Bash 4.2-51, 4.2-52, and 4.2-53). Resolution To fix the security issues, please go to DSM > Control Panel > Update & Restore > DSM Update and install the latest updates to protect your DiskStation from malicious attacks. Completing this update will automatically restart your system. ]]>
</description>
<pubDate>Wed, 22 Oct 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4528</guid>
</item>
<item>
<title>Important Information about Bash Vulnerability "ShellShock" (CVE-2014-6271 and CVE-2014-7169)</title>
<link>https://www.synology.cn/zh-cn/support/security/bash_shellshock</link>
<description>
<![CDATA[ Description
A vulnerability in a commonly used UNIX command shell, Bash, has been discovered that allows unauthorized users to remotely gain control of vulnerable UNIX-like systems. A thorough investigation by Synology shows that the majority of Synology NAS servers will not be affected. The design of the Synology NAS operating system, DiskStation Manager (DSM), is safe by default: the DSM built-in Bash command shell is reserved for system service use only (HA Manager) and is not available to public users.
Affected Models
Synology has released critical updates to address this vulnerability. The affected models vary between DSM versions due to differences in implementation. We have confirmed that models not listed below are unaffected by this Bash vulnerability.
DSM 5.1 4977-1
- 14-series: RS3614xs+, RS2414+, RS2414RP+, RS814+, RS814RP+, RS3614xs, RS3614RPxs
- 13-series: DS2413+, DS713+, RS10613xs+, RS3413xs+, DS1813+, DS1513+
- 12-series: DS1512+, DS1812+, DS3612xs, RS3412xs, RS3412RPxs, DS412+, RS812+, RS812RP+, RS2212+, RS2212RP+
- 11-series: DS3611xs, RS3411xs, RS3411RPxs
DSM 5.0 4519-1
- 15-series: DS415+
DSM 5.0 4493-7
- 14-series: RS3614xs+, RS2414+, RS2414RP+, RS814+, RS814RP+, RS3614xs, RS3614RPxs
- 13-series: DS2413+, DS713+, RS10613xs+, RS3413xs+, DS1813+, DS1513+
- 12-series: DS1512+, DS1812+, DS3612xs, RS3412xs, RS3412RPxs, DS412+, RS812+, RS812RP+, RS2212+, RS2212RP+
- 11-series: DS3611xs, RS3411xs, RS3411RPxs
DSM 4.3 3827-8
- 14-series: RS3614xs+, RS2414+, RS2414RP+, RS814+, RS814RP+
- 13-series: DS2413+, DS713+, RS10613xs+, RS3413xs+, DS1813+, DS1513+
- 12-series: DS712+, DS1512+, DS1812+, DS3612xs, RS3412xs, RS3412RPxs, DS412+, RS812+, RS812RP+, RS2212+, RS2212RP+
- 11-series: DS3611xs, RS3411xs, RS3411RPxs, DS2411+, RS2211+, RS2211RP+, DS1511+, DS411+II, DS411+
- 10-series: DS1010+, RS810+, RS810RP+, DS710+
Resolution
If your Synology NAS server is one of the above models and an update is available, please go to DSM > Control Panel > Update & Restore > DSM Update (DSM > Control Panel > DSM Update if your Synology NAS is running DSM 4.3) and install the latest updates to protect your NAS from malicious attacks. ]]>
</description>
<pubDate>Fri, 26 Sep 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/bash_shellshock</guid>
</item>
<item>
<title>DSM 5.0-4493 Update 5</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493_update_5</link>
<description>
<![CDATA[ Description
The update of DSM 5.0-4493 Update 5 addresses the following security vulnerability: a vulnerability that could allow servers to accept unauthorized access.
Resolution
To fix the security issues, please go to DSM > Control Panel > Update & Restore > DSM Update and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Tue, 09 Sep 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493_update_5</guid>
</item>
<item>
<title>DSM 4.3-3827 Update 7</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_7</link>
<description>
<![CDATA[ Description
The update of DSM 4.3-3827 Update 7 addresses the following security vulnerability: a vulnerability that could allow servers to accept unauthorized access.
Resolution
To fix the security issues, please go to the DSM > Control Panel > DSM Update page and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Tue, 09 Sep 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_7</guid>
</item>
<item>
<title>DSM 4.2-3252</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3252</link>
<description>
<![CDATA[ Description
The update of DSM 4.2-3252 addresses the following security vulnerability: a vulnerability that could allow servers to accept unauthorized access.
Resolution
To fix the security issues, please go to the DSM > Control Panel > DSM Update page and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Tue, 09 Sep 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3252</guid>
</item>
<item>
<title>DSM 4.0-2265</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_0_2265</link>
<description>
<![CDATA[ Description
The update of DSM 4.0-2265 addresses the following security vulnerability: a vulnerability that could allow servers to accept unauthorized access.
Resolution
To fix the security issues, please go to the DSM > Control Panel > DSM Update page and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Tue, 09 Sep 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_0_2265</guid>
</item>
<item>
<title>DSM 3.1-1639</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_3_1_1639</link>
<description>
<![CDATA[ Description
The update of DSM 3.1-1639 addresses the following security vulnerabilities:
- a vulnerability that could allow servers to accept unauthorized access.
- multiple vulnerabilities that allow remote attackers to use multiple weaknesses to perform denial of service attacks that cause application crash or CPU consumption (OpenSSL: CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3509, CVE-2014-3510, CVE-2014-3512, and CVE-2014-5139).
- a vulnerability that allows context-dependent attackers to obtain sensitive information from process stack memory (OpenSSL: CVE-2014-3508).
- a vulnerability that allows man-in-the-middle attackers to cause a downgrade to TLS 1.0 even though both server and client support a higher TLS version (OpenSSL: CVE-2014-3511).
Resolution
To fix the security issues, please go to the DSM > Control Panel > DSM Update page and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Tue, 09 Sep 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_3_1_1639</guid>
</item>
<item>
<title>DSM 4.0-2264</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_0_2264</link>
<description>
<![CDATA[ Description
This update for DSM 4.0-2264 addresses the following security vulnerabilities regarding OpenSSL and PHP 5.3:
- multiple vulnerabilities that allow remote attackers to use multiple weaknesses to perform denial of service attacks that cause application crash or CPU consumption (OpenSSL: CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3509, CVE-2014-3510, CVE-2014-3512, and CVE-2014-5139).
- a vulnerability that allows context-dependent attackers to obtain sensitive information from process stack memory (OpenSSL: CVE-2014-3508).
- a vulnerability that allows man-in-the-middle attackers to cause a downgrade to TLS 1.0 even though both server and client support a higher TLS version (OpenSSL: CVE-2014-3511).
- a vulnerability that allows remote attackers to exploit a weakness to perform a man-in-the-middle attack in certain OpenSSL-to-OpenSSL communications and obtain sensitive information (OpenSSL: CVE-2014-0224).
- a vulnerability that allows remote attackers to execute arbitrary code or cause a denial of service via a long non-initial fragment (OpenSSL: CVE-2014-0195).
- multiple vulnerabilities that allow remote attackers to perform various kinds of denial of service attacks (OpenSSL: CVE-2014-0221, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470).
- a vulnerability that allows remote attackers to obtain ECDSA nonces, which could result in a side-channel attack (OpenSSL: CVE-2014-0076).
- multiple vulnerabilities that allow remote attackers to cause denial of service attacks resulting in buffer over-read, application exit, infinite loop, or performance degradation (PHP 5.3: CVE-2013-6712, CVE-2014-0207, CVE-2014-0238, CVE-2014-0237 and CVE-2014-4049).
- a vulnerability that allows local users to overwrite arbitrary files via a symlink attack (PHP 5.3: CVE-2014-3981).
- a vulnerability that allows remote attackers to execute arbitrary code via a crafted string (PHP 5.3: CVE-2014-3515).
Resolution
To fix the security issues, please go to the DSM > Control Panel > DSM Update page and install the latest updates to protect your Synology NAS from malicious attacks. ]]>
</description>
<pubDate>Wed, 27 Aug 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_0_2264</guid>
</item>
<item>
<title>DSM 5.0-4493 Update 4</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493_update_4</link>
<description>
<![CDATA[ Description
DSM 5.0-4493 Update 4 addresses the following security vulnerabilities regarding OpenSSL and Kerberos 5:
- multiple vulnerabilities that allow remote attackers to use multiple weaknesses to perform denial of service attacks that cause application crash or CPU consumption (OpenSSL: CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3509, CVE-2014-3510, CVE-2014-3512, and CVE-2014-5139).
- a vulnerability that allows context-dependent attackers to obtain sensitive information from process stack memory (OpenSSL: CVE-2014-3508).
- a vulnerability that allows man-in-the-middle attackers to cause a downgrade to TLS 1.0 even though both server and client support a higher TLS version (OpenSSL: CVE-2014-3511).
- a vulnerability that allows remote authenticated administrators to cause a denial of service by creating a request via KRB5_KDB_DISALLOW_ALL_TIX that lacks a password (Kerberos 5: CVE-2012-1013).
- multiple vulnerabilities that allow remote attackers to cause denial of service attacks resulting in buffer over-read, NULL pointer dereference, or application crash (Kerberos 5: CVE-2014-4341, CVE-2014-4344 and CVE-2014-4342).
Resolution
To fix the security issues, please go to DSM > Control Panel > Update & Restore > DSM Update and install the latest updates to protect your Synology NAS from malicious attacks. ]]>
</description>
<pubDate>Tue, 26 Aug 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493_update_4</guid>
</item>
<item>
<title>DSM 4.3-3827 Update 6</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_6</link>
<description>
<![CDATA[ Description
DSM 4.3-3827 Update 6 addresses the following security vulnerabilities regarding OpenSSL, Kerberos 5, and PHP 5.3:
- multiple vulnerabilities that allow remote attackers to use multiple weaknesses to perform denial of service attacks that cause application crash or CPU consumption (OpenSSL: CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3509, CVE-2014-3510, CVE-2014-3512, and CVE-2014-5139).
- a vulnerability that allows context-dependent attackers to obtain sensitive information from process stack memory (OpenSSL: CVE-2014-3508).
- a vulnerability that allows man-in-the-middle attackers to cause a downgrade to TLS 1.0 even though both server and client support a higher TLS version (OpenSSL: CVE-2014-3511).
- a vulnerability that allows remote authenticated administrators to cause a denial of service by creating a request via KRB5_KDB_DISALLOW_ALL_TIX that lacks a password (Kerberos 5: CVE-2012-1013).
- multiple vulnerabilities that allow remote attackers to cause denial of service attacks resulting in buffer over-read, NULL pointer dereference, or application crash (Kerberos 5: CVE-2014-4341, CVE-2014-4344 and CVE-2014-4342).
- multiple vulnerabilities that allow remote attackers to cause denial of service attacks resulting in buffer over-read, application exit, infinite loop, or performance degradation (PHP 5.3: CVE-2013-6712, CVE-2014-0207, CVE-2014-0238, CVE-2014-0237 and CVE-2014-4049).
- a vulnerability that allows local users to overwrite arbitrary files via a symlink attack (PHP 5.3: CVE-2014-3981).
- a vulnerability that allows remote attackers to execute arbitrary code via a crafted string (PHP 5.3: CVE-2014-3515).
Resolution
To fix the security issues, please go to the DSM > Control Panel > DSM Update page and install the latest updates to protect your Synology NAS from malicious attacks. ]]>
</description>
<pubDate>Tue, 26 Aug 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_6</guid>
</item>
<item>
<title>DSM 4.2-3251</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3251</link>
<description>
<![CDATA[ Description
This update for DSM 4.2-3251 addresses the following security vulnerabilities regarding OpenSSL, Kerberos 5, and PHP 5.3:
- multiple vulnerabilities that allow remote attackers to use multiple weaknesses to perform denial of service attacks that cause application crash or CPU consumption (OpenSSL: CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3509, CVE-2014-3510, CVE-2014-3512, and CVE-2014-5139).
- a vulnerability that allows context-dependent attackers to obtain sensitive information from process stack memory (OpenSSL: CVE-2014-3508).
- a vulnerability that allows man-in-the-middle attackers to cause a downgrade to TLS 1.0 even though both server and client support a higher TLS version (OpenSSL: CVE-2014-3511).
- a vulnerability that allows remote authenticated administrators to cause a denial of service by creating a request via KRB5_KDB_DISALLOW_ALL_TIX that lacks a password (Kerberos 5: CVE-2012-1013).
- multiple vulnerabilities that allow remote attackers to cause denial of service attacks resulting in buffer over-read, NULL pointer dereference, or application crash (Kerberos 5: CVE-2014-4341, CVE-2014-4344 and CVE-2014-4342).
- multiple vulnerabilities that allow remote attackers to cause denial of service attacks resulting in buffer over-read, application exit, infinite loop, or performance degradation (PHP 5.3: CVE-2013-6712, CVE-2014-0207, CVE-2014-0238, CVE-2014-0237 and CVE-2014-4049).
- a vulnerability that allows local users to overwrite arbitrary files via a symlink attack (PHP 5.3: CVE-2014-3981).
- a vulnerability that allows remote attackers to execute arbitrary code via a crafted string (PHP 5.3: CVE-2014-3515).
Resolution
To fix the security issues, please go to the DSM > Control Panel > DSM Update page and install the latest updates to protect your Synology NAS from malicious attacks. ]]>
</description>
<pubDate>Tue, 26 Aug 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3251</guid>
</item>
<item>
<title>Important Information about Ransomware SynoLocker Threat</title>
<link>https://www.synology.cn/zh-cn/support/security/SynoLocker</link>
<description>
<![CDATA[ Description
It is confirmed that Synology NAS servers running older versions of DiskStation Manager are being targeted by a ransomware known as “SynoLocker,” which exploits two vulnerabilities that were fixed in November and December 2013, respectively. At that time, Synology released security updates and notified users to update via various channels.
Common Symptoms
Affected users may encounter one of the following symptoms:
- When attempting to log in to DSM, a screen appears informing users that their data has been encrypted and a fee is required to unlock the data.
- Abnormally high CPU usage or a running process called “synosync” (which can be checked at Main Menu > Resource Monitor).
- DSM 4.3-3810 or earlier, DSM 4.2-3236 or earlier, DSM 4.1-2851 or earlier, or DSM 4.0-2257 or earlier is installed, but the system says no updates are available at Control Panel > DSM Update.
Suggestion
For users who have encountered the above symptoms, please shut down the system immediately to prevent more files from being encrypted, and contact our technical support to confirm whether the system is infected. Please note that Synology is unable to decrypt files that have already been encrypted.
If you happen to possess a backup copy of your files (or there are no critical files stored on your DiskStation), we recommend following the steps below to reset your DiskStation and re-install DSM. However, resetting the DiskStation removes the information required for decryption, so encrypted files cannot be decrypted afterward.
1. Follow the steps in this tutorial to reset your DiskStation: http://www.synology.com/support/tutorials/493#t3
2. The latest version of DSM can be downloaded from our Download Center here: http://www.synology.com/download
3. Once DSM has been re-installed, log in and restore your backup data.
For other users who have not encountered the above symptoms, Synology strongly recommends downloading and installing DSM 5.0, or any version below:
- DSM 4.3-3827 or later
- DSM 4.2-3243 or later
- DSM 4.0-2259 or later
- DSM 3.x or earlier is not affected
Users can manually download the latest version from our Download Center and install it at Control Panel > DSM Update > Manual DSM Update. ]]>
</description>
<pubDate>Thu, 07 Aug 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/SynoLocker</guid>
</item>
<item>
<title>DSM 5.0-4493 Update 3</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493_update_3</link>
<description>
<![CDATA[ Description
The update of DSM 5.0-4493 Update 3 addresses the following security vulnerabilities regarding SAMBA:
- a vulnerability that allows remote attackers to perform DoS attacks (causing an infinite loop and CPU consumption) via a malformed UDP packet (CVE-2014-0244).
- a vulnerability that allows remote authenticated users to cause a denial of service by attempting to read a Unicode pathname without specifying the use of Unicode (CVE-2014-3493).
Resolution
To fix the security issues, please go to DSM > Control Panel > Update & Restore > DSM Update and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Thu, 24 Jul 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493_update_3</guid>
</item>
<item>
<title>DSM 4.2-3250</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3250</link>
<description>
<![CDATA[ Description
The upgrade of OpenSSL in DSM 4.2-3250 addresses the following security vulnerabilities:
- a vulnerability that allows remote attackers to exploit a weakness to perform a man-in-the-middle attack in certain OpenSSL-to-OpenSSL communications and obtain sensitive information. (CVE-2014-0224)
- a vulnerability that allows remote attackers to execute arbitrary code or cause a denial of service via a long non-initial fragment. (CVE-2014-0195)
- several vulnerabilities that allow remote attackers to perform various kinds of DoS attacks. (CVE-2014-0221, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470)
Resolution
To fix the security issue, please go to the DSM > Control Panel > DSM Update page and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Wed, 16 Jul 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3250</guid>
</item>
<item>
<title>DSM 4.3-3827 Update 4</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_4</link>
<description>
<![CDATA[ Description
The upgrade of OpenSSL in DSM 4.3-3827 Update 4 addresses the following security vulnerabilities:
- a vulnerability that allows remote attackers to exploit a weakness to perform a man-in-the-middle attack in certain OpenSSL-to-OpenSSL communications and obtain sensitive information. (CVE-2014-0224)
- a vulnerability that allows remote attackers to execute arbitrary code or cause a denial of service via a long non-initial fragment. (CVE-2014-0195)
- several vulnerabilities that allow remote attackers to perform various kinds of DoS attacks. (CVE-2014-0221, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470)
Resolution
To fix the security issues, please go to the DSM > Control Panel > DSM Update page and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Wed, 25 Jun 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_4</guid>
</item>
<item>
<title>DSM 5.0-4493 Update 1</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493_update_1</link>
<description>
<![CDATA[ Description
The upgrade of OpenSSL in DSM 5.0-4493 Update 1 addresses the following security vulnerabilities:
- a vulnerability that allows remote attackers to exploit a weakness to perform a man-in-the-middle attack in certain OpenSSL-to-OpenSSL communications and obtain sensitive information. (CVE-2014-0224)
- a vulnerability that allows remote attackers to execute arbitrary code or cause a denial of service via a long non-initial fragment. (CVE-2014-0195)
- several vulnerabilities that allow remote attackers to perform various kinds of DoS attacks. (CVE-2014-0221, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470)
Resolution
To fix the security issues, please go to DSM > Control Panel > Update & Restore > DSM Update and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Wed, 11 Jun 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493_update_1</guid>
</item>
<item>
<title>DSM 5.0-4493</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493</link>
<description>
<![CDATA[ Description
DSM 5.0-4493 addresses the vulnerabilities below:
- A security issue in the system kernel that allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings. (CVE-2014-0196)
- A PHP security issue that allows remote attackers to cause denial of service attacks to degrade the performance of target servers. (CVE-2014-0237)
- An OpenSSL security issue that allows remote attackers to inject data across sessions or cause a denial of service attack via an SSL connection in a multi-threaded environment. (CVE-2010-5298)
Resolution
To fix the security issues, please go to the DSM > Control Panel > Update & Restore > DSM Update page and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Wed, 04 Jun 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4493</guid>
</item>
<item>
<title>DSM 5.0-4482</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4482</link>
<description>
<![CDATA[ Description
DSM 5.0-4482 addresses the vulnerabilities below:
- A security issue in Windows File Service, fixed to prevent remote attackers from obtaining access. (CVE-2013-4496)
- Several security issues related to cURL. (CVE-2014-0139, CVE-2014-0015, CVE-2013-6422)
- A security issue that could allow cross-site scripting attacks (XSS).
Resolution
To fix the security issue, please go to the DSM > Control Panel > Update & Recovery > DSM Update page and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Thu, 24 Apr 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4482</guid>
</item>
<item>
<title>DSM 4.3-3827 Update 2</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_2</link>
<description>
<![CDATA[ Description
DSM 4.3-3827 Update 2 addresses the vulnerability below:
- A critical security issue in OpenSSL known as Heartbleed, which allows remote attackers to obtain sensitive information from process memory. (CVE-2014-0160)
Read First
The resolution below is not necessary if HTTPS, OpenVPN, and FTPS services were disabled on your DiskStation prior to installing DSM 4.3-3827 Update 2.
Resolution
To fix this security issue, please log in to DSM, go to Control Panel > DSM Update, click Update Settings and select Important Updates Only to see and install the update.
After updating DSM, we recommend renewing the SSL certificate since your SSL encryption keys might have been compromised. Go to Control Panel > DSM Settings > Certificate to check whether you have a third-party or self-signed certificate.
For self-signed SSL certificate renewal:
1. To renew your certificate using DSM, please go to Control Panel > DSM Settings > Certificate, click Create Certificate > Create self-signed certificate.
2. Follow the instructions to complete the self-signed certificate process.
For third-party SSL certificate renewal:
1. To renew your certificate via a third-party certificate authority (CA), please go to Control Panel > DSM Settings > Certificate, click Create certificate > Renew certificate to create a certificate signing request (CSR) and a new private key. Download them to your computer.
2. Use the CSR to acquire a new certificate from your CA.
3. Go to Control Panel > DSM Settings > Certificate and click Import certificate to import the certificate from the CA (server.key, example.crt).
As a precaution, you can change your DSM passwords, even if there is no evidence that your data was accessed using this vulnerability.
A self-signed certificate refers to a certificate that was created and signed by the same entity whose identity it certifies (in this case, the Synology NAS). Self-signed certificates provide less proof of the identity of the server and are usually only used to secure channels between the server and a group of known users. ]]>
</description>
<pubDate>Mon, 21 Apr 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_2</guid>
</item>
<item>
<title>VPN Server 1.2-2414 & 1.2-2318</title>
<link>https://www.synology.cn/zh-cn/support/security/VPN_Server_1_2_2414_1_2_2318</link>
<description>
<![CDATA[ Description Security_Advisory_VPN_Server_1_2_2414_1_2_2318_description_content Read First Security_Advisory_VPN_Server_1_2_2414_1_2_2318_Read_First_content Resolution Security_Advisory_VPN_Server_1_2_2414_1_2_2318_resolution_content ]]>
</description>
<pubDate>Fri, 18 Apr 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/VPN_Server_1_2_2414_1_2_2318</guid>
</item>
<item>
<title>DSM 4.2-3248</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3248</link>
<description>
<![CDATA[ Description
DSM 4.2-3248 addresses the vulnerability below:
- A critical security issue in OpenSSL known as Heartbleed, which allows remote attackers to obtain sensitive information from process memory. (CVE-2014-0160)
Read First
The resolution below is only necessary if you enabled or used HTTPS, VPN, and FTPS services on your DiskStation prior to installing DSM 4.2-3248 Update 2.
Resolution
To fix this security issue, please go to DSM > Control Panel > DSM Settings and install the latest update to protect your DiskStation from this vulnerability.
After updating DSM, we recommend renewing the SSL certificate since your SSL encryption keys might have been compromised. Go to Control Panel > DSM Settings > Certificate to check whether you have a third-party or self-signed certificate.
For self-signed SSL certificate renewal:
1. To renew your certificate using DSM, please go to Control Panel > Security > Certificate, click Create Certificate > Create self-signed certificate.
2. Follow the instructions to complete the self-signed certificate process.
For third-party SSL certificate renewal:
1. To renew your certificate via a third-party certificate authority (CA), please go to Control Panel > DSM Settings > Certificate, click Create certificate > Renew certificate to create a certificate signing request (CSR) and a new private key. Download them to your computer.
2. Use the CSR to acquire a new certificate from your CA.
3. Go to Control Panel > DSM Settings > Certificate and click Import certificate to import the certificate from the CA (server.key, example.crt).
As a precaution, you can change your DSM passwords, even if there is no evidence that your data was accessed using this vulnerability.
A self-signed certificate refers to a certificate that was created and signed by the same entity whose identity it certifies (in this case, the Synology NAS). Self-signed certificates provide less proof of the identity of the server and are usually only used to secure channels between the server and a group of known users. ]]>
</description>
<pubDate>Tue, 15 Apr 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3248</guid>
</item>
<item>
<title>DSM 5.0-4458 Update 2</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4458_update_2</link>
<description>
<![CDATA[ Description
DSM 5.0-4458 Update 2 addresses the vulnerability below:
- A critical security issue in OpenSSL, known as Heartbleed, which allows remote attackers to obtain sensitive information from process memory. (CVE-2014-0160)

Read First
The resolution below is only necessary if you enabled or used the HTTPS, VPN, or FTPS services on your DiskStation before installing DSM 5.0-4458 Update 2.

Resolution
To fix this security issue, go to DSM > Control Panel > DSM Update and install the latest update to protect your DiskStation from this vulnerability.

After updating DSM, we recommend renewing the SSL certificate, since the server's private key might have been leaked while the vulnerable version was running. Renewing a certificate while keeping the old private key does not help; a new key pair must be generated. Go to Control Panel > Security > Certificate to check whether you have a third-party or self-signed certificate.

For self-signed SSL certificate renewal:
1. Go to Control Panel > Security > Certificate and click Create Certificate > Create self-signed certificate.
2. Follow the instructions to complete the self-signed certificate process.

For third-party SSL certificate renewal:
1. Go to Control Panel > Security > Certificate and click Create certificate > Renew certificate to create a certificate signing request (CSR) and a new private key. Download them to your computer.
2. Use the CSR to acquire a new certificate from your CA.
3. Go to Control Panel > Security > Certificate and click Import certificate to import the new private key together with the certificate issued by the CA (for example server.key and example.crt).

As a precaution, you can also change your DSM passwords, even if there is no evidence that your data was accessed through this vulnerability.

A self-signed certificate is a certificate that was created and signed by the same entity whose identity it certifies (in this case, the Synology NAS). Self-signed certificates provide less proof of the identity of the server and are usually only used to secure channels between the server and a group of known users. ]]>
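<![CDATA[ The mechanism behind CVE-2014-0160, as an added illustration that is not part of the original advisory and not OpenSSL's code: a TLS heartbeat request carries its own payload length, and the vulnerable server copied that many bytes from memory into the echo response without comparing the field with the length of the record it had actually received. The script models the heap as a byte string in which the received record is followed by a constructed sample of neighbouring data (NEIGHBOURING_HEAP is a made-up stand-in, not real key material). process_heartbeat_vulnerable and process_heartbeat_fixed are this example's own functions; the fixed one applies the same bounds check the OpenSSL patch introduced.

```python
"""Why CVE-2014-0160 (Heartbleed) leaks process memory.

Added illustration, not OpenSSL's code. A TLS heartbeat message (RFC 6520)
is: type (1 byte), payload_length (2 bytes, big-endian), payload, then at
least 16 bytes of padding. Vulnerable OpenSSL trusted payload_length from
the peer when building the echo response; the fix checks it against the
length of the record that actually arrived.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. Passing claimed_length != len(payload)
    forges the length field, which is exactly what a Heartbleed probe does."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * PADDING


def process_heartbeat_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour. `memory` stands in for the process heap: the received
    record occupies memory[:record_len] and whatever follows is unrelated data
    (session keys, cookies, the server's private key...). The copy length comes
    from the attacker-controlled field and is never compared with record_len."""
    if memory[0] != HEARTBEAT_REQUEST:
        return b""
    (payload_len,) = struct.unpack("!H", memory[1:3])
    echoed = memory[3:3 + payload_len]          # may run past the record
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len) + echoed + b"\x00" * PADDING


def process_heartbeat_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """Post-fix behaviour: silently discard (RFC 6520 section 4) any message
    whose header + claimed payload + padding does not fit in the record."""
    if 1 + 2 + PADDING > record_len:            # too short to even carry a length
        return None
    if memory[0] != HEARTBEAT_REQUEST:
        return None
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if 1 + 2 + payload_len + PADDING > record_len:
        return None
    echoed = memory[3:3 + payload_len]          # now provably inside the record
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len) + echoed + b"\x00" * PADDING


# Constructed sample of the bytes that happen to sit after the record on the heap.
NEIGHBOURING_HEAP = b"-----BEGIN RSA PRIVATE KEY-----constructed-sample"


def demo() -> dict:
    """Run an honest heartbeat and a Heartbleed probe through both versions."""
    honest = build_heartbeat(b"hi")
    # Claim enough payload to reach through the padding and into the neighbour.
    over_read = 2 + PADDING + len(NEIGHBOURING_HEAP)
    probe = build_heartbeat(b"hi", claimed_length=over_read)
    return {
        "honest_fixed": process_heartbeat_fixed(honest + NEIGHBOURING_HEAP, len(honest)),
        "probe_vulnerable": process_heartbeat_vulnerable(probe + NEIGHBOURING_HEAP, len(probe)),
        "probe_fixed": process_heartbeat_fixed(probe + NEIGHBOURING_HEAP, len(probe)),
    }


if __name__ == "__main__":
    results = demo()
    print("vulnerable server leaked key material:",
          NEIGHBOURING_HEAP in results["probe_vulnerable"])
    print("fixed server answered the probe:", results["probe_fixed"] is not None)
```

Running the file prints whether the vulnerable version echoed the neighbouring bytes and whether the fixed version answered the probe at all. It also shows why the advisory insists on a new private key rather than just a new certificate: whatever the process held in memory while it was vulnerable may already be in an attacker's hands, and only rotating the key makes that copy worthless. ]]>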
</description>
<pubDate>Thu, 10 Apr 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4458_update_2</guid>
</item>
<item>
<title>DSM 5.0-4458 Update 1</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4458_update_1</link>
<description>
<![CDATA[ Description
DSM 5.0-4458 Update 1 addresses the vulnerability below:
- A security issue allowing cross-site scripting (XSS) attacks.

Resolution
To fix the security issue, go to DSM > Control Panel > DSM Update and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Thu, 27 Mar 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_5_0_4458_update_1</guid>
</item>
<item>
<title>WordPress 3.81-018</title>
<link>https://www.synology.cn/zh-cn/support/security/WordPress_3_81_018</link>
<description>
<![CDATA[ Description
WordPress 3.81-018 addresses the issue below:
- The pingback option is disabled, so the WordPress instance can no longer be abused to send pingback requests at third-party targets as part of a DDoS attack.

Resolution
To fix the security issue, go to Package Center > Update and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Mon, 24 Mar 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/WordPress_3_81_018</guid>
</item>
<item>
<title>Photo Station-2632</title>
<link>https://www.synology.cn/zh-cn/support/security/Photo_Station_2632</link>
<description>
<![CDATA[ Description
Photo Station 6.0-2632 addresses the vulnerability below:
- A security issue allowing unauthorized access to all blog posts.

Resolution
To fix the security issue, go to DSM > Package Center and install the latest package updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Thu, 20 Mar 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/Photo_Station_2632</guid>
</item>
<item>
<title>DSM 4.2-3247</title>
<link>https://www.synology.cn/zh-cn/support/security/DSM_4_2_3247</link>
<description>
<![CDATA[ Description
DSM 4.2-3247 addresses the vulnerabilities below:
- A vulnerability in OpenSSL. (CVE-2013-4353)
- Two vulnerabilities in PHP allowing remote code execution, denial of service, and man-in-the-middle attacks. (CVE-2013-4073, CVE-2013-6420)
- A vulnerability allowing the NTP service to be abused for amplified denial-of-service attacks via the monlist query. (CVE-2013-5211)
- Two vulnerabilities in Windows File Services (SMB) allowing unauthorized access. (CVE-2013-4408, CVE-2012-6150)

Resolution
To fix the security issues, go to DSM > Control Panel > DSM Update and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Thu, 20 Mar 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/DSM_4_2_3247</guid>
</item>
<item>
<title>DSM 4.0-2263</title>
<link>https://www.synology.cn/zh-cn/support/security/DSM_4_0_2263</link>
<description>
<![CDATA[ Description
DSM 4.0-2263 addresses the vulnerabilities below:
- A vulnerability in OpenSSL. (CVE-2013-4353)
- Two vulnerabilities in PHP allowing remote code execution, denial of service, and man-in-the-middle attacks. (CVE-2013-4073, CVE-2013-6420)

Resolution
To fix the security issues, go to DSM > Control Panel > DSM Update and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Thu, 20 Mar 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/DSM_4_0_2263</guid>
</item>
<item>
<title>DSM 4.3-3827 Update 1</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_1</link>
<description>
<![CDATA[ Description
DSM 4.3-3827 Update 1 addresses the vulnerabilities below:
- A vulnerability in OpenSSL. (CVE-2013-4353)
- Two vulnerabilities in PHP allowing remote code execution, denial of service, and man-in-the-middle attacks. (CVE-2013-4073, CVE-2013-6420)
- A vulnerability allowing the NTP service to be abused for amplified denial-of-service attacks via the monlist query. (CVE-2013-5211)

Resolution
To fix the security issues, go to DSM > Control Panel > DSM Update and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Tue, 18 Mar 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827_update_1</guid>
</item>
<item>
<title>RADIUS Server 1.0-0028</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_RADIUS_Server_1_0_0028</link>
<description>
<![CDATA[ Description
RADIUS Server 1.0-0028 addresses the vulnerability below:
- A security issue allowing unauthorized access.

Resolution
To fix the security issue, go to DSM > Package Center and install the latest package updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Tue, 04 Mar 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_RADIUS_Server_1_0_0028</guid>
</item>
<item>
<title>VPN Server 1.2-2314</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_VPN_Server_1_2_2314</link>
<description>
<![CDATA[ Description
VPN Server 1.2-2314 addresses the vulnerability below:
- A security issue allowing unauthorized access. (VU#534284)

Resolution
To fix the security issue, go to DSM > Package Center and install the latest package updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Mon, 03 Mar 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_VPN_Server_1_2_2314</guid>
</item>
<item>
<title>DSM 4.3-3827</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827</link>
<description>
<![CDATA[ Description
Installing DSM 4.3-3827 repairs the DSM operating system and removes malware that was installed through the two vulnerabilities below:
- A vulnerability allowing unauthorized access via File Station; fixed in DSM 4.3-3810 Update 1, released in November 2013. (CVE-2013-6955)
- A vulnerability allowing unauthorized access to DSM over HTTP; fixed in DSM 4.3-3810, released in December 2013. (CVE-2013-6987)

Common Symptoms
The following are common symptoms on an affected DiskStation or RackStation:
- Exceptionally high CPU usage in Resource Monitor: CPU time consumed by processes such as dhcp.pid, minerd, synodns, PWNED, PWNEDb, PWNEDg, PWNEDm, or any process with PWNED in its name.
- A non-Synology folder: an automatically created shared folder named "startup", or a non-Synology folder under "/root/PWNED".
- Redirection of Web Station: "index.php" redirects to an unexpected page.
- A non-Synology CGI program: after logging in to the terminal via SSH or telnet, files with meaningless names exist under "/usr/syno/synoman".
- A non-Synology script file: after logging in to the terminal via SSH or telnet, non-Synology script files such as "S99p.sh" appear under "/usr/syno/etc/rc.d".

Resolution
If you find any of the above, reinstall DSM 4.3-3827 by following the instructions under Resolution of Update Failure below.
If you have not encountered the above symptoms, go to DSM > Control Panel > DSM Update and install the latest updates to protect your DiskStation from malicious attacks.

Resolution of Update Failure
If your DiskStation/RackStation shows any of the symptoms below, it is probably infected by malware:
- The power LED blinks blue.
- You cannot log in to DSM. Error message: "System is getting ready..."
- Synology Assistant shows "Starting Services..."
- The status LED blinks orange and Synology Assistant shows "Migratable" status.
Please note that a damaged motherboard can also cause the blue LED to blink; you can confirm the main board status with the following guide: http://www.synology.com/en-global/support/faq/366

You need to upgrade to DSM 4.3-3827 (or the latest version of DSM for your model) to patch this security vulnerability. If you are unsure how to perform the steps, please contact Synology Support for further assistance: https://account.synology.com/support/support_form.php

There are three solutions to this issue.
Note: If you ever see a message warning that data is about to be deleted, stop and contact Synology Support.

[Solution 1] Use a spare disk - the settings and volume stay intact
1. Remove all disks while the power is off.
2. Insert a spare disk into your DiskStation/RackStation, boot up and install DSM 4.3-3827 (or the latest version of DSM for your model), then power off.
3. Remove the spare disk and insert the original disks back.
4. Synology Assistant will show "Migratable". Right-click the DiskStation in Assistant > Install, and install DSM 4.3-3827 (or the latest version of DSM for your model) on the original disks.

[Solution 2] Reinstall DSM - some settings will be lost, but the volume stays intact
Follow Sec. 3 of the tutorial below to reinstall DSM: http://www.synology.com/support/tutorials/493#t3
Make sure you install DSM 4.3-3827 (or the latest version of DSM for your model).

[Solution 3] Boot up without disks and contact us
1. Remove all disks and try to install DSM with Synology Assistant. The process will stop at a point where telnet port 23 is enabled.
2. Insert all disks back into the DiskStation/RackStation while the power is still on.
3. Make sure port 23 of your DiskStation is accessible from the Internet (port forwarding for port 23 must be set up properly). Telnet carries commands and credentials in cleartext, so remove the port forwarding rule as soon as Synology Support has finished.
4. Provide Synology Support with your Internet IP address or DDNS name.
5. Once the DiskStation/RackStation boots up properly, manually install DSM 4.3-3827 (or the latest version of DSM for your model) as soon as possible.

After installing the latest DSM with the security fix through any of the three solutions above, go to the shared folder "homes" > "admin" and remove the file named ".profile" if it exists.

Upgrading to DSM 4.3-3827 (or the latest version of DSM for your model) is required to fix this issue. A DiskStation/RackStation can remain vulnerable if the upgrade is not done properly. ]]>
</description>
<pubDate>Fri, 14 Feb 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3827</guid>
</item>
<item>
<title>DSM 4.3-3810 Update 4</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3810_update_4</link>
<description>
<![CDATA[ Description
DSM 4.3-3810 Update 4 addresses the vulnerabilities below:
- Two vulnerabilities in Windows File Services (SMB) allowing unauthorized access. (CVE-2013-4408, CVE-2012-6150)

Resolution
To fix the security issues, go to DSM > Control Panel > DSM Update and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Thu, 09 Jan 2014 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_3_3810_update_4</guid>
</item>
<item>
<title>DSM 4.2-3243</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3243</link>
<description>
<![CDATA[ Description
Installing DSM 4.2-3243 repairs the system and removes malware that was installed through the vulnerability below:
- A vulnerability allowing unauthorized access to DSM over HTTP. (CVE-2013-6987)

Common Symptoms
The following are common symptoms on an affected DiskStation or RackStation:
- Exceptionally high CPU usage in Resource Monitor: CPU time consumed by processes such as dhcp.pid, minerd, synodns, PWNED, PWNEDb, PWNEDg, PWNEDm, or any process with PWNED in its name.
- A non-Synology folder: an automatically created shared folder named "startup", or a non-Synology folder under "/root/PWNED".
- Redirection of Web Station: "index.php" redirects to an unexpected page.
- A non-Synology CGI program: after logging in to the terminal via SSH or telnet, files with meaningless names exist under "/usr/syno/synoman".
- A non-Synology script file: after logging in to the terminal via SSH or telnet, non-Synology script files such as "S99p.sh" appear under "/usr/syno/etc/rc.d".

Resolution
If you find any of the above, reinstall DSM 4.2-3243 or a later version; the reinstallation procedure is the one given in the DSM 4.3-3827 advisory.
If you have not encountered the above symptoms, go to DSM > Control Panel > DSM Update and install the latest updates to protect your DiskStation from malicious attacks. ]]>
</description>
<pubDate>Thu, 14 Nov 2013 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_2_3243</guid>
</item>
<item>
<title>DSM 4.0-2259</title>
<link>https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_0_2259</link>
<description>
<![CDATA[ Description
Installing DSM 4.0-2259 repairs the system and removes malware that was installed through the vulnerability below:
- A vulnerability allowing unauthorized access to DSM over HTTP. (CVE-2013-6955)

Common Symptoms
The following are common symptoms on an affected DiskStation or RackStation:
- Exceptionally high CPU usage in Resource Monitor: CPU time consumed by processes such as dhcp.pid, minerd, synodns, PWNED, PWNEDb, PWNEDg, PWNEDm, or any process with PWNED in its name.
- A non-Synology folder: an automatically created shared folder named "startup", or a non-Synology folder under "/root/PWNED".
- Redirection of Web Station: "index.php" redirects to an unexpected page.
- A non-Synology CGI program: after logging in to the terminal via SSH or telnet, files with meaningless names exist under "/usr/syno/synoman".
- A non-Synology script file: after logging in to the terminal via SSH or telnet, non-Synology script files such as "S99p.sh" appear under "/usr/syno/etc/rc.d".

Resolution
If you find any of the above, reinstall DSM 4.0-2259 or a later version; the reinstallation procedure is the one given in the DSM 4.3-3827 advisory.
If you have not encountered the above symptoms, go to DSM > Control Panel > DSM Update and install the latest updates to protect your DiskStation from malicious attacks. ]]>
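<![CDATA[ A scan for the symptoms listed in the DSM 4.3-3827, DSM 4.2-3243 and DSM 4.0-2259 advisories, as an added example; it is not a Synology tool and not part of the original advisories. It assumes DSM's usual paths (shared folders and home directories under /volumeN/, startup scripts under /usr/syno/etc/rc.d) and reads process names from /proc when run on the box itself. The file and script names in build_constructed_fixture, including S20dropper.sh, are constructed test data; only S99p.sh, the process names, the ".profile" file and the directories come from the advisories. The "files with meaningless names under /usr/syno/synoman" symptom is left to manual review because there is no reliable rule for it.

```python
"""Check a DSM system (or a copy of its filesystem) for the indicators the
DSM 4.3-3827 / 4.2-3243 / 4.0-2259 advisories list.

Added example, not a Synology tool. It assumes DSM's usual layout: shared
folders and home directories live under /volumeN/, startup scripts under
/usr/syno/etc/rc.d. `root` lets the checks run against a mounted copy or a
test fixture instead of /.
"""
import re
import tempfile
from pathlib import Path
from typing import Iterable, List

MINER_PROCESS_NAMES = {"dhcp.pid", "minerd", "synodns"}
SCRIPT_MARKERS = re.compile(rb"minerd|PWNED")


def suspicious_processes(process_names: Iterable[str]) -> List[str]:
    """Process names the advisories tie to the miner: the fixed set above plus
    anything with PWNED in the name (PWNED, PWNEDb, PWNEDg, PWNEDm, ...)."""
    return sorted({p for p in process_names if p in MINER_PROCESS_NAMES or "PWNED" in p})


def running_process_names() -> List[str]:
    """Read process names from /proc (Linux only; returns [] elsewhere)."""
    names = []
    for comm in Path("/proc").glob("[0-9]*/comm"):
        try:
            names.append(comm.read_text().strip())
        except OSError:            # process exited between glob and read
            continue
    return names


def scan_filesystem(root: Path) -> List[str]:
    """Filesystem indicators from the advisories, each reported once."""
    findings: List[str] = []
    if (root / "root/PWNED").exists():
        findings.append("/root/PWNED exists")
    for volume in sorted(root.glob("volume*")):
        if (volume / "startup").is_dir():
            findings.append(f"unexpected shared folder {volume / 'startup'}")
        profile = volume / "homes/admin/.profile"
        if profile.exists():
            findings.append(f"{profile} exists (the advisory says to remove it)")
    rcd = root / "usr/syno/etc/rc.d"
    if rcd.is_dir():
        for script in sorted(rcd.iterdir()):
            if script.name == "S99p.sh":
                findings.append(f"known malicious startup script {script}")
            elif script.is_file() and SCRIPT_MARKERS.search(script.read_bytes()):
                findings.append(f"startup script {script} references minerd/PWNED")
    return findings


def build_constructed_fixture(base: Path) -> Path:
    """Constructed sample of an infected tree, for offline runs and the demo.
    S10clean.sh and S20dropper.sh are made-up names; S99p.sh is from the advisory."""
    (base / "root/PWNED").mkdir(parents=True)
    (base / "volume1/startup").mkdir(parents=True)
    (base / "volume1/homes/admin").mkdir(parents=True)
    (base / "volume1/homes/admin/.profile").write_text("cd /root/PWNED && ./minerd &\n")
    rcd = base / "usr/syno/etc/rc.d"
    rcd.mkdir(parents=True)
    (rcd / "S10clean.sh").write_text("#!/bin/sh\necho legitimate\n")
    (rcd / "S20dropper.sh").write_text("#!/bin/sh\n/root/PWNED/minerd -o pool:3333 &\n")
    (rcd / "S99p.sh").write_text("#!/bin/sh\n")
    return base


def demo() -> dict:
    """Scan the constructed fixture, an empty tree, and a constructed process list."""
    fixture = build_constructed_fixture(Path(tempfile.mkdtemp()))
    clean = Path(tempfile.mkdtemp())
    return {
        "infected": scan_filesystem(fixture),
        "clean": scan_filesystem(clean),
        "processes": suspicious_processes(["sshd", "httpd", "PWNEDg", "minerd", "synoscgi"]),
    }


if __name__ == "__main__":
    # On a live DSM box: run as root over the real filesystem and process list.
    for line in scan_filesystem(Path("/")) + suspicious_processes(running_process_names()):
        print(line)
```

A clean result from this scan does not prove the system is clean (the miner's file names can change), but any hit means the box should be treated as compromised and reinstalled as the advisories describe rather than merely updated. ]]>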
</description>
<pubDate>Thu, 14 Nov 2013 00:00:00 +0800</pubDate>
<author>security@synology.com (Synology Security Team)</author>
<guid isPermaLink="true">https://www.synology.cn/zh-cn/support/security/hotfix_dsm_4_0_2259</guid>
</item>
</channel>
</rss>