Security Bulletin

I’m not a developer, just a spectating user, but here’s the relevant part of the .2 commit: https://github.com/home-assistant/core/compare/2021.1.1...2021.1.2#diff-fcd766ca652cf2b9cb54a1c6edf81083c1a3857870a87d33d84f37e2aa2f616e

There’s some new logic to log (and prevent?) “request[s] and block commonly known exploit attempts”

I imagine someone found a custom_component out there acting in bad faith. We should wait for their official update; so far the HA team has handled these well imo and I appreciate this warning going up while they investigate further.

5 Likes

Make a snapshot. Update. If it does, you can simply revert. This should be standard update procedure anyways.

1 Like

It may not be deliberate by the custom component. Just that input isn’t being sanitised and therefore exploitable.

Good point, thanks. Due to my line of work I typically jump to malicious actors, because I’ve seen it all!

That is my standard procedure but I’m currently away from home so reluctant to risk the update. On top of everything else HA waters my garden and it’s hot in Perth this week!

4 Likes

15 posts were split to a new topic: Managing secrets

i get that it’s not about HA. but you didn’t say how/what about 2021.1.2 addresses the issue.

3 Likes

To update Home Assistant, click on the Supervisor menu item

Do you mean Hass.io? I’m so confused. There’s a big issue with the naming of different parts of this project that needs to be resolved. The name “Home Assistant” is ambiguous. It can refer to the core project or to the entire distribution. The main web site is not perfectly clear about that too. A first-time visitor may think that they need a Raspberry Pi to use Home Assistant. In reality there are many different distributions that include different components and operate slightly differently. For example, I use a Home Assistant docker container on my NAS that doesn’t have a supervisor.

3 Likes

Hass.io” is not a term we use anymore. It was ambiguous by itself as well.

This is a new release of the Home Assistant Core application, which runs on all, no matter which installation method you use.

3 Likes

My Supervisor menu isn’t showing any available updates. Is there a way to force the check? I already followed directions to click the Reload on the System tab to no avail.

can use ssh addon.

ha core update --version  2021.1.2

It should be available though… I got a notification a few hours ago

1 Like

I don’t know what it is about my setup, but at times I don’t get notifications for a week or two. The only way I can reliably force the notification to appear is to reboot the host, which is a rather heavy-handed for my liking.

While “disable all your custom components” is prudent until the risk is analysed, “all custom components run at your own risk” does not work for me as a security posture.

Moving forward can we please get some clarity from the developers over exactly what reach into the home assistant environment, config files etc a custom component (not an add on) has and where it’s restricted?

Thank you

3 Likes

Are you saying you think a custom component shouldn’t be able to read configuration.yaml?

If so, how would you configure a custom component?

If you meant something else, my apologies.

3 Likes

Do you think it might be an idea to put the pitchforks down and wait for more information which is surely forthcoming?

27 Likes

This should also be posted on https://alerts.home-assistant.io/

Is this why Alexa sensors {timer, alarm, ect} are no longer available?

Doesn’t this functionality already exist? Add-ons for one have separate config files. Integrations can be configured in a separate yaml file. Name the file integration_name.yaml then add

integration_name: !include integration_name.yaml

in config.yaml.

Or am I miss understanding the use of setting up individual configs this way? I just assumed this would limit an integration to only it’s own config file.

For organization not security

Files can be separated to make more human readable and allow config separate in manner logical to user.

Nothing to do with security

secrets.yaml was for security. Remove passwords from config. Not sure how access to this is managed for integration

2 Likes

secrets.yaml is just a txt file to store your passwords etc so that you could exclude the file from being uploaded to git or shared. There isn’t any security on this file i believe

Storing secrets - Home Assistant (home-assistant.io)

4 Likes