Security Bulletin

It’s really not that hard.

Tap supervisor, and if there’s an update available for core it will be right there at the top of the page. You can set an automation to send you a notification so you don’t even need to check.

Updates for supervisor are automatically applied, so you don’t have to do anything.

Can’t comment on OS, but I suspect it’s just as easy as core.

Not sure what the vulnerabilities are but kudos to the dev team for putting out updates to address them. I agree with other comments above that state we as users are ultimately responsible for custom component installations to our systems… But the awareness and responsiveness from the dev team is much appreciated.

Right so my primary gripe is about checking what the latest release version is of these anyway… they do say there are updates available if I happen to go to that page, but then the “release notes” on Core sends me to a blog post about a major version from December, nothing even seems to be posted about the other two. When I see one needs updating, I’d like to verify outside of HA that the other two are up to date. If it’s not hard, can you link me to any place online that shows the current version number of the three of these?

Release notes get added to the blog posts - just scroll down…

2 Likes

So I have to scroll through a bunch of posts and figure out which is talking about OS vs Core vs Supervisor… I was trying to make a nice suggestion to add some tracker at the top of the home page that just has the latest version number of each posted without having to dig. But I guess my internet illiteracy is enough to make everyone angry

FYI, you can access the list of all most-current versions the same way HA checks. You can also make a sensor inside HomeAssistant based on this:

https://version.home-assistant.io/stable.json

No need to reinvent the wheel: https://www.home-assistant.io/integrations/version/

No, you don’t have to scroll through ‘a bunch of posts’ and you don’t have to do any ‘figuring out’ of any such thing.

1 Like

my primary gripe is about checking what the latest release version is of these anyway

This already exists in your Supervisor System tab.

I’d like to verify outside of HA that the other two are up to date

How do you propose that anything other than your own HA installation is going to know if it’s up to date?

1 Like

Just here to say thanks! Would love to hear what the issue was. Maybe later, when all vulnerabilities are fixed (by the authors of the custom integrations.) Since it might be a strategy to first have the fixes in place before communicating what is going wrong.

So… the HA team shouldn’t have released their “fix” (nothing in HA was technically broken) to protect against the possible “exploit” and instead, waited for the third party applications, that may have been unscrupulously extracting data about your home on purpose, to remove that behavior from their code?

Okay, I understand not everyone can understand these things but sometimes it’s best to assume we are in good hands and be patient: The fix (filter) is in release .3 that everyone was advised to upgrade to. Regardless of how many, if any, active inappropriateness was out there, HA will now block and log the activity, and we all are reminded that custom code carries a risk that the HA team cannot be liable for.

If there is one thing about our community that is consistent, everyone is very protective of their precious (Home Assistant), perhaps too much so. :grin:

For everyone that works on HA, thank you for all that you do.

I’m on 2021.1.2 but supervisor is saying new update available to 2021.1.0?

Anyone else get that too? I guess I can just update via terminal

I’ve added a simple card to my HA Core main page to check and highlight any new versions …

```yaml
# Lovelace entities card; the "style:" block needs a card-styling add-on
# (card-mod), it is not part of the built-in entities card.
type: entities
style: |
  ha-card {
    # Turn the card red whenever the two version sensors differ
    color: {% if states('sensor.hass_current_version') != states('sensor.hass_installed_version') %} red {% endif %};
  }
entities:
  - entity: sensor.hass_current_version
  - entity: sensor.hass_installed_version
    style:
      color: 'var(--version-color)'
```

sensors.yaml

```yaml
# Version and Availability
  # Latest published Core version, read from the PyPI JSON API once an hour
  - platform: rest
    name: "HASS Current Version"
    resource: https://pypi.python.org/pypi/homeassistant/json
    value_template: '{{ value_json.info.version }}'
    scan_interval: 3600

  # Installed Core version, read from the .HA_VERSION file in the config directory
  # (the file holds a single line, so head -5 returns just that line)
  - platform: command_line
    name: "HASS Installed version"
    command: "head -5 /home/homeassistant/homeassistant/.HA_VERSION"
```
1 Like
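The card above compares the two sensor states with a plain string inequality, which also lights up red when the installed build is newer than the published one (for example a beta, or the 2021.1.2 vs 2021.1.0 confusion reported a few posts up). The following script is an added example, not code from this thread or from the Home Assistant project: it reads the same two inputs the sensors use (the `info.version` field of the PyPI JSON payload, and the first line of a `.HA_VERSION` file) and does an ordered comparison instead. Both inputs are constructed samples embedded inline; the CalVer parsing (`YYYY.M.P` with an optional `bN` beta suffix) is an assumption of this example and rejects anything else.

```python
"""Compare an installed Home Assistant Core version against the latest
published one with an ordered comparison rather than a string inequality.

Added example, not code from the thread or from Home Assistant itself.
Assumed: the PyPI payload has the shape the rest sensor reads (info.version)
and the installed version is the first line of a .HA_VERSION-style file.
"""
import json
import re
from typing import Tuple

# Constructed sample of the PyPI JSON response, reduced to the field used.
SAMPLE_PYPI_JSON = json.dumps({"info": {"name": "homeassistant", "version": "2021.1.3"}})

# Constructed sample .HA_VERSION content; the trailing newline is deliberate,
# since the command_line sensor's raw output carries it too.
SAMPLE_HA_VERSION_FILE = "2021.1.2\n"

# Assumed version shape: year.month.patch with an optional beta suffix (e.g. 2021.2.0b1)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:b(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Parse a CalVer string into a tuple that sorts correctly.

    The fourth element is 1 for a final release and 0 for a beta, so
    2021.2.0b1 sorts before 2021.2.0; the fifth element is the beta number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    year, month, patch, beta = m.groups()
    if beta is None:
        return (int(year), int(month), int(patch), 1, 0)
    return (int(year), int(month), int(patch), 0, int(beta))


def latest_from_pypi(payload: str) -> str:
    """Extract info.version, exactly what the rest sensor's value_template reads."""
    return json.loads(payload)["info"]["version"]


def installed_from_file(content: str) -> str:
    """Take the first line of a .HA_VERSION file with surrounding whitespace removed."""
    return content.splitlines()[0].strip()


def update_status(installed: str, latest: str) -> str:
    """Classify installed vs latest: 'update available', 'up to date' or 'ahead of latest'."""
    i, l = parse_version(installed), parse_version(latest)
    if i < l:
        return "update available"
    if i > l:
        return "ahead of latest"
    return "up to date"


if __name__ == "__main__":
    installed = installed_from_file(SAMPLE_HA_VERSION_FILE)
    latest = latest_from_pypi(SAMPLE_PYPI_JSON)
    print(f"installed={installed} latest={latest}: {update_status(installed, latest)}")
```

Swapping the constructed samples for a real `urllib.request` fetch of the PyPI URL and a read of the real `.HA_VERSION` path gives a check that runs outside Home Assistant, which is what the earlier post asked for.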

Hmm… I appear to be a bit buggered. When I try to update, I get an error. Supervisor says:

You are running an unsupported installation.
Your installtion is running in an unhealthy state.

The fix for the unsupported installation appears to be to… update Home Assistant. However, I cannot update while running in an unhealthy state. It is unclear from the log what is causing me to be in an unhealthy state.

Never had this before.

So… the HA team shouldn’t have released their “fix” (nothing in HA was technically broken) to protect against the possible “exploit” and instead, waited for the third party applications, that may have been unscrupulously extracting data about your home on purpose, to remove that behavior from their code?

No, you misunderstood me or I haven’t written it down in a proper way (English is not my native tongue).

Let me try again. I don’t want my message to be misinterpreted.

First of all: I appreciate it a lot (hence the thank you) that the devs of Home Assistant fixed the issue on the Home Assistant side and that they did inform us that there is a possible issue outside Home Assistant. I did not say or intend to say that they shouldn’t have. On the contrary, I thank them.

What I meant is that I would understand that currently they don’t fully explain what custom integration could be causing a possible risk. That’s what I meant with the ‘strategy’. I assumed that there is an external developer in good faith who wants to fix the issue in the custom integration, and that they need some time to fix it. With the immediate threat being stopped there is some time to wait with providing information until the external software has had the opportunity to fix it, and make sure the root cause is also fixed.

Like it is done in cases of data breaches, where possible: explain what happened after it’s fixed to prevent others from using the exploit.

I’d love to hear it, because as a newer user I can learn what makes my system vulnerable.

Okay, I understand not everyone can understand these things but sometimes it’s best to assume we are in good hands and be patient: The fix (filter) is in release .3 that everyone was advised to upgrade to. Regardless of how many, if any, active inappropriateness was out there, HA will now block and log the activity, and we all are reminded that custom code, carries a risk that the HA team cannot be liable for.

Wow. Since you reply to my message I feel you see me as a person without trust and patience. I just hope my explanation above helped to make my point, because the way you describe me as not understanding is incorrect. I have patience and trust. I don’t have any demands (only things I would love to see) and am very grateful to be able to use open source software others wrote in their spare time.

For everyone that works on HA, thank you for all that you do.

And also in that… we find agreement :wink:

3 Likes

Because there was none. This is pro-active mitigation.

I realise English is not your first language but read the announcement again. There is no suggestion that anything bad has happened, just that they (the devs) recognise the possibility it could happen and are reacting to that.

Think of it this way:

Your chicken coop has holes. We want to patch them before the varmints get in. They ain’t got in yet but we see where they could.

3 Likes

Thanks! I did understand but see I didn’t write it down properly. I corrected my sentence. Much appreciated. :slight_smile:

I disagree.
There is no way the Hass team could know if the security hole has been used until now.
So it is not correct to say it has not happened, in the exact same way as it is not correct to say it has happened.

2 Likes

I understand that the Hass developers cannot and should not vet and check custom components.
However, what should be done is better management of custom components.
By better I mean: some restrictions on the capabilities / accesses available to custom components.
I am thinking about a special user to run custom components which is more controlled / walled.

I am not knowledgeable enough to understand if this is feasible but something shall be done.

I suggest that maybe next what the heck may be dedicated to security and privacy…

13 posts were split to a new topic: How to find the current version(s)