[Security update] Qfix 1.0.2 for Bash vulnerability

Welcome note and must-know for QNAP Forum members.
User avatar
QNAP Staff
Posts: 5400
Joined: Thu May 21, 2009 2:14 pm
Location: Taipei

[Security update] Qfix 1.0.2 for Bash vulnerability

Post by QNAPJason » Mon Oct 13, 2014 2:22 pm

Qfix 1.0.2

This Qfix fixed the GNU Bash Environment Variable Command Injection Vulnerability (CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, and CVE-2014-7187)

It includes all of the fixes as of QTS 4.1.1 Build 1003. It is not necessary to install this Qfix patch if you have updated your NAS to QTS 4.1.1 Build1003.

[Applicable firmware]
QTS 3.8.3, QTS 3.8.4, QTS 4.0.7, and QTS 4.1.0.
It is recommended that users upgrade to the above firmware and then apply the Qfix.

[Qfix 1.0.1 vs. 1.0.2]
The difference between Qfix 1.0.1 and 1.0.2 on Bash issue is:
The Qfix 1.0.1 includes the update from Red Hat for the CVE-2014-6277 & 6278.
The Qfix 1.0.2 includes the update from official GNU Bash patch update for the CVE-2014-6277 & 6278.

[Applicable NAS]
All models except for TS-109, 209, and 409.

For TS-109/209/409/409U, please get the new firmware from this post:

[How to install Qfix]
The Qfix can be installed in the following steps:
Download “Qfix for Bash security patch" v1.0.2 from the QNAP website (http://www.qnap.com/download)
Upzip the downloaded file to have a .qfix file
Go to “QTS > Control Panel > System Settings > Firmware Update > Firmware Update” to apply the Qfix.

[Download link]
http://download.qnap.com/Storage/Qfix/Q ... 86_ARM.zip


Return to “Announcements”