[Package Request] Updates for SynoCli Network Tools

[jonathanweinberg]

Just a heads up about a couple packages within SynoCli Network Tools that are out of date.

Further, as of 2019/07/23, the GNU Screen version being distributed also has a fairly severe CVE that's been since been fixed.

Details below!

If someone wants to do a bit of hand holding with me, I'd be happy to help out in implementing / testing changes needed.

GNU Screen

GNU Screen	---
Version in use	4.0.3
Current version	4.6.2
Specific Escalation CVE	CVE-2017-5618
General CVE's for Product	All CVE's

sshfs

sshfs	---
Version in use	2.10
Current version	3.5.2
Patch Note Urging 3.x	From 2.10 release

socat

socat	---
Version in use	1.7.3.2
Current version	1.7.3.3
Note	Bugfix update.

tmux

tmux	---
Version in use	2.9a
Current version	2.9a
Note	There is an RC 3.0rc3 available.

mosh

mosh	---
Version in use	1.3.2
Current version	1.3.2

nmap

nmap	---
Version in use	7.70
Current version	7.70

fritzctl

fritzctl	---
Version in use	1.4.23
Current version	1.4.23

[ymartin59]

GNU screen is cross-compiled thanks to "heavy" patches which do not seem easy to port to recent versions (already give it a trial): https://github.com/SynoCommunity/spksrc/tree/master/cross/screen/patches
So if you volonteer to work on it, no problem, but my point of view is that tmux is a good replacement and screen may be removed from packages.

[jonathanweinberg]

It's my opinion that it might be a good thing to simply separate screen out and give a mention of potential security flaws existing in the "new" screen package. Recommend the tmux package in the SynoCli package description, over the separate screen package

[hgy59]

GNU screen is cross-compiled thanks to "heavy" patches which do not seem easy to port to recent versions (already give it a trial): https://github.com/SynoCommunity/spksrc/tree/master/cross/screen/patches

The update to screen version 4.8.0 in #4195 works without all these patches 😉

[hgy59]

sshfs update to version > 2.x needs the meson build system that is not yet provided with this framwork.
A lot of the newer GNOME stuff builds with meson only (fuse, glib, ...)

[GwynethLlewelyn]

@ymartin59 please note that SynoCli Network Tools does not work under DSM 7 (currently still in Beta) because allegedly it requires root access (which has been made forbidden under DSM 7+). It would be nice to try to update the package to become DSM 7-compliant.

Note that, fortunately, while DSM 7 Beta 'suspends' the package from running/executing, it did not remove the installed binaries, which (thankfully!) still run! I rely on SynoCli Network Tools for rsync, so I hope that future versions of DSM 7 will still keep the binaries around (at least, until you have a chance to update the whole package).

Also, please note that the other SynoCli packages will not work under DSM 7, either. The above issue is common to all of them.

[hgy59]

@GwynethLlewelyn the DSM7 support for all packages is still under development. See #4215. Contributions on the dsm7 branch are welcome.

[hgy59]

Current stati

• screen 4.8.0
• sshfs (still v2.10)
• socat 1.7.3.4
• tmux 2.9a
• nmap 7.80
• fritzctl 1.4.23

Dedicated package

• mosh 1.3.2

[hgy59]

created #4334 for the remaining request to update sshfs