Security Alert! All SinoVoip provided OS images insecure!

tkaiser · May 3, 2016, 11:02am

Just for your information. All OS images provided by SinoVoip for M2+ are affected by a local privileges escalation security flaw that might be remotely exploitable if the board is connected to network/internet: http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/

I informed SinoVoip 3 days ago but as usual they don’t give a shit about fixing things or security in general: https://github.com/BPI-SINOVOIP/BPI-M2P-bsp/issues/1

Only OS image that fixed this security flaw already is Armbian 5.10.

sinovoip · May 3, 2016, 11:08am

note this , thank you .

tkaiser · May 3, 2016, 11:15am

Great, now action is required. Not only pressing on Like buttons. Updating kernel, updating all OS images, removing outdated crap from download section, start to behave responsibly.

Bye bye

Tido · May 3, 2016, 1:00pm

There are 2 downloads available, one is Android. This is a developer board and will not ship in the thousands, calm down take it easy

sinovoip · May 4, 2016, 1:27am

OK ,we have fixed this issue on our github

sinovoip · May 4, 2016, 3:02am

for BPI-M3 update to fixed this issue:

tkaiser · May 4, 2016, 6:16am

This is not a fix, reasons below: https://github.com/BPI-SINOVOIP/BPI-M3-bsp/issues/10#issuecomment-216756072

When do you start to provide online updates. It’s sooooooooooooo easy and we’ve told you several times. For your users it has to be enough to get the latest and greatest fixes to simply do just an ‘apt-get update/upgrade’ on Debian distros. And on the others provide a script that verifies authenticated installer packages before they are installed.