Dirty Cow (CVE-2016-5195)

My MyCloud device comes with Linux 3.10.39. Today 3.10.104 was released, which also fixes CVE-2016-5195 and certainly other issues since 3.10.39. Hopefully WD will release an update soon.

If you really think about it, the kernel on my device was compiled in August 2015; 3.10.39 was released in May 2014.

P.S. Don’t come with an apologetic reason why WD doesn’t update. I know all the reasons and I think none of them is valid. WD already used a longterm supported kernel, so there is no reason not to keep up to date with it.

Must be wonderful to be omniscient! :slight_smile: For one, I’d be interested in your ideas of how this product would be vulnerable. Through what vector? Do you allow people shell access to your NAS?

If you’re expecting an answer from WD Support, chances are good you won’t get one. This is primarily a user-to-user support forum. If you want an official answer from WD, then contact support directly through the WD main website.

One is free to roll their own firmware for the My Cloud using the GPL version that can be downloaded from the WD Support site.

Or one is free to install one of the unofficial OS versions discussed elsewhere in this subforum using SSH. Those unofficial OS versions may have newer versions of Linux, or allow one to do an apt-get without bricking their My Cloud.

That is what I meant. It is an apology for not fixing something. The kernel version on the NAS is 3.10.39, current is 3.10.104 (longterm support kernel). Some security issues during that time are local, others were not. I just think that WD should keep the firmware up to date, especially if it is a long term support kernel.

But it isn’t just the kernel. Samba is the most important piece of software because it can’t be turned off and it is the way to use it for most users, and the version used on my MyCloud is 4.0.9. Is this old version fixed against those security issues? Samba - Security Updates and Information

I don’t suggest that WD should put Samba 4.5 or Linux 4.8 on the machine, I just want a secure device and for most people putting a different OS on it isn’t an option. Also WD made even little modifications rather hard. (Putting a public key into /home/root is possible but after a reboot it is gone.)

And the whole “we need to test and make sure everything runs fine” argument is also a stretch when you see this while checking which version Samba is:

WARNING: The "null passwords" option is deprecated
WARNING: The "use spnego" option is deprecated

And why am I frustrated? Because these are fixable issues.

I seem to recall the version of Samba is only a release candidate, not a full release.

I’m with you; I wish WD would keep the OS up-to-date, especially security patches. It’s pretty poor not to.