rclone version and security concern

kiriak

Contributor
Joined
Mar 2, 2020
Messages
122
Maybe not a major issue, but there is a recommendation to update rclone due to less strong passwords in certain versions.

https://en.wikipedia.org/wiki/Rclone

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28924


According to posts in the following thread, the user cannot update rclone:

https://www.truenas.com/community/threads/how-to-update-rclone.84684/


In my test TrueNAS setup with the latest Core version, rclone is 1.53.1, I think.
Is this a concern regarding encrypted cloud backups?
 

kiriak

Contributor
Joined
Mar 2, 2020
Messages
122
Oh....
you are trying to teach an old dog new tricks :grin:

anyway, I'll see what I can do ..........
 

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,947
Looks to me like U6 has 1.56 in it
 

kiriak

Contributor
Joined
Mar 2, 2020
Messages
122
Unfortunately,
my newly installed U6 still reports rclone v.1.53.1-DEV
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
> Unfortunately,
> my newly installed U6 still reports rclone v.1.53.1-DEV
Confirmed. On my 12.0-U6, I see:

Code:
root@raven:~ # rclone --version
rclone v1.53.1-DEV
- os/arch: freebsd/amd64
- go version: go1.16.4
 
Joined
Oct 22, 2019
Messages
3,641
The ticket says
Status: Done
Fix Version(s): 12.0-U6


But like @Samuel Tai and @kiriak, I just confirmed on U6, it is 1.53.1-DEV
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Looking at the actual git commits in https://jira.ixsystems.com/browse/NAS-111588, it's not a full upgrade to 1.56, but a minor backport of a file validity check to stop assuming a non-zero-size object is a file:

Code:
net/rclone/Makefile

# $FreeBSD$
 
PORTNAME= rclone
-PORTREVISION= 2
+PORTREVISION= 3
DISTVERSIONPREFIX= v
DISTVERSION= 1.53.1
CATEGORIES= net
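Review bot: DISTVERSION stays at 1.53.1 and only PORTREVISION moves from 2 to 3, so nothing in this hunk tells a reader that the new revision carries a backported patch rather than a version upgrade. State that in the commit message or the ticket's fix description, since a binary built from this port still identifies itself as 1.53.1.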


Code:
net/rclone/files/patch-backend__drive__drive.go
--- backend/drive/drive.go.orig
+++ backend/drive/drive.go
@@ -1321,8 +1321,8 @@ func (f *Fs) newLinkObject(remote string, info *drive.File, extension, exportMim
 //
 // When the drive.File cannot be represented as an fs.Object it will return (nil, nil).
 func (f *Fs) newObjectWithInfo(remote string, info *drive.File) (fs.Object, error) {
- // If item has MD5 sum or a length it is a file stored on drive
- if info.Md5Checksum != "" || info.Size > 0 {
+ // If item has MD5 sum it is a file stored on drive
+ if info.Md5Checksum != "" {
   return f.newRegularObject(remote, info), nil
  }
 
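Review bot: at the `if info.Md5Checksum != ""` check in newObjectWithInfo, the new comment says what is tested but not why `info.Size > 0` was dropped. An item that reports a size but no MD5 now falls through to the code below and, per the doc comment above the function, may end up as (nil, nil); name the item types this is meant to exclude in the comment and add a test for a sized item without a checksum.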
@@ -1355,8 +1355,8 @@ func (f *Fs) newObjectWithExportInfo(
   // Pretend a dangling shortcut is a regular object
   // It will error if used, but appear in listings so it can be deleted
   return f.newRegularObject(remote, info), nil
- case info.Md5Checksum != "" || info.Size > 0:
-  // If item has MD5 sum or a length it is a file stored on drive
+ case info.Md5Checksum != "":
+  // If item has MD5 sum it is a file stored on drive
   return f.newRegularObject(remote, info), nil
  case f.opt.SkipGdocs:
   fs.Debugf(remote, "Skipping google document type %q", info.MimeType)
 
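Review bot: the `case info.Md5Checksum != "":` arm in newObjectWithExportInfo repeats the condition and comment from newObjectWithInfo, so the two can drift apart again; consider one shared predicate used by both (for example an isRegularFile helper, name hypothetical). Also check the case order: a sized item without an MD5 now reaches the `f.opt.SkipGdocs` arm and is logged as "Skipping google document type", which is misleading if the item is not a Google document.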