Critical DSM Update: DSM 6.1.3-15152-4

Synology has released an update to it’s DSM software. DSM 6.1.3–15152 Update 4 fixes some bugs that could cause data lose in some specific situations. If you use the new Btrfs file or have less than three hard drives installed then the data loss bug won’t affect you, although you should still apply the update as it contains other bug fixes.

If your NAS meets the following criteria then you’ll want to take additional steps after installing the update:
* The server is using RAID 5, RAID 6, RAID F1, or SHR with more than 3 disks.
* The volume is created on EXT4 file system.
* The server is running on DSM 6.0.2–8451 and above.

If your NAS meets the above criteria, or you just want to be safe, you’ll need to do RAID scrubbing after the update. RAID scrubbing may take several hours depending on the volume or disk group size. You can use the NAS normally, although performance may be impacted. Don’t turn off your NAS until scrubbing finished.

To start RAID scrubbing, open Storage Manager and select either Disk Group or Volume depending on your NAS configuration. (If you have disk groups available then do the scrubbing from there.) Then select Manage and run the Wizard for RAID scrubbing.

Click Manage to start the wizard
Select Performa RAID Scrubbing and run the wizard

Synology has said that the following NAS models should upgrade as soon as possible as they are potentially affected by this bug.

17 series: RS18017xs+, RS4017xs+, RS3617xs+, RS3617xs, RS3617RPxs, DS3617xs, DS1817+, DS1817, DS1517+, DS1517

16 series: RS18016xs+, RS2416+, RS2416RP+, RS816, DS916+, DS716+II, DS716+, DS416play, DS416slim, DS416j, DS416

15 series: RS815+, RS815RP+, RS815, RC18015xs+, DS3615xs, DS2415+, DS2015xs, DS1815+, DS1515+, DS1515, DS715, DS415+, DS415play

14 series: RS3614xs+, RS3614xs, RS3614RPxs, RS2414+, RS2414RP+, RS814+, RS814RP+, RS814, RS214, DS414slim, DS414j, DS414

13 series: RS10613xs+, RS3413xs+, DS2413+, DS1813+, DS1513+, DS713+, DS413j, DS413

12 series: RS3412xs, RS3412RPxs, RS2212+, RS2212RP+, RS812+, RS812RP+, RS812, DS3612xs, DS1812+, DS1512+, DS712+, DS412+

11 series: RS3411xs, RS3411RPxs, RS2211+, RS2211RP+, RS411, DS3611xs, DS2411+, DS1511+, DS411+II, DS411+, DS411slim, DS411j, DS411

Synology described the bug in an email by writing:

The issue was brought to our attention a few weeks ago when the NAS communities discussed the potential data integrity threat that may occur after a RAID 5 repair. In-house investigation revealed the issue stems from Linux feature known as skip_copy. This open source feature contains a slight design fault that may lead to potential data corruption after a RAID array is repaired from degrade mode. Synology team moved quickly to identify and reproduce the issue, which is resolved in the latest DSM 6.1.3 update.

The update fixes additional issues so it is appropriate for many models not affected with the data integrity bug. The complete list of fixes is:

  1. Fixed HDD hibernation issues to enhance HDD compatibility.
  2. Enhanced overall stability of iSCSI services.
  3. Fixed compatibility issues with VMware environments.
  4. Fixed multiple security vulnerabilities regarding Linux Kernel (CVE–2017–7533, CVE–2017–10661, CVE–2017–10662, CVE–2017–10663).
  5. Enhanced the stability of RAID 5, RAID 6, RAID F1, & SHR.

Synology Releases DiskStation DS418j

New product posting tileSynology has released a new NAS, the DS418j. The J series comprise Synology’s entry level NAS models in which this is the flagship model. The DS418j contains four drive bays and can accommodate up to 40 TB with todays largest capacity drives. The DS418J does not support the new BTRFS file system.

Two camera licenses are included for Surveillance Station and 5 VPN connections are supported by the VPN Server package.

The DS418j is currently available in the U.S. from Amazon.com from 3rd party sellers that are currently charging a premium. Amazon itself has it listed for a significantly lower price ($299) than the 3rd party sellers but it is out of stock. It can be backordered to get the $299 price. NewEgg has it in stock for $299 with free shipping.

The DS416J is still available and at a reduced price (at least it should be reduced. This link will compare the models (it may break when the DS416j is officially discontinued).

Manually Renewing Let’s Encrypt Certificates on a Synology NAS

Let’s Encrypt (LE) is a great service that offers free SSL certificates for websites and similar uses. It’s important to understand that this verifies the site name and provides encryption for traffic to and from the site or device, but it doesn’t verify who owns the site. While you need to verify that you control the site, you don’t provide any identity information. If you’re running an e-commerce website you’ll want to pay for a more enhanced certificate. But if you just want to encrypt communication between your devices and the NAS then this is a great solution.

The initial setup is well documented by Synology, and easily run by stepping through a wizard. The Let’s Encrypt certificates are only valid for 90 days. While the Synology NAS will automatically renew certificates that are over 60 days old, port 80 must be open in order for this to work. The validation process for renewal is done using only port 80, unlike the initial installation port 443 does not need to be open.

In some cases it is not practical or wise to keep port 80 open all the time. For example, I don’t need port 80 open to the internet for my home NAS. Since it is a well know port nefarious people are constantly scanning for port 80 on the internet. Since I don’t need it for anything I’d prefer to just keep it shut down at the router and not worry about it. Even if security wan’t a concern I just want to keep the traffic from these unnecessary scans off my network.

Opening port 80 after 59 days is an option, but not one I like. The Let’s Encrypt client on Synology will try the renewal whenever it gets around to it, which could be several days. Plus, it’s additional work I have to remember to do.

I can manually renew the certificate, and this is my preferred method. It is a manual process but it’s quick (about 5 minutes). Port 80 is open to the internet, but only for that short time.

Manual Let’s Encrypt Certificate Renewal

This has worked for me since DSM 6 and still works with the latest version, DSM DSM 6.1.1-15101 Update 4. The screenshots are from the slightly older DSM 6.1.1-15101 Update 2.

This procedure works if the certificate is within 30 days of it’s expiration date. The date will be displayed in orange when it’s within 30 days of expiration.

This certificate is within 30 days of expiration.
  • Configure your router to forward port 80 to your Synology NAS. This will vary by router but will be the same as during the initial Let’s Encrypt certificate installation.
  • Enable SSH on your Synology NAS:

 

Screen to enable SSH on Synology
  • Open Terminal on your computer. I use Terminal on Mac OS (OS X). On Windows use any terminal application that supports SSH. Putty is a popular choice. You can also use any iOS or Android app that supports SSH. (I like Prompt on the iPad.)
  • Issue the command SSH *adminid*@*NASipADDRESS* where adminid is a user on your NAS that is a member of the administrators group. NASipADDRESS is the IP address of you NAS (or use a name if it resolves to an IP address.) 
Example:

    The home directory error in the example does not affect this procedure and may or may not appear for you.
  • The renewal needs to be done as root, not any old administrator ID. So issue the command sudo -i. Enter your administrator ID password at the password prompt. (The same password you just used to log on to the NAS.)Issue the sudo -i command in terminal
  • Now it’s time to actually renew the certificate. Enter the command /usr/syno/sbin/syno-letsencrypt renew-all -v

The -v is optional. It means verbose and will display any messages. If you don’t use verbose mode then no success or failure message is displayed. You’ll have to check the status in the DSM Control Panel.

Success:

Certificate screen in DSM after successful renewal
Control panel after a successful renewal
Success message on the command line (if -v used)
  • Turn off forwarding of port 80 and disable SSH on the Synology NAS (undo steps 1 & 2)

Your certificate has been renewed for another 90 days. Some Synology mobile apps may warn you of a certificate change which can be annoying. Some apps may stop working until the certificate change is approved. DS Note is the one that catches me all the time so my checklist includes running it after the manual renewal. This happens whether or not this manual method is used or if port 80 is kept open and the renewal is automatic. This is another reason I like manual renewals, since I will be expecting the certificate change and can proactively approve it.

The following screenshot shows the error message displayed (again, only if -v is used) if port 80 isn’t forwarded.

Error displayed in terminal if port 80 isn't forwarded correctly.
Errors if port 80 isn’t forwarded correctly.

DiskStation Manager 5.2-5967-2 Released

Synology released a security update for DiskStation Manager 5. DSM 5.2-5967-2 applies the workaround to mitigate a security vulnerability of libupnp module (CVE-2016-6255).

This duplicates the same patch for DSM 6 that was released last week. Unlike the DSM 6 version of this update, a reboot of the NAS was done.

This Week’s Synology Package Updates (July 22, 2016)

Synology updated nine DiskStation Manager 6 packages this past week. Photo Station was the only package to get updated on DiskStation Manager 5 where it’s changes mirrored the changes in the DSM 6 version of the package. Mail Station was the only package to get a security specific fix. Here’s a roundup of the changes.

CardDAV Server

CardDAV Server has been updated to version 6.0.2-0077 which includes the following changes:

  1. Supports exporting multiple contacts to a VCF file.
  2. Fixed an issue where contacts might not be deleted when the confirmation page was too long.
  3. Fixed an issue where managing contact information might fail when it contained a “ ‘ ” or “ ” character.
  4. Minor bug fixes.

Mail Server

Mail Server has been updated to version 1.6.1-0484 with the following changes:

  1. Supports auto updates via Package Center.
  2. Fixed an issue where the added certificate might be reset to the default certificate after Mail Server upgraded.
  3. Minor bug fixes.

Mail Station

Mail Station has been updated to version 20160707-0277 which includes the following updates:

  1. Supports auto updates via Package Center.
  2. Upgraded Roundcube to version 1.2.0.
  3. Fixed a security vulnerability (CVE-2016-5103).
  4. Minor bug fixes.

Photo Station

Photo Station was updated to version 6.5.2-3225 on DiskStation Manager 6 and version 6.3-2964 on DiskStation Manager 5. Both versions contain the same changes which are:

  1. Fixed an issue where photos might not display properly when album names contain special characters in Personal Photo Station.
  2. Fixed an issue where the content of an email notification sent from Photo Station might not display properly on certain mail clients.
  3. Added an optional toggle for map display in lightbox mode.
  4. Minor bug fixes.

Video Station

Video Station has been updated to version 2.1.1-1229 with the following fixes:

  1. Fixed an issue where the TV recording function might not work properly in Australia and Germany.
  2. Fixed an issue where editing video info might not work properly.
  3. Fixed an issue where public sharing might fail on DS216play.
  4. Fixed an issue where subtitles might not display properly in Safari.
  5. Minor bug fixes.

WebDAV Server

Webdav Server has been updated to version 2.3.0-0020 with the following changes:

  1. Supports configuring subfolder permissions independent of parent folder permissions.
  2. Fixed an issue where Cyberduck might fail to connect to WebDAV Server via HTTPS.
  3. Fixed an issue where autoblock might malfunction when reverse proxy was set up on WebDAV Server.
  4. Minor bug fixes.

Hyper Backup

Hyper Backup has been updated to version 1.1.0-0215 with the following fixes:

  1. Fixed an issue where integrity check results might be incorrect when target size is over 50GB.
  2. Fixed minor issues with the integrity check mechanisms.
  3. Fixed an issue where a Remote Copy task (legacy task type) to rsync server cannot be properly created.
  4. Fixed an issue where multi-version backup to public cloud destinations might use too much local space for cache.
  5. Fixed the false alarm of integrity check due to time resolution issue on FAT file system.

Hyper Backup Vault

Hyper Backup Vault has been update to version 1.1.0-0140 in order to be compatible with Hyper Backup 1.1.0-0215.

Log Center

Log Center has been updated to version 1.0.34-0035 which fixed an issue where Log Center might stop working when the “Archive logs separately according to device” option is enabled.

DiskStation Manager 6.0.1-7393-2 Released

Synology released a security update for DiskStation Manager 6. DSM 6.0.1-7393-2 applies the workaround to mitigate a security vulnerability of libupnp module (CVE-2016-6255).

The update did not do a full reboot (although the release notes say a manual reboot is required for systems using Wi-Fi dongles) but it does restart several services. I seen restarts for QuickConnect, Audio Station, Download Station, Media Station and Video Station. This isn’t a complete list so you should anticipate other services being restarted.

This Week’s Synology Package Updates (July 15, 2016)

It was a slow week for Synology package updates. If you’re running DiskStation Manager 6 and Download Station then there’s an update for you.

Download Station

Download Station was updated to version 3.7.2-3335 which includes the following fixes:

  1. Fixed an issue where creating download tasks via BT/eMule might fail.
  2. Fixed an issue where download tasks from Dailymotion and Rapidgator might fail.
  3. Fixed an issue where creating multiple download tasks via gofile.me links at one time might fail.
  4. Fixed an issue where download/upload rate settings for BT and eMule might not work correctly.
  5. Fixed an issue where changing file-sharing folders of eMule might fail during non-scheduled time.
  6. Fixed an issue where searching BT files might fail.
  7. Minor bug fixes.

This Week’s Synology Package Updates (July 8, 2016)

It was a relatively slow week when it came to DiskStation Manager package updates this past week. While there were a handful of packages updated they were all related to Hyper Backup or Cloud Station.

DiskStation Manager 6 Packages Updated

Hyper Backup

Hyper Backup was updated to version 1.1.0-0209 which includes several nice new features. Dropbox and Google Drive have been added as backup destinations along with over a dozen other enhancements, improvements and bug fixes.

What’s New

  1. Supports checking backup index files to know if any is tampered in previous backup/restoration
  2. Supports checking backup integrity to know if any error occurs due to corrupted destination data
  3. Offers backup statistics to monitor the source size and destination usage
  4. Added alert notification to inform users of abnormal changes on source files or insufficient destination storage (available for DSM 6.0.1 or later)
  5. Added support for backup to WebDAV servers
  6. Added support for backup to Dropbox (including Dropbox Pro and Dropbox Business)
  7. Added support for backup to Google Drive
  8. Added support for backup to the Washington region of IBM Softlayer
  9. Preserves Mac file attributes when performing local copy to HFS+ external storage devices.

Improvements

  1. Enhanced transfer speed and network fault tolerance for backup to public clouds
  2. Enhanced restoration speed of Backup Explorer
  3. Enhanced restoration and relinking speed for the Btrfs file system.

Fixed Issues

  1. Fixed the compatibility issue where backup to an encrypted shared folder might fail on certain models
  2. Fixed an issue where backup/restoration processes might consume system memory
  3. Fixed an issue where non-admin users might fail to back up data to NTFS USB drives
  4. Fixed an issue where Backup Explorer might fail to display more than 1000 files in an encrypted task
  5. Fixed an issue where NAS devices unbound from a high-availability cluster might run duplicate backup tasks.

Hyper Backup Vault

Hyper Backup Vault was updated to version 1.1.0-0134 which fixed compatibility issues with Hyper Backup.

Cloud Station Server

Cloud Station Server was update to version 4.1.0-4224 which contained two changes:

  1. Enhanced the performance of Cloud Station Server database upgrade.
  2. Fixed an issue where locked files might cause client apps to crash.

Connected clients, including Cloud Station Backup clients, were automatically updated to the version 4.1-4224 client.

Synology seems to have confused there own versioning syntax. The Cloud Station Server release notes contain identical entries for Version 4.1.0-4224 and 4.1-4224. The server reflects the former while the client reflects the later.

Cloud Station ShareSync

Cloud Station ShareSync, which is the Cloud Station Client package that runs on a Synology NAS was updated to version 4.1.0-4224 which fixed an issue where locked files might cause client apps to crash.

DiskStation Manager 5 Package Updates

Cloud Station Client

Cloud Station Client, was updated to version 4.1.-4223 which fixed an issue where locked files might cause client apps to crash.

Functionally the Cloud Station ShareSync (on DSM 6) and Cloud Station Client (on DSM 5) packages are the same. Synology just hasn’t aligned them with the newer ShareSync moniker.

This Week’s Synology Package Updates (July 1, 2016)

Synology released a handful of package updates this past week plus one entirely new package. DiskStation Manager 5 is still getting package updates and received updates to Cloud Sync and Surveillance Station. While DiskStation Manager 6 saw updates for VPN Server, Cloud Sync, MailPlus, MailPlus Server.

If you run MailPlus on your Synology NAS then you were introduced to the Synology Application Service which is not required for MailPlus (the client, not the server).

DSM 6 Packages

Synology Application Service

The Synology Application Service is a new service that was released on June 30th which Synology describes as “…you can enhance notification services and customize your personal profile by configuring your own nickname and profile photos.”

It is required by the latest MailPlus package and will be installed if you update that package. The release notes say is supports DSM push notifications.

VPN Server

VPN Server was updated to version 1.3.2-2738 which fixed an issue where PPTP services might fail on certain Synology NAS models after upgrading to DSM 6.0.1.

CloudSync

CloudSync was updated to version 2.1.0-0767 and contains a laundry list of new features, improvements and bug fixes.

Compatibility and Installation

  1. Upgrading to Cloud Sync 2.1.0-0767 is required to create a new cloud sync task without authentication error.

What’s New

  1. Added support for Microsoft Azure Cloud Storage and Azure China
  2. Added support for BackBlaze B2 Cloud Storage
  3. Added support for local last modification time on hubiC, MegaFon, OpenStack Swift, Google Cloud Storage, Microsoft Azure, and BackBlaze B2 Cloud Storage
  4. Added support for SSL verification options
  5. You can now customize the upload part size for Amazon S3 and OpenStack Swift in the task creating wizard
  6. Cloud Sync overview window is resizable.

Improvements

  1. Enhanced algorithm to strengthen the encryption mechanism
  2. Filtered out invalid file extensions for OneDrive for Business
  3. Filtered out file paths longer than 208 characters on OneDrive for Business.

Fixed Issues

  1. Dropbox API has been updated to avoid longpoll looping issues
  2. Fixed an issue where local sync folder may be lost after restoring snapshot
  3. Fixed an issue where file conflict may be wrongly detected for OneDrive for Business
  4. Fixed an issue where resumed downloads may loop on WebDAV
  5. Fixed an issue where sync may fail if files are renamed multiple times
  6. Fixed an issue where renaming Google document files on the server may duplicate the file extension.
  7. Fixed an issue where files may conflict in “Upload local changes only” sync mode
  8. Fixed an issue where files with file names containing [ may be out of sync
  9. Fixed an issue where Amazon S3 multi-part upload may cause memory leak
  10. Fixed an issue where removing subtasks may cause the server to be unable to detect file changes
  11. Fixed an issue where Amazon Cloud Drive may loop when it has no access privilege to a certain file
  12. Fixed Dropbox error code 301
  13. Fixed OneDrive error code 401 on large file uploads
  14. Fixed OneDrive error code 420
  15. Fixed Amazon Cloud Drive error codes 409 and 429.

MailPlus

The MailPlus Client has been updated to version 1.3.0 with the following changes.

  1. Supports Push Notification Service (requires MailPlus/MailPlus Server 1.1.0 or above)
  2. Supports OpenPGP for email encryption and decryption (requires MailPlus/MailPlus Server 1.1.0 or above)
  3. Supports passcode lock to protect user privacy
  4. Enhanced message loading performance
  5. Minor bug fixes

MailPlus Server

The MailPlus Server has been updated to version 1.1.0-0208 with the following changes:

  1. Supports STARTTLS in the high-availability cluster.
  2. Enhanced server performance.
  3. Optimized setup procedure for creating the high-availability cluster.
  4. Fixed an issue where LDAP user accounts might be disabled under certain circumstances.
  5. Minor bug fixes.

DSM 5 Packages

CloudSync

CloudSync was updated to version 1.0-0484 with it’s own laundry list of changes:
Compatibility and Installation

  1. Upgrading to Cloud Sync 2.1.0-0484 is required to create a new cloud sync task without authentication error.

What’s New

  1. Added support for file integrity checks when downloading files from OneDrive.
    Improvements
  2. Enhanced algorithm to strengthen the encryption mechanism.

Fixed Issues

  1. Fixed an issue where local sync folder may lost after restoring the snapshot
  2. Fixed an issue where Amazon Cloud Drive may fail when it has no access privilege to a certain file
  3. Fixed a last modified time miscalculation issue resulting from daylight saving
  4. Fixed an issue where Amazon S3 multi-part upload may cause memory leak
  5. Fixed an issue where sync may fail in “Upload local changes only” sync mode
  6. Fixed an issue where files may conflict in “Upload local changes only” sync mode
  7. Fixed an issue where files uploaded to Amazon Cloud Drive may be corrupted
  8. Fixed OneDrive error code 420
  9. Fixed Dropbox error code 301
  10. Fixed Amazon Cloud Drive error codes 409 and 429.

Surveillance Station

Surveillance Station has been updated to version 7.1-4152 with the following changes:

Compatibility and Installation

  1. Surveillance Station 7.1-4152 can only be installed on Synology products running on DSM 5.0 to DSM 5.2.

Fixed Issues

  1. Fixed an issue where the the recordings may not display the file name containing Chinese characters properly when downloaded from “Timeline” or “Smart Search”.
  2. Fixed an issue where the recording rotation may not function properly when a recording size is over 2GB.
  3. Fixed an issue where the camera migration and/or the mounting of recordings from recording servers may not work properly when such servers have joined a domain.
  4. Fixed an issue where IP cameras may not work properly when installed with I/O Module.
  5. Enhanced “Live View” interface stability.
  6. Fixed an issue where, under a few circumstances, the recording files from recording servers in a CMS architecture may not be synced to the host server.
  7. Fixed an issue where the playback of audio from cameras may fail on Safari.
  8. Minor bug fixes.