There have been two security bulletins (and related updates) so far this month. If you use Media Server, you’ll want to update. People running Media Server 1.4 will want to be on version 1.4-2654 or above, while those running Media Server 1.7 will want to be on version 1.7.6-2842 or above. The vulnerability allows a remote attacker to carry out SQL injection attacks. The security bulletin is Synology SA-18:04 Media Server. This vulnerability earns its “Important” rating since it can be exploited remotely and without any user authentication.
The relatively new Synology Drive has a moderate vulnerability that allows authenticated users to inject arbitrary web scripts. The vulnerability is only rated as Moderate since it does require user authentication. Upgrade to Drive 1.0.1-10253 or higher for the patch. See Synology SA 18:05 Drive for more information. (I’ll just briefly mention that this Drive update triggered a large sync on two Macs, but not on any Android or iOS devices.)
The Calendar package also had a vulnerability identified in security bulletin Synology SA 18:06 Calendar. Like the Drive vulnerability, it allows authenticated users to inject arbitrary web scripts and is rated “Moderate” by Synology. It’s version 2.1.1-0502 (or above) that includes the fix.
Synology also released DSM 6.1.5-1254, which includes a few security updates along with minor enhancements and some bug fixes.
For businesses needing a lot of storage in a rack-mountable form factor, Synology has released the Synology RS218RP+ NAS. It’s a 3U RackStation with 16 drive bays, expandable to 28 bays.