The last half of July brought four new security bulletins. Some little-used DSM versions have yet to be patched. The Tomcat packages are also vulnerable, and one of them won’t be fixed.
Synology Security Bulletin SA-18:37 Photo Station brings news of a vulnerability that allows a web session hijack in Photo Station. It’s fixed in version 6.8.7-3481 or above for Photo Station 6.1. It’s resolved in version 6.3-2976 or above for Photo Station 6.3.
The Tomcat packages have a vulnerability as described in [Synology Security Bulletin SA-18:38](https://www.synology.com/en-us/support/security/Synology_SA_18_38 "Jump to the Security Bulletin"). There are no plans to fix Tomcat 6. Tomcat 7 is listed as ongoing. Tomcat isn’t needed for the core functions or the most popular packages. Synology recommends you contact them (see the bulletin) if you use Tomcat 7 and are concerned about the vulnerability.
Synology Security Bulletin SA-18:39 covers a vulnerability in DSM. DSM 6.2, DSM 6.1 and Virtual DSM are all patched in their latest update. Other flavors of DSM are still not fixed.
The Synology Application Service has a vulnerability as described in Synology Security Bulletin SA-18:40. Version 1.5.4-0320 or above of the Synology Application Service fixes the vulnerability.
Synology has begun the beta program for Surveillance Station 8.2. More information is here.