SSH CVEs and update in General

Hey guys :wave: ,

I’ve been a long-time user of TrueNAS SCALE (since the first alpha), had to create a new login as it seems everything was closed or migrated (slack, forums, etc…) :sweat_smile:

Qualys just released 2 CVEs for SSH [0]

  • CVE-2025-26466
  • CVE-2025-26465

They are tracked and solved in Debian on the security-tracker [1].

You’re probably already aware but I think a lot of people will be pushing for this to be released and that’s why I wanted to (re-)open a discussion about updates in general.

I understand your business decision to disable apt completely and ask people to wait for official tested upgrades, but this is putting unnecessary pressure on your team while you could rely on upstream security support.

Why not add the security.debian.org repo by default? This would allow people to get security-only patches on the release day, which was probably agreed between Qualys and the Linux distros but not with you guys, I guess.

Just a thought.
Keep on the great work :bowing_man:

Letic

PS:
Seems we can’t post links so I removed them
[0]: https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466
[1]: https://security-tracker.debian.org/tracker/source-package/openssh

CVE-2025-26465 and CVE-2025-26466 are medium-level issues (rather than high or critical) for the following reasons:

CVE-2025-26465: The OpenSSH server is only vulnerable if the VerifyHostKeyDNS option is set. This option is not set by default, so a user would have to go to some trouble to be vulnerable to this issue.

CVE-2025-26466: This vulnerability is more of a denial of service / resource hog sort of attack. It’s concerning, but not dangerous like an RCE would be. In the meantime, until we get these fixes into a later release, the best mitigation would be to make sure your NAS is not reachable from the internet in general. (And that’s always the best advice.)

We did know about these particular CVEs – SSH issues in general are very closely watched. But we do appreciate the heads-up, too, so don’t let that keep you from making suggestions.

-Bill
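A check for the precondition Bill describes, added here as an example and not code from the thread or from TrueNAS: it parses an OpenSSH client config file and reports whether VerifyHostKeyDNS is enabled. The config path and the sample config are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Reports "enabled" when any active
# VerifyHostKeyDNS line in an OpenSSH client config is set to yes or ask,
# which are the values that turn the DNS host-key lookup on.
# Conservative: it flags the option even if it only sits under a specific
# Host block, and it ignores ssh_config's first-match precedence.
check_verifyhostkeydns() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "unreadable: $cfg" >&2; return 2; }
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }       # drop comments, allow key=value
        tolower($1) == "verifyhostkeydns" {       # keywords are case-insensitive
            v = tolower($2)
            if (v == "yes" || v == "ask") found = 1
        }
        END { print (found ? "enabled" : "disabled") }
    ' "$cfg"
}

# Demo on a constructed config (placeholder content, not a real host's file).
demo_cfg=$(mktemp)
printf '%s\n' \
    '# VerifyHostKeyDNS yes   <- commented out, must not count' \
    'Host *' \
    '    ForwardAgent no' \
    '    VerifyHostKeyDNS=ask' > "$demo_cfg"
echo "constructed sample: $(check_verifyhostkeydns "$demo_cfg")"   # enabled
rm -f "$demo_cfg"
# On a real system: check_verifyhostkeydns /etc/ssh/ssh_config
```

A "disabled" result matches Bill's description of the default; "enabled" means the option was deliberately set and is worth reviewing before the patched package lands.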

Hey Bill :wave:,

As I said, I don’t really care myself about the CVE.

I was more interested in the upgrade discussion in general.

I have seen several threads where the community was pressing for an update because of some security vulnerability and thought it might be more sustainable to have a way to push upstream updates to the repos rather than having to do a full release :man_shrugging:

Letic

How do you stop someone from adding other repos and updating other silly packages?

Then again, you could run a VM/jail/container of the OS with updates - then copy it back into TrueNAS itself.

Disclaimer: I don’t work with iX, or on TrueNAS, only an experienced user.

Part of the issue with adding external Distro Repos is that they are not tested with the existing software.

For example, a security update to Python for local user elevation is not too much of a concern for TrueNAS. However, that update might break something in TrueNAS’ Middleware. You might not think that some minor issue with the GUI or TUI caused by such an update is anything to worry about. But, iX is in the business of Enterprise Data Center NAS servers where any issue, minor or major, in the software is something to either support or fix.

Next, while iX is looking at twice-a-year large / major updates for TrueNAS SCALE, there is nothing stopping minor updates. These would be tested and fully supported, unlike an external security update that a user installed.

So, what this boils down to, is that the free users want faster updates, and are willing to risk minor (or major) issues, yet iX can’t risk that for its Enterprise customers.

This is not the first, 10th or possibly 100th time this type of issue has come up. Ever since iX released a Linux based TrueNAS, (SCALE), some people think SCALE is a Linux distro. Or that it should be easily or fully modifiable. None of that is the case. TrueNAS is more like a firmware for a targeted purpose.

On the bright side, iX does listen to free users, and will implement suggestions. Plus, free users do help in quality control by reporting bugs before the Enterprise users even get the paperwork ready for updates.


Thanks for taking the time to answer @Arwen and @somethingweird :blush:

I know Scale quite well as I’ve been using it since January 2021 on my new Ryzen server. And before that I used the old FreeNAS/NAS4Free for more than 10 years :older_man:

As I didn’t want to use K8s, I have a fully automated solution with Ansible roles for TrueNAS to install and create LXCs and rebuild my full infrastructure. So believe me, I went through all the gradual APT lockdown with each new version first hand :sweat_smile:

I still think that they could curate some security update packages for things that have a lower impact risk (like SSH). This would allow updating some packages in between minor versions and prevent people from being vulnerable because they don’t want to go through a full upgrade.

For fun I tried to add the Bookworm security repo to my instance and saw that some dependencies were missing, so it seems that they actually diverged from the Debian upstream repos, which makes my idea impractical.

Anyway, it was just an idea as I’ve suffered the drawbacks of the “Appliance” mode with FreeNAS/NAS4Free and others, and I think a hybrid mode would make sense as it would be quite easy to do on a deb-based system like SCALE.

I will continue fiddling on my side to see if it’s possible.

Cheers
Letic