RuneAudio Forum

Hey,

I know that some people won't like this sort of post, but is runeaudio dead? No progress for years.
Maybe there is some new fork? Just wondering if there will be an update soon and if I can help.

Greetz

Dead? Look here http://www.runeaudio.com/forum/runeaudio-0-4-beta-for-raspberry-pi2-3-t4434.html

°pdi° wrote:Dead? Look here http://www.runeaudio.com/forum/runeaudio-0-4-beta-for-raspberry-pi2-3-t4434.html

Thanks for this source.

°pdi° wrote:Dead? Look here http://www.runeaudio.com/forum/runeaudio-0-4-beta-for-raspberry-pi2-3-t4434.html

Why didn't I see this?

It must be a bit hidden.

Great!!!

There are so many forks here. Why did you ask it? There a lot of interesting and useful info on others pages, just seek it better! Have a good day!

Additionally:

* For a PI Zero/B+ version (also works on legacy Pi models), see here: raspberry-pi-zero-support-in-0-4-t3711-70.html#p20577
* For a Pi 2B/3B version with an updated kernel supporting the latest sound cards, see here: runeaudio-0-3-beta-for-raspberry-pi-t502-520.html#p23625
* If you want to upgrade the kernel of the latest development version, see here: post23634.html#p23634

Hello, please take a look at this post.

The versions of RuneAudio on the official downloads page have known unpatched vulnerabilities such as the KRACK wpa2 vulnerability. By default those downloads also come with SSH enabled and a default username/password printed on the public site. There are newer inofficial/beta versions and instructions for updates scattered throughout the forum, but the documentation page doesn't say anything about that.

Shouldn't a notice be put on the downloads/documentation pages that the versions there are end of life and not receiving security updates?

Edit: There is more. In recent weeks there has been news about exploits against localhost/LAN services through DNS rebinding methods by malicious sites through a LAN users browser.See for example this Ars Technica piece
https://arstechnica.com/information-tec ... -computer/

AFAICT RuneAudio could also be vulnerable to such attacks. What could happen? Well for a start an attacker (or their automatic scripts) could access the /dev page and change stuff. Since RuneAudio has no feature for password restricting access to only some LAN devices. But the gap in updates to RuneAudio also increases the risk that there are unpatched vulnerabilities in Arch, PHP, javascript etc that a DNS rebind attacker could exploit through as a second step.

Ditto. I mean no disrespect either, but in the era of web cameras being hijacked for nefarious purposes, security should be a concern as well as audio capabilities and a well designed UI and system.

My hope is that the current development, which we have been anxiously awaiting for 4 years, unseen by any but a chosen few will address security as well as update concerns along with UI and system improvements.

As for Arch updates, it says somewhere in the Arch docs that piecemeal updating of the system is not supported or encouraged. I believe that the packages and their prerequisites as well as a pacman.conf line or 2 may help alleviate this problem. I'm willing to help if asked.

Gearhead

Another DNS rebinding vulnerability against an application with a localhost webserver. This time the utorrent bittorrent client. https://arstechnica.com/information-tec ... downloads/ As I described above it looks like RuneAudio is vulnerable to the same basic method of access.