0.73.2 - Security Incident
Today we are releasing 0.73.2 to fix a security incident. We've discovered that 9 months ago, with the release of Home Assistant 0.56, we misconfigured the SSL context that aiohttp used (PR). By trying to do the right thing (use an up-to-date cert store instead of relying on the system certs), we ended up doing the complete opposite: SSL verification was disabled for outgoing requests that were made using the shared aiohttp session. This is our fault, and not aiohttp's fault. The impact of this is that certain integrations in Home Assistant have been susceptible to man-in-the-middle attacks.
A man-in-the-middle attack is when an attacker is able to inject itself between you and the server you're communicating with, allowing it to read and alter the communication. The odds of this happening at home are very low, yet we wanted to be transparent about this incident.
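As an added illustration (not Home Assistant's or aiohttp's own code), this shows the class of mistake described above: loading a CA bundle into a bare SSLContext, which starts with verification switched off, versus building the context with create_default_context(), plus a preflight check that catches the difference. The cafile argument stands in for a bundled store such as certifi.where(), which is an assumption here and not named in the post.

```python
import ssl
from typing import Optional


def misconfigured_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Illustration of the mistake (not the project's code): a bare
    SSLContext starts with verify_mode=CERT_NONE and check_hostname=False,
    so the CA store loaded below is never consulted and any server
    certificate, including a forged one, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)  # older code spelled this PROTOCOL_SSLv23
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # e.g. certifi.where() (assumed)
    else:
        ctx.load_default_certs()
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Correct way to use a bundled CA store: create_default_context()
    enables CERT_REQUIRED and hostname checking first, then loads the
    chosen bundle (or the system store when cafile is None)."""
    return ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)


def verifies_peers(ctx: ssl.SSLContext) -> bool:
    """Preflight check worth running at startup or in a unit test before a
    context is handed to aiohttp.TCPConnector(ssl=ctx): an outbound client
    context is only safe when both flags are set."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for name, ctx in (("bare SSLContext", misconfigured_context()),
                      ("create_default_context", hardened_context())):
        print(f"{name}: verify_mode={ctx.verify_mode.name} "
              f"check_hostname={ctx.check_hostname} safe={verifies_peers(ctx)}")
```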
After research, the following integrations have been impacted. Although the odds are extremely small, we still suggest that, if you use any of these integrations, you create new API keys or change your password.
- climate.sensibo
- cloud (only short lived tokens impacted)
- device_tracker.automatic
- duckdns
- freedns
- google_assistant (manual setup)
- google_domains
- homematicip_cloud
- image_processing.openalpr_cloud
- microsoft_face
- namecheapdns
- no_ip
- notify.flock
- notify.prowl
- rest_command
- scene.lifx_cloud
- switch.rest
- telegram_bot.polling
- tts.voicerss
Also impacted, but these integrations are read only:
- sensor.airvisual
- sensor.ebox
- sensor.fido
- sensor.foobot
- sensor.hydroquebec
- sensor.startca
- sensor.teksavvy
- sensor.thethingsnetwork
- sensor.tibber
- sensor.waqi
If you are running Home Assistant on a system with Python 3.4, we've created a new release 0.64.4b0 with the patch applied. We have made it available as a beta. To install the pre-release run python3 -m pip install homeassistant==0.64.4b0.
For complete transparency, the following two sets of integrations also used aiohttp to send or retrieve data. However, they either did not transmit authentication credentials or only communicated with local devices and services.
Affected, but not transmitting authentication credentials:
- sensor.buienradar
- sensor.citybikes
- sensor.comed_hourly_pricing
- sensor.luftdaten
- sensor.pollen
- sensor.sochain
- sensor.swiss_public_transport
- sensor.viaggiatreno
- sensor.wunderground
- sensor.yr
- weather.ipma
- tts.google
- tts.yandextts
- updater
Local, so cannot be impacted:
- android_ip_webcam
- apple_tv
- camera.amcrest
- camera.doorbird
- camera.familyhub
- camera.generic
- camera.mjpeg
- camera.proxy
- camera.synology
- deconz
- device_tracker.upc_connect
- hassio
- hue
- media_player.bluesound
- media_player.epson
- media_player.kodi
- media_player.squeezebox
- media_player.volumio
- notify.kodi
- qwikswitch
- rainmachine
- scene.hunterdouglas_powerview
- sensor.netdata
- sensor.pi_hole
- sensor.sma
- sensor.worxlandroid
- spc
- tts.marytts