Rohan and Phil discuss the 2021.2 release, the security vulnerabilities announced in January 2021, and the new Z-wave JS integration
This month for the first time Home Assistant issued two critical security patches.
Vulnerable to a directory traversal attack via an unauthenticated webview, allowing an attacker to access any file that is accessible by the Home Assistant process. This access includes any credential that you might have stored to allow Home Assistant to access other services (hello secrets.yaml!).
- On January 14th Home Assistant released 2021.1.3 to address a security issue identified with custom components.
- On January 2th Home Assistant released 2021.1.5 to address an additional security issue
- Nabu Casa is blocking remote access to instances older than 2021.1.5 which may be vulnerable
- Security issues were identified with the Home Assistant Community Store (HACS) and several custom components contained within it. If you have HACS installed, or running one of the affected custom components you should upgrade immediately
- Affected custom components include Dwains Lovelace Dashboard, Font Awesome, BWalarm, Simple Icons, Custom Icons, Hass-album and Custom Updater.
Feedback from last episode
- Billy from Episode 70 reminded us that he uses a Garbage Collection Custom Component from Bruxy70.
- Erwin has taken it a step further! Erwin has different schedules for waste, paper, compost and plastic waste collection.Erwin has designed a 3D model of a wheelie bin, with a translucent lid. Using a D1 mini and some LED’s, the mini wheelie bin will flash the colour lid of the bin that needs to go out that week.
Erwin’s Thingiverse: https://www.thingiverse.com/thing:4724584
Alternatives to Dark Sky
Fuzzy Mistborn reached out to us about Dark Sky replacements, and has a few on their blog (links in the show notes) https://blog.fuzzymistborn.com/weather-in-a-post-darksky-world/
Dwain’s Lovelace Dashboard
A brand new Z-wave integration with Home Assistant. You’ll need to be running a Z-wave JS server already. There is an official addon from the Home Assistant Supervisor’s add-on store.
- Allow input_number entity_id as for numeric_state trigger thresholds
- Add service to lock/unlock Sure Petcare pet flaps
- “Significant Changes” for Google Home and Amazon Echo
Home Assistant now has the concept of a significant change. Essentially Home Assistant will prevent reporting small changes to sensors in the recorder and voice assistants. So if a temperature sensor only changes by point 1 of a degree, then that change won’t be sent to Google Home or Amazon Echo.
This should reduce the amount of traffic flowing around these devices, making everything perform a bit better.
- New services added to input_select elements
You can now choose to “cycle” through an input select, or “select first” or “select last” options.
- New service to move Foscam PTZ cameras to a preset
- Logitech Harmony Hub now adds switches for activities
- August, Roomba, DoorBird, Logitech Harmony Hub, Network UPS Tools (NUT), MyQ, Nexia, Hunter Douglas PowerView, Rachio, Tesla Powerwall, NuHeat, have fully transitioned to configuration via UI.
YAML configuration has been removed. Existing YAML configuration has already been imported automatically in the previous releases and can now safely be removed from your configuration files.
- Support for Python 3.7 has been dropped, after being deprecated since Home Assistant 0.116.
- The old zwave integration is now considered legacy and deprecated.
This integration is still based on OpenZwave 1.4, which has been out of active maintenance for quite some time now.
- The plex.play_on_sonos service has been removed and functionality moved to the built-in media_player.play_media service.Existing service payloads can be used as-is after prepending the media_content_id with plex://.
- The speed of the Dyson Pure Cool Link fan is now one of low, medium, and high instead of the original auto and integer 1 to 10.
In order to set the fan speed more precisely and switch auto mode, you should use the services dyson.set_speed and dyson.set_auto_mode.
- RainMachine services now require an entity_id, an area_id, or a device_id parameter to be provided.
You need to check your automations to make sure all RainMachine service calls have those.