Gluon 2021.1.2
==============

Important notes
---------------

This release fixes a **critical security vulnerability** in Gluon's
autoupdater.

Upgrades to v2021.1 and later releases are only supported from releases v2018.2
and later. Migration code for upgrades from older versions has been removed to
simplify maintenance.

Updates
-------

- The Linux kernel was updated to version 4.14.275
- The mac80211 wireless driver stack was updated to a version based on kernel
  4.19.237

Various minor package updates are not listed here and can be found in the commit
log.

Bugfixes
--------

* **[SECURITY]** Autoupdater: Fix signature verification

  A recently discovered issue (CVE-2022-24884) in the *ecdsautils* package
  allows forgery of cryptographic signatures. This vulnerability can be
  exploited to create a manifest accepted by the autoupdater without knowledge
  of the signers' private keys. By intercepting nodes' connections to the update
  server, such a manifest allows malicious firmware updates to be distributed.

  This is a **critical** vulnerability. All nodes with autoupdater must be
  updated. Requiring multiple signatures for an update does *not* mitigate the
  issue.

  As a temporary workaround, the issue can be mitigated on individual nodes by
  disabling the autoupdater via config mode or using the following commands::

    uci set autoupdater.settings.enabled=0
    uci commit autoupdater

  A fixed firmware should be installed manually before enabling the autoupdater
  again.

  See security advisory `GHSA-qhcg-9ffp-78pw
  <https://github.com/freifunk-gluon/ecdsautils/security/advisories/GHSA-qhcg-9ffp-78pw>`_
  for further information on this vulnerability.

* **[SECURITY]** Config Mode: Prevent Cross-Site Request Forgery (CSRF)

  The Config Mode was not validating the *Origin* header of POST requests.
  This allowed arbitrary websites to modify configuration (including SSH keys)
  on a Gluon node in Config Mode reachable from a user's browser by sending POST
  requests with form data to 192.168.1.1.

  The impact of this issue is considered low, as nodes are only vulnerable while
  in Config Mode.

* Config Mode: Fix occasionally hanging page load after submitting the
  configuration wizard, which caused the reboot message and VPN key not to be
  displayed

* Config Mode (OSM): Update default OpenLayers source URL

  The OSM feature of the Config Mode was broken when the default source URL was
  used for OpenLayers, as the old URL has become unavailable. The default was
  updated to a URL that should not become unavailable again.

* Config Mode (OSM): Fix error when using ``"`` character in attribution text

* respondd-module-airtime: Fix respondd crash on devices with disabled WLAN
  interfaces

  Several improvements were made to the error handling of the
  *respondd-module-airtime* package. The "PHY ID" field (introduced in Gluon
  2021.1) was removed again.

* ipq40xx: Fix bad WLAN performance on Plasma Cloud PA1200 and PA2200 devices

* Fix occasional build failure in the "perl" package with a high number of
  threads (``-j32`` or higher)

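The Config Mode CSRF fix above comes down to refusing state-changing requests whose *Origin* does not match the node itself. The following is an added illustration in Python, not Gluon's own Lua code: the function names and the header values are constructed for this example, and a missing or ``null`` Origin is treated as untrusted, with Referer used only as a fallback.

```python
from urllib.parse import urlsplit


def _header(headers, name):
    """Case-insensitive lookup of an HTTP header; None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _source_host(value):
    """Return host[:port] of an Origin/Referer value, or None if unusable.

    A missing header, the literal "null" (sandboxed frames, data: URLs) and
    non-http(s) schemes all count as unusable, i.e. untrusted.
    """
    if not value or value.strip().lower() == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return parts.netloc.lower()


def is_post_allowed(method, headers):
    """Decide whether a Config Mode request may change state (hypothetical helper).

    Safe methods always pass. A POST is accepted only when the browser sent an
    Origin (or, failing that, a Referer) whose host equals the request's Host
    header, i.e. the node's own address such as 192.168.1.1. A foreign site
    cannot set either header, so its cross-site form submission is rejected.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    target = _header(headers, "Host")
    if not target:
        return False
    source = _source_host(_header(headers, "Origin"))
    if source is None:
        source = _source_host(_header(headers, "Referer"))
    return source == target.strip().lower()
```

If the node is reachable on a non-default port, Host and Origin carry the same ``host:port`` form, so the comparison still holds; only a Host header without the port would need normalising.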
Other improvements
------------------

* Several improvements were made to the status page:

  - WLAN channel display does not require the *respondd-module-airtime* package
    anymore
  - The "gateway nexthop" label now links to the status page of the nexthop node
  - The timeout to retrieve information from neighbour nodes was increased,
    making the display of the name of overloaded, slow or otherwise badly
    reachable nodes more likely to succeed

Known issues
------------

* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a
  soft-bricked state due to bad blocks on the NAND flash which the NAND driver
  before this release does not handle well.
  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)

* The integration of the BATMAN_V routing algorithm is incomplete.

  - Mesh neighbors don't appear on the status page.
    (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)

    Many tools have the BATMAN_IV metric hardcoded; these need to be updated to
    account for the new throughput metric.

  - Throughput values are not correctly acquired for different interface types.
    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)

    This affects virtual interface types like bridges and VXLAN.

* Default TX power on many Ubiquiti devices is too high; correct offsets are
  unknown (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)

  Reducing the TX power in the Advanced Settings is recommended.

* In configurations without VXLAN, the MAC address of the WAN interface is
  modified even when Mesh-on-WAN is disabled
  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)

  This may lead to issues in environments where a fixed MAC address is expected
  (like VMware when promiscuous mode is disallowed).