docs: import v2021.1.2 release notes and update README
parent
9aaeda8df3
commit
605c7e0806
@ -30,7 +30,7 @@ the future development of Gluon.
|
|||||||
|
|
||||||
Please refrain from using the `master` branch for anything else but development purposes!
|
Please refrain from using the `master` branch for anything else but development purposes!
|
||||||
Use the most recent release instead. You can list all releases by running `git tag`
|
Use the most recent release instead. You can list all releases by running `git tag`
|
||||||
and switch to one by running `git checkout v2021.1 && make update`.
|
and switch to one by running `git checkout v2021.1.2 && make update`.
|
||||||
|
|
||||||
If you're using the autoupdater, do not autoupdate nodes with anything but releases.
|
If you're using the autoupdater, do not autoupdate nodes with anything but releases.
|
||||||
If you upgrade using random master commits the nodes *might break* eventually.
|
If you upgrade using random master commits the nodes *might break* eventually.
|
||||||
|
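Review bot: The example tag in `git checkout v2021.1.2 && make update` is hardcoded, and the removed line still read `v2021.1` although the release notes index touched in this same commit already lists v2021.1.1, so this line was not bumped for that release. Consider a placeholder such as `git checkout <release tag> && make update`, or make the README bump an explicit step of the release procedure, so that "Use the most recent release instead" and the example cannot disagree again.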
@ -5,6 +5,7 @@ Release Notes
|
|||||||
:caption: Gluon 2021.1
|
:caption: Gluon 2021.1
|
||||||
:maxdepth: 2
|
:maxdepth: 2
|
||||||
|
|
||||||
|
v2021.1.2
|
||||||
v2021.1.1
|
v2021.1.1
|
||||||
v2021.1
|
v2021.1
|
||||||
|
|
||||||
|
131
docs/releases/v2021.1.2.rst
Normal file
@ -0,0 +1,131 @@
|
|||||||
|
Gluon 2021.1.2
|
||||||
|
==============
|
||||||
|
|
||||||
|
Important notes
|
||||||
|
---------------
|
||||||
|
|
||||||
|
This release fixes a **critical security vulnerability** in Gluon's
|
||||||
|
autoupdater.
|
||||||
|
|
||||||
|
Upgrades to v2021.1 and later releases are only supported from releases v2018.2
|
||||||
|
and later. Migration code for upgrades from older versions has been removed to
|
||||||
|
simplify maintenance.
|
||||||
|
|
||||||
|
|
||||||
|
Updates
|
||||||
|
-------
|
||||||
|
|
||||||
|
- The Linux kernel was updated to version 4.14.275
|
||||||
|
- The mac80211 wireless driver stack was updated to a version based on kernel
|
||||||
|
4.19.237
|
||||||
|
|
||||||
|
Various minor package updates are not listed here and can be found in the commit
|
||||||
|
log.
|
||||||
|
|
||||||
|
|
||||||
|
Bugfixes
|
||||||
|
--------
|
||||||
|
|
||||||
|
* **[SECURITY]** Autoupdater: Fix signature verification
|
||||||
|
|
||||||
|
A recently discovered issue (CVE-2022-24884) in the *ecdsautils* package
|
||||||
|
allows forgery of cryptographic signatures. This vulnerability can be
|
||||||
|
exploited to create a manifest accepted by the autoupdater without knowledge
|
||||||
|
of the signers' private keys. By intercepting nodes' connections to the update
|
||||||
|
server, such a manifest allows to distribute malicious firmware updates.
|
||||||
|
|
||||||
|
This is a **critical** vulnerability. All nodes with autoupdater must be
|
||||||
|
updated. Requiring multiple signatures for an update does *not* mitigate the
|
||||||
|
issue.
|
||||||
|
|
||||||
|
As a temporary workaround, the issue can be mitigated on individual nodes by
|
||||||
|
disabling the autoupdater via config mode or using the following commands::
|
||||||
|
|
||||||
|
uci set autoupdater.settings.enabled=0
|
||||||
|
uci commit autoupdater
|
||||||
|
|
||||||
|
A fixed firmware should be installed manually before enabling the autoupdater
|
||||||
|
again.
|
||||||
|
|
||||||
|
See security advisory `GHSA-qhcg-9ffp-78pw
|
||||||
|
<https://github.com/freifunk-gluon/ecdsautils/security/advisories/GHSA-qhcg-9ffp-78pw>`_
|
||||||
|
for further information on this vulnerability.
|
||||||
|
|
||||||
|
* **[SECURITY]** Config Mode: Prevent Cross-Site Request Forgery (CSRF)
|
||||||
|
|
||||||
|
The Config Mode was not validating the *Origin* header of POST requests.
|
||||||
|
This allowed arbitrary websites to modify configuration (including SSH keys)
|
||||||
|
on a Gluon node in Config Mode reachable from a user's browser by sending POST
|
||||||
|
requests with form data to 192.168.1.1.
|
||||||
|
|
||||||
|
The impact of this issue is considered low, as nodes are only vulnerable while
|
||||||
|
in Config Mode.
|
||||||
|
|
||||||
|
* Config Mode: Fix occasionally hanging page load after submitting the
|
||||||
|
configuration wizard causing the reboot message and VPN key not to be
|
||||||
|
displayed
|
||||||
|
|
||||||
|
* Config Mode (OSM): Update default OpenLayers source URL
|
||||||
|
|
||||||
|
The OSM feature of the Config Mode was broken when the default source URL was
|
||||||
|
used for OpenLayers, as the old URL has become unavailable. The default was
|
||||||
|
updated to a URL that should not become unavailable again.
|
||||||
|
|
||||||
|
* Config Mode (OSM): Fix error when using ``"`` character in attribution text
|
||||||
|
|
||||||
|
* respondd-module-airtime: Fix respondd crash on devices with disabled WLAN
|
||||||
|
interfaces
|
||||||
|
|
||||||
|
Several improvements were made to the error handling of the
|
||||||
|
*respondd-module-airtime* package. The "PHY ID" field (introduced in Gluon
|
||||||
|
2021.1) was removed again.
|
||||||
|
|
||||||
|
* ipq40xx: Fix bad WLAN performance on Plasma Cloud PA1200 and PA2200 devices
|
||||||
|
|
||||||
|
* Fix occasional build failure in "perl" package with high number of threads
|
||||||
|
(``-j32`` or higher)
|
||||||
|
|
||||||
|
|
||||||
|
Other improvements
|
||||||
|
------------------
|
||||||
|
|
||||||
|
* Several improvements were made to the status page:
|
||||||
|
|
||||||
|
- WLAN channel display does not require the *respondd-module-airtime* package
|
||||||
|
anymore
|
||||||
|
- The "gateway nexthop" label now links to the status page of the nexthop node
|
||||||
|
- The timeout to retrieve information from neighbour nodes was increased,
|
||||||
|
making the display of the name
|
||||||
|
of overloaded, slow or otherwise badly reachable nodes more likely to
|
||||||
|
succeed
|
||||||
|
|
||||||
|
|
||||||
|
Known issues
|
||||||
|
------------
|
||||||
|
|
||||||
|
* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a
|
||||||
|
soft-bricked state due to bad blocks on the NAND flash which the NAND driver
|
||||||
|
before this release does not handle well.
|
||||||
|
(`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
|
||||||
|
|
||||||
|
* The integration of the BATMAN_V routing algorithm is incomplete.
|
||||||
|
|
||||||
|
- Mesh neighbors don't appear on the status page.
|
||||||
|
(`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
|
||||||
|
Many tools have the BATMAN_IV metric hardcoded, these need to be updated to
|
||||||
|
account for the new throughput metric.
|
||||||
|
- Throughput values are not correctly acquired for different interface types.
|
||||||
|
(`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
|
||||||
|
This affects virtual interface types like bridges and VXLAN.
|
||||||
|
|
||||||
|
* Default TX power on many Ubiquiti devices is too high, correct offsets are
|
||||||
|
unknown (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
|
||||||
|
|
||||||
|
Reducing the TX power in the Advanced Settings is recommended.
|
||||||
|
|
||||||
|
* In configurations without VXLAN, the MAC address of the WAN interface is
|
||||||
|
modified even when Mesh-on-WAN is disabled
|
||||||
|
(`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
|
||||||
|
|
||||||
|
This may lead to issues in environments where a fixed MAC address is expected
|
||||||
|
(like VMware when promiscuous mode is disallowed).
|
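Review bot: The autoupdater entry under Bugfixes says "All nodes with autoupdater must be updated" but never states which Gluon releases are affected, so an operator cannot tell from these notes whether a given node needs the workaround; name the affected range here or say explicitly that it is given in the linked advisory. The workaround block shows only `uci set autoupdater.settings.enabled=0` and `uci commit autoupdater`; since the next sentence tells readers to enable the autoupdater again after installing fixed firmware manually, show the matching re-enable step as well. "Important notes" mentions the vulnerability without the CVE id or the statement that requiring multiple signatures does not mitigate it, so a pointer to the Bugfixes entry would help readers who stop at the top. Wording: "such a manifest allows to distribute" reads better as "such a manifest can be used to distribute". In Known issues, the EdgeRouter-X item says "the NAND driver before this release" next to "versions before v2020.1.x", which leaves unclear which release is meant.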