Merge pull request #2503 from freifunk-gluon/import-release-notes
Import v2021.1.2 release notes, README / copyright updates
This commit is contained in:
commit
6ccd7c587b
2
LICENSE
2
LICENSE
@ -1,7 +1,7 @@
|
||||
The code of Project Gluon may be distributed under the following terms, unless
|
||||
noted otherwise in individual files or subtrees.
|
||||
|
||||
Copyright (c) 2013-2021, Project Gluon
|
||||
Copyright (c) 2013-2022, Project Gluon
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
|
@ -30,7 +30,7 @@ the future development of Gluon.
|
||||
|
||||
Please refrain from using the `master` branch for anything else but development purposes!
|
||||
Use the most recent release instead. You can list all releases by running `git tag`
|
||||
and switch to one by running `git checkout v2021.1 && make update`.
|
||||
and switch to one by running `git checkout v2021.1.2 && make update`.
|
||||
|
||||
If you're using the autoupdater, do not autoupdate nodes with anything but releases.
|
||||
If you upgrade using random master commits the nodes *might break* eventually.
|
||||
|
@ -20,7 +20,7 @@
|
||||
# -- Project information -----------------------------------------------------
|
||||
|
||||
project = 'Gluon'
|
||||
copyright = '2015-2021, Project Gluon'
|
||||
copyright = '2015-2022, Project Gluon'
|
||||
author = 'Project Gluon'
|
||||
|
||||
# The short X.Y version
|
||||
|
@ -5,6 +5,7 @@ Release Notes
|
||||
:caption: Gluon 2021.1
|
||||
:maxdepth: 2
|
||||
|
||||
v2021.1.2
|
||||
v2021.1.1
|
||||
v2021.1
|
||||
|
||||
|
131
docs/releases/v2021.1.2.rst
Normal file
131
docs/releases/v2021.1.2.rst
Normal file
@ -0,0 +1,131 @@
|
||||
Gluon 2021.1.2
|
||||
==============
|
||||
|
||||
Important notes
|
||||
---------------
|
||||
|
||||
This release fixes a **critical security vulnerability** in Gluon's
|
||||
autoupdater.
|
||||
|
||||
Upgrades to v2021.1 and later releases are only supported from releases v2018.2
|
||||
and later. Migration code for upgrades from older versions has been removed to
|
||||
simplify maintenance.
|
||||
|
||||
|
||||
Updates
|
||||
-------
|
||||
|
||||
- The Linux kernel was updated to version 4.14.275
|
||||
- The mac80211 wireless driver stack was updated to a version based on kernel
|
||||
4.19.237
|
||||
|
||||
Various minor package updates are not listed here and can be found in the commit
|
||||
log.
|
||||
|
||||
|
||||
Bugfixes
|
||||
--------
|
||||
|
||||
* **[SECURITY]** Autoupdater: Fix signature verification
|
||||
|
||||
A recently discovered issue (CVE-2022-24884) in the *ecdsautils* package
|
||||
allows forgery of cryptographic signatures. This vulnerability can be
|
||||
exploited to create a manifest accepted by the autoupdater without knowledge
|
||||
of the signers' private keys. By intercepting nodes' connections to the update
|
||||
server, such a manifest allows to distribute malicious firmware updates.
|
||||
|
||||
This is a **critical** vulnerability. All nodes with autoupdater must be
|
||||
updated. Requiring multiple signatures for an update does *not* mitigate the
|
||||
issue.
|
||||
|
||||
As a temporary workaround, the issue can be mitigated on individual nodes by
|
||||
disabling the autoupdater via config mode or using the following commands::
|
||||
|
||||
uci set autoupdater.settings.enabled=0
|
||||
uci commit autoupdater
|
||||
|
||||
A fixed firmware should be installed manually before enabling the autoupdater
|
||||
again.
|
||||
|
||||
See security advisory `GHSA-qhcg-9ffp-78pw
|
||||
<https://github.com/freifunk-gluon/ecdsautils/security/advisories/GHSA-qhcg-9ffp-78pw>`_
|
||||
for further information on this vulnerability.
|
||||
|
||||
* **[SECURITY]** Config Mode: Prevent Cross-Site Request Forgery (CSRF)
|
||||
|
||||
The Config Mode was not validating the *Origin* header of POST requests.
|
||||
This allowed arbitrary websites to modify configuration (including SSH keys)
|
||||
on a Gluon node in Config Mode reachable from a user's browser by sending POST
|
||||
requests with form data to 192.168.1.1.
|
||||
|
||||
The impact of this issue is considered low, as nodes are only vulnerable while
|
||||
in Config Mode.
|
||||
|
||||
* Config Mode: Fix occasionally hanging page load after submitting the
|
||||
configuration wizard causing the reboot message and VPN key not to be
|
||||
displayed
|
||||
|
||||
* Config Mode (OSM): Update default OpenLayers source URL
|
||||
|
||||
The OSM feature of the Config Mode was broken when the default source URL was
|
||||
used for OpenLayers, as the old URL has become unavailable. The default was
|
||||
updated to a URL that should not become unavailable again.
|
||||
|
||||
* Config Mode (OSM): Fix error when using ``"`` character in attribution text
|
||||
|
||||
* respondd-module-airtime: Fix respondd crash on devices with disabled WLAN
|
||||
interfaces
|
||||
|
||||
Several improvements were made to the error handling of the
|
||||
*respondd-module-airtime* package. The "PHY ID" field (introduced in Gluon
|
||||
2021.1) was removed again.
|
||||
|
||||
* ipq40xx: Fix bad WLAN performance on Plasma Cloud PA1200 and PA2200 devices
|
||||
|
||||
* Fix occasional build failure in "perl" package with high number of threads
|
||||
(``-j32`` or higher)
|
||||
|
||||
|
||||
Other improvements
|
||||
------------------
|
||||
|
||||
* Several improvements were made to the status page:
|
||||
|
||||
- WLAN channel display does not require the *respondd-module-airtime* package
|
||||
anymore
|
||||
- The "gateway nexthop" label now links to the status page of the nexthop node
|
||||
- The timeout to retrieve information from neighbour nodes was increased,
|
||||
making the display of the name
|
||||
of overloaded, slow or otherwise badly reachable nodes more likely to
|
||||
succeed
|
||||
|
||||
|
||||
Known issues
|
||||
------------
|
||||
|
||||
* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a
|
||||
soft-bricked state due to bad blocks on the NAND flash which the NAND driver
|
||||
before this release does not handle well.
|
||||
(`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
|
||||
|
||||
* The integration of the BATMAN_V routing algorithm is incomplete.
|
||||
|
||||
- Mesh neighbors don't appear on the status page.
|
||||
(`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
|
||||
Many tools have the BATMAN_IV metric hardcoded, these need to be updated to
|
||||
account for the new throughput metric.
|
||||
- Throughput values are not correctly acquired for different interface types.
|
||||
(`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
|
||||
This affects virtual interface types like bridges and VXLAN.
|
||||
|
||||
* Default TX power on many Ubiquiti devices is too high, correct offsets are
|
||||
unknown (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
|
||||
|
||||
Reducing the TX power in the Advanced Settings is recommended.
|
||||
|
||||
* In configurations without VXLAN, the MAC address of the WAN interface is
|
||||
modified even when Mesh-on-WAN is disabled
|
||||
(`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
|
||||
|
||||
This may lead to issues in environments where a fixed MAC address is expected
|
||||
(like VMware when promiscuous mode is disallowed).
|
Loading…
Reference in New Issue
Block a user