gluon/docs/releases/v2021.1.2.rst

132 lines
4.8 KiB
ReStructuredText

Gluon 2021.1.2 (unreleased)
===========================
Important notes
---------------
This release fixes a **critical security vulnerability** in Gluon's
autoupdater.
Upgrades to v2021.1 and later releases are only supported from releases v2018.2
and later. Migration code for upgrades from older versions has been removed to
simplify maintenance.
Updates
-------
- The Linux kernel was updated to version 4.14.275
- The mac80211 wireless driver stack was updated to a version based on kernel
4.19.237
Various minor package updates are not listed here and can be found in the commit
log.
Bugfixes
--------
* **[SECURITY]** Autoupdater: Fix signature verification
A recently discovered issue (CVE-2022-24884) in the *ecdsautils* package
allows forgery of cryptographic signatures. This vulnerability can be
exploited to create a manifest accepted by the autoupdater without knowledge
of the signers' private keys. By intercepting nodes' connections to the update
server, such a manifest allows to distribute malicious firmware updates.
This is a **critical** vulnerability. All nodes with autoupdater must be
updated. Requiring multiple signatures for an update does *not* mitigate the
issue.
As a temporary workaround, the issue can be mitigated on individual nodes by
disabling the autoupdater via config mode or using the following commands::
uci set autoupdater.settings.enabled=0
uci commit autoupdater
A fixed firmware should be installed manually before enabling the autoupdater
again.
See security advisory `GHSA-qhcg-9ffp-78pw
<https://github.com/freifunk-gluon/ecdsautils/security/advisories/GHSA-qhcg-9ffp-78pw>`_
for further information on this vulnerability.
* **[SECURITY]** Config Mode: Prevent Cross-Site Request Forgery (CSRF)
The Config Mode was not validating the *Origin* header of POST requests.
This allowed arbitrary websites to modify configuration (including SSH keys)
on a Gluon node in Config Mode reachable from a user's browser by sending POST
requests with form data to 192.168.1.1.
The impact of this issue is considered low, as nodes are only vulnerable while
in Config Mode.
* Config Mode: Fix occasionally hanging page load after submitting the
configuration wizard causing the reboot message and VPN key not to be
displayed
* Config Mode (OSM): Update default OpenLayers source URL
The OSM feature of the Config Mode was broken when the default source URL was
used for OpenLayers, as the old URL has become unavailable. The default was
updated to a URL that should not become unavailable again.
* Config Mode (OSM): Fix error when using ``"`` character in attribution text
* respondd-module-airtime: Fix respondd crash on devices with disabled WLAN
interfaces
Several improvements were made to the error handling of the
*respondd-module-airtime* package. The "PHY ID" field (introduced in Gluon
2021.1) was removed again.
* ipq40xx: Fix bad WLAN performance on Plasma Cloud PA1200 and PA2200 devices
* Fix occasional build failure in "perl" package with high number of threads
(``-j32`` or higher)
Other improvements
------------------
* Several improvements were made to the status page:
- WLAN channel display does not require the *respondd-module-airtime* package
anymore
- The "gateway nexthop" label now links to the status page of the nexthop node
- The timeout to retrieve information from neighbour nodes was increased,
making the display of the name
of overloaded, slow or otherwise badly reachable nodes more likely to
succeed
Known issues
------------
* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a
soft-bricked state due to bad blocks on the NAND flash which the NAND driver
before this release does not handle well.
(`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
* The integration of the BATMAN_V routing algorithm is incomplete.
- Mesh neighbors don't appear on the status page.
(`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
Many tools have the BATMAN_IV metric hardcoded, these need to be updated to
account for the new throughput metric.
- Throughput values are not correctly acquired for different interface types.
(`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
This affects virtual interface types like bridges and VXLAN.
* Default TX power on many Ubiquiti devices is too high, correct offsets are
unknown (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
Reducing the TX power in the Advanced Settings is recommended.
* In configurations without VXLAN, the MAC address of the WAN interface is
modified even when Mesh-on-WAN is disabled
(`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
This may lead to issues in environments where a fixed MAC address is expected
(like VMware when promiscuous mode is disallowed).