The OpenWrt Community is proud to announce the ninth service release of the stable OpenWrt 18.06 series. OpenWrt 18.06.9 brings security fixes, as well as the usual device support fixes and core components update.
End of support for OpenWrt 18.06: This release is the final one for OpenWrt 18.06. You should consider upgrading to a newer version (OpenWrt 19.07 or later)
The main highlights of this service release are:
- Security Advisory 2020-12-09-2 - libuci import heap use after free (CVE-2020-28951
- Security Advisory 2020-12-09-1 - Linux kernel - ICMP rate limiting can be used to facilitate DNS poisoning attack (CVE-2020-25705)
- Security Advisory 2020-05-06-2 - relayd out-of-bounds reads of heap data and possible buffer overflow (CVE-2020-11752)
- Security Advisory 2020-05-06-1 - umdns out-of-bounds reads of heap data and possible buffer overflow (CVE-2020-11750)
- ibjson-c: fix out of bounds write vulnerability (CVE-2020-12762)
- mac80211: backport some fixes for the Kr00k vulnerability in WPA. It is not clear which wireless driver/firmware combinations could be vulnerable in OpenWrt. These backported patches harden mac80211 just in case.
- Other security fixes
Note: security fixes for most packages can also be applied by upgrading only the affected packages on running devices, without the need for a full firmware upgrade. This can be done with
opkg update; opkg upgrade the_package_name or through the LuCI web interface.
Nevertheless, we encourage all users to upgrade their devices to OpenWrt 18.06.9 or a newer major release whenever possible.
- libubox: Fix regression that could cause procd to fail to start or restart some services. This is especially visible as it broke LuCI when upgrading from older 18.06.X releases
- musl: fix locking synchronization bug
- kernel: backport out-of-memory fix for non-Ethernet devices
- firewall: fix TCP MSS clamping that was only applied on one direction
- brcm63xx: fix BCM6348/BCM6358 hangs while booting
- ipq40xx: fix essedma MAC hang by disabling TCP segmentation offload for IPv6
- ramips: fix USB detection on all rt305x devices
- mikrotik: add support for the new ath9k caldata encoding (LZO) found in newer hardware revisions
- Various fixes for ZyXEL Keenetic, ZyXEL NBG6616, TP-Link Archer C60 v1/v2, GL.iNet GL-AR750S, Embedded Wireless Dorin, Pirelli A226M-FWB, Arduino Yun
Core components update
- Linux kernel updated from 4.9.214 to 4.9.243 and from 4.14.171 to 4.14.206
- mbedtls updated from 2.16.4 to 2.16.8
- wireguard updated from 0.0.20190601 to 1.0.20200611
To download a OpenWrt 18.06.9 firmware image for your device, navigate directly in the list of firmware images.
Finally, we have a new mailing list for important announcements and security advisories. Announcements should also be posted to this forum section.
As always, a big thank you goes to all our active package maintainers, testers, documenters, and supporters.
The OpenWrt Community