Updating OpenWRT due to security issues

5

OpenWRT, like any other operating system, suffers from security issues. OpenSSL, for example, appears to have new bugs every month.

I use my router as the termination point for openvpn (one of the few external points that terminate on the router, rather than forward to another machine). This has package dependencies (e.g. on openssl).

Are there patches available? I can run

opkg update
opkg list-upgradable

and get zero results. I'm assuming this is because the default repos are static and don't get updated.

So, finally, the question:

Are updates available for OpenWRT, without needing to reflash the whole machine to the latest/greatest (beta?) version?

Stephen Harris

Posted 2016-09-05T23:28:25.113

Reputation: 198

Answers

3

Updating OpenWrt requires reflashing each time there is an update to apply, except in the case where you have deliberately placed the root filesystem on external storage (e.g. USB drive).

However, even in this configuration, the maintainers recommend you not do it:

Recommended by extroot maintainer

I recommend that you DO NOT try to do upgrades using opkg upgrade. You will likely end up with an inconsistent state and bricked router that way:

  • The main reason is that the uClibc ABI (Application Binary Interface) is unstable and changes from revision to revision, so binaries for one version of uClibc may be incompatible with versions from another.
  • Another problem that can arise is if you try to upgrade the kernel packages, then flash and reboot, but your operation is interrupted in any way, then you will have a kernel and module mismatch and likely a brick.
  • Finally, if you upgrade all packages but the kernel and the kernel modules, some packages like iptables will be broken.

Michael Hampton

Posted 2016-09-05T23:28:25.113

Reputation: 11 744

OK, thanks. The "security" side of me isn't happy and I may need to find an alternative firmware. Ah well. – Stephen Harris – 2016-09-06T18:12:14.803

There is no alternative firmware that will do what you seem to want. This is just a fact of life for embedded devices. – Michael Hampton – 2016-09-06T20:09:51.133

LEDE seems to do that. Though, I never used it myself. – Konrad – 2017-07-13T16:52:22.700

@MichaelHampton This is incorrect. OpenWrt uses the JFFS2 filesystem which allows modifying the root filesystem indirectly, even without an external USB device. Data can never be truly deleted, so each write (whether creating or deleting files) fills it up a little more. – forest – 2018-04-14T02:41:08.910

@forest that's entirely true, but it's also entirely irrelevant. – Michael Hampton – 2018-04-14T02:52:06.363

How is it irrelevant? Your statement that OpenWrt requires reflashing for every update is incorrect. – forest – 2018-04-14T02:54:31.503
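
A read-only way to apply the answer's three warnings to the question's `opkg list-upgradable` output, added here as an example (not code from the posts or from OpenWrt): it labels each upgradable package as kernel or kernel module, C library, iptables, or other userland. The package-name patterns and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Read-only triage of `opkg list-upgradable` output; nothing is installed.
# Input lines look like: "<package> - <installed> - <available>".
# A class names which of the answer's warnings applies; USERLAND means
# none of the three patterns matched, not that the upgrade is safe.

classify_upgradable() {
    while IFS= read -r line; do
        case "$line" in
            *" - "*" - "*) ;;      # well-formed entry
            *) continue ;;         # skip blanks and other output
        esac
        pkg=${line%% - *}
        rest=${line#* - }
        old=${rest%% - *}
        new=${rest#* - }
        case "$pkg" in             # name patterns are assumptions
            kernel|kmod-*) class=KERNEL ;;          # kernel/module mismatch
            libc|uclibc*)  class=LIBC ;;            # C library ABI change
            iptables*)     class=KERNEL-COUPLED ;;  # breaks without matching kernel
            *)             class=USERLAND ;;
        esac
        printf '%s %s %s %s\n' "$class" "$pkg" "$old" "$new"
    done
}

# Count classified lines (on stdin) that carry the class given as $1.
count_class() {
    grep -c "^$1 " || true
}

# Constructed sample; package versions are made up for illustration.
sample_upgradable() {
    cat <<'EOF'
libopenssl - 1.0.0-1 - 1.0.0-2
openvpn-openssl - 2.0.0-1 - 2.0.0-2
kmod-tun - 3.0.0-1 - 3.0.0-2
libc - 0.9.0-1 - 0.9.0-2
iptables - 1.4.0-1 - 1.4.0-2
EOF
}

# On a router (after `opkg update`) use the live list, else the sample.
if command -v opkg >/dev/null 2>&1; then
    opkg list-upgradable | classify_upgradable
else
    sample_upgradable | classify_upgradable
fi
```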