18.06.2 - Upgrading packages

Wow! That was fast! Thanks for the clarifications!

Which means, I'll have to go for the last option, bring the network down, get the router, reinstall packages and ... smile... :slight_smile:

Or custom assemble or build your own ROM with the packages you need. (I'm guessing you only have 3G connectivity to the router, so without those packages, no Internet access to the device.)

I'll get the router and prepare it, I just need to understand first (need to go through the detailed changelog) what are the exact vulnerabilities (if any) I'll close with 18.06.2 and if it's worth/urgent enough.
No, the 3G is just configured for failover, no modem inserted in the USB socket for now. Accessing it is actually worse; I can only get to it through openvpn, which obviously runs on it :smile:

I am guilty of upgrading packages. I now want a clean 18.06.2 install.

I checked my config files for 18.06.1. I need the following files. My plan is to do a sysupgrade with a clean config, then copy over my old pertinent files that I need manually (not to restore the entire backup config) OR hand edit the files to incorporate previous changes. What will happen to my opkg upgraded packages? Will this work or do I need a factory install?

/etc/config files
dropbear
openvpn          
firewall 
wireless
ddns
dhcp             
network          
system

Files for openvpn
	option ca '/etc/easy-rsa/keys/ca.crt'
	option cert '/etc/easy-rsa/keys/myrouter.crt'
	option key '/etc/easy-rsa/keys/myrouter.key'
	option dh '/etc/easy-rsa/keys/dh2048.pem'

Your backup files look fine. Most of them will be backed up by default (no need to specify files in /etc/config).

You don’t need to re-flash the router if you’re already on 18.06.2. You can simply run firstboot on the command line. This will erase all files and restore the configuration to that of the original image in ROM. Then restore your backup and you should be good to go. You’ll need to use opkg install to add any packages that are not part of your original image (such as OpenVPN, unless you have a custom image that includes that and other packages of interest). Just don’t use the opkg upgrade for anything and you’ll be golden.

2 Likes

So when installing packages, how is one supposed to ensure that one gets a compatible version, rather than the latest package in the repo?

  • Installing is OK
  • Upgrading is where the issues arise

Let me point out the opkgscript.sh at OpenWrtScripts (github)

This script writes out the set of installed packages (to /etc/config/opkg.installed), then a different option can read that list back in after upgrading your firmware to restore your previous packages.

Not necessarily.

Assume that I install 18.06.2 and run it for a while. A couple of months later I decide that I really do need to be using TLS encryption with luci, so I install the luci-ssl package, but that package almost certainly won't match the version of the other luci packages that were included in the original installation. As pointed out upthread, it's a crapshoot whether such a version mismatch will cause problems or not.

I was stating a matter of fact.

In this case:

  • Reset to defaults
  • Restore config
  • Re-install all additional packages

Works for me on versions 17 and 18.

Consider a brand new install of 18.06.2 (openwrt-18.06.2-x86-64-combined-ext4.img running in a VM).

root@OpenWrt:~# opkg list-installed | grep luci
liblucihttp - 2018-05-18-cb119ded-1
liblucihttp-lua - 2018-05-18-cb119ded-1
luci - git-19.020.41695-6f6641d-1
luci-app-firewall - git-19.020.41695-6f6641d-1
luci-base - git-19.020.41695-6f6641d-1
luci-lib-ip - git-19.020.41695-6f6641d-1
luci-lib-jsonc - git-19.020.41695-6f6641d-1
luci-lib-nixio - git-19.020.41695-6f6641d-1
luci-mod-admin-full - git-19.020.41695-6f6641d-1
luci-proto-ipv6 - git-19.020.41695-6f6641d-1
luci-proto-ppp - git-19.020.41695-6f6641d-1
luci-theme-bootstrap - git-19.020.41695-6f6641d-1

You can see that the installed luci packages are version 19.020.41695.

What version of luci-ssl is available in the repo?

root@OpenWrt:~# opkg update
(...)

root@OpenWrt:~# opkg list luci-ssl
luci-ssl - git-19.046.40869-30d9bc0-1 - LuCI with HTTPS support (mbedTLS as SSL backend)

If I install luci-ssl, I will get version 19.046.40869, which is a later version than the rest of the luci packages.
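
The comparison walked through in the post above, as an added example that is not part of the original post or of OpenWrt: it checks whether the repo version of a package matches the versions of its already-installed package family before `opkg install` is run. The function names `check_skew` and `family_versions` are hypothetical, the sample lines are copied from the opkg output quoted in the thread, and any version difference is reported as skew, which is an assumption of this sketch rather than a compatibility test.

```shell
#!/bin/sh
# Constructed sample input: lines copied from the opkg output quoted in the thread.
INSTALLED='liblucihttp - 2018-05-18-cb119ded-1
luci - git-19.020.41695-6f6641d-1
luci-base - git-19.020.41695-6f6641d-1
luci-lib-ip - git-19.020.41695-6f6641d-1'
AVAILABLE='luci-ssl - git-19.046.40869-30d9bc0-1 - LuCI with HTTPS support (mbedTLS as SSL backend)'

# family_versions FAMILY: read "name - version" lines on stdin and print the
# distinct versions of packages named FAMILY or FAMILY-* (hypothetical helper).
family_versions() {
    awk -v p="$1" -F' - ' '$1 == p || index($1, p "-") == 1 { print $2 }' | sort -u
}

# check_skew PKG FAMILY INSTALLED_TEXT AVAILABLE_TEXT (hypothetical helper)
# Returns 0 if the repo version of PKG equals the single installed family
# version, 1 on any difference, 2 if either side has no data.
check_skew() {
    pkg=$1
    family=$2
    repo_ver=$(printf '%s\n' "$4" | awk -v p="$pkg" -F' - ' '$1 == p { print $2; exit }')
    inst_vers=$(printf '%s\n' "$3" | family_versions "$family")
    if [ -z "$repo_ver" ] || [ -z "$inst_vers" ]; then
        echo "UNKNOWN $pkg: no repo entry or no installed $family packages"
        return 2
    fi
    if [ "$inst_vers" = "$repo_ver" ]; then
        echo "MATCH $pkg $repo_ver"
        return 0
    fi
    # A difference is a prompt to review, not proof of incompatibility.
    echo "SKEW $pkg repo=$repo_ver installed=$(echo $inst_vers | tr ' ' ',')"
    return 1
}

# On a router, feed it live data instead of the sample:
#   check_skew luci-ssl luci "$(opkg list-installed)" "$(opkg list luci-ssl)"
check_skew luci-ssl luci "$INSTALLED" "$AVAILABLE" || true
```

A family that already reports more than one installed version (for example after a partial `opkg upgrade`) is also flagged as skew, with all installed versions listed.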

Generally, this will not be a problem within the same release.

Your concerns are being addressed in master with ABI revisioning.

1 Like

Indeed. I just wanted to point out that simply telling people not to update packages doesn't completely eliminate the issue.

I've updated the packages many times without issues. Maybe I'm lucky and don't have any problematic package?
Is there a list of packages known to break stuff if they get updated?

EDIT: I'm running 18.06.2 right now but I've updated stuff on older releases too (always on releases, not on snapshot builds)

@fgimenezm - it seems that you have been lucky to date.

I cannot stress enough that opkg upgrade is a bad idea for all the reasons that have been discussed in this and other threads.

To my knowledge, there is no known list of 'safe' packages. There are no automatic compatibility checks, it would be purely manual. And there is nobody (to my knowledge) who is attempting to create a list like this (automated or manual). If one were to manually review the code changes for each package that might be upgraded, it may be possible to figure out if there are changes in the dependencies (and if so, those must also be reviewed) and/or kernel version to then guess at the compatibility. But that would be a lot of work and is incumbent on the person doing the upgrade to do themselves.

By now, you should know from reading these threads that there is a risk of seriously messing up your OpenWrt setup in unpredictable ways, some subtle, some major.

Although this cannot be guaranteed, the good news is that presumably failsafe should still work most of the time -- from there you can always 'firstboot' which will restore your router back to the ROM contents (i.e. the image most recently flashed onto the router).

Unless there is a very specific reason that you want/need to upgrade a given package, it would just seem like a lot of work to audit the code and/or unwise to blindly try the upgrade given the warnings here, unless you don't mind the risk (at which point, it is really a gamble). To each their own, of course. Good luck!

3 Likes
