I have this quick question - is OpenWrt 25.12.4 being prepared (for example - in order to fix the dirty frag Linux kernel vulnerability)?
Should I wait for it (if it is coming out soon) or should I immediately upgrade to OpenWrt 25.12.3 and then wait for the .4 minor fix release?
Why am I asking this? Because with my router and custom configs, it usually takes me a couple of hours to upgrade (my router requires reflashing on each update, as if it were a new OpenWrt installation, then I have custom configs to restore, custom optional modules to install...).
If the next version is coming out soon, I can just wait for it and skip the .3 release.
You should upgrade to .3 now, don't wait - and .4 once (whenever) that becomes available.
dirtyfrag just got a (pending) PR today, hopefully fixing the issue for kernel v6.18 (v6.12 is not completely fixed yet). As mentioned by Ityns, there are a few other new issues in musl, dnsmasq, dropbear, … with pending PRs as well.
As frollic implied, the actual impact of dirtyfrag on OpenWrt is rather limited: the vulnerable code itself is not installed by default, and in the context of OpenWrt being a non-interactive, single-user system its impact is considerably lower than on other general-purpose distributions. Yes, it needs to be fixed regardless, but the fixes still need to settle a bit, or we'd be up to .6 or .7 by the weekend (as mentioned, kernel v6.18.29 was only released yesterday, and kernel v6.12.87 is not fully fixed yet).
OP, you need to start building with your packages and configs built into your FW; that way they are just there when you flash. It seems like a minefield at the start, but once you have the hang of it you will be just fine. You can do as I do and build your builds on WSL if you are using Windows.
Maybe it's time to spend some time to understand how OpenWrt is updated then?
Use the attended sysupgrade with LuCI, or build your custom firmware with the image builder to include your packages and configs.
Really, dude, "my upgrade" process needs a reboot.
But OK, I look for and test stuff upfront with spare devices and in a virtual machine before I flash it on my fleet.
You might consider building your new image from source. On Windows, just use a VM, like VirtualBox, with a recent Ubuntu Server image (24.04) installed.
Then you have several possibilities to include your special configs into the image, e.g. using uci with "files/etc/uci-defaults", or even (carefully) including your actual /etc/config/.... files.
Building from source is only needed if the user wants to:
- apply patches
- switch configure options for how a package is built
- cannot wait a few hours till the image builder is provided.
And even if building from source, it should be pointed out loud enough to then also build the image builder for local use. Especially if all the following steps are just:
- which packages get included
- which config files
- and maybe, if you really need and want them, uci scripts for certain defaults.
I have this device and I wrote the upgrading section, BTW.
Upgrading needs three steps, and can be done in about 4 min. So don't wait for a future .4 version and install 25.12.3.
@ramones For your case, writing a complete script with a firmware selector (https://firmware-selector.openwrt.org) that modifies the settings at boot is much easier than compiling the firmware yourself. I have been there.
You will need to get familiar with all the UCI settings and create all the files (in my case, even an openssh auth file). I think it's pretty easy now with the assistance of an LLM. Just try a few times, and you should be good. Then you just save your complete script and extra packages list somewhere, and copy/paste next time, saving loads of time and pain.
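As an added example (not a script from OpenWrt or from any poster in this thread), here is what such a first-boot uci-defaults script can look like, covering both the "files/etc/uci-defaults" route mentioned above for the image builder and the firmware selector's "script to run on first boot" field. The hostname, LAN address and SSH key are constructed placeholders, and the DRY_RUN wrapper is an assumption of this example (not part of OpenWrt) so the script can be rehearsed on a workstation before flashing.

```shell
#!/bin/sh
# Added example for this thread (not a script from OpenWrt or any poster):
# a first-boot uci-defaults script that restores a few custom settings so
# they are "just there" after a clean flash. The hostname, LAN address
# and SSH key are constructed placeholders; replace them with your own.
#
# Where it goes:
#   - firmware selector: paste into "Script to run on first boot (uci-defaults)"
#   - image builder:     FILES=files with this at files/etc/uci-defaults/99-custom
# OpenWrt runs every script in /etc/uci-defaults once at boot and removes it
# when the script exits 0, so the settings are applied exactly once per flash.

NEW_HOSTNAME="rtr-home"                                   # constructed placeholder
LAN_IP="192.168.10.1"                                     # constructed placeholder
SSH_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA user@laptop"  # constructed placeholder
AUTH_KEYS="/etc/dropbear/authorized_keys"                 # dropbear's key file on OpenWrt

# Wrapper so the script can be rehearsed on a workstation before flashing:
# with DRY_RUN=1 the uci commands are appended to $DRY_RUN_LOG instead of
# executed (this dry-run hook is part of the added example, not of OpenWrt).
run_uci() {
    if [ -n "$DRY_RUN" ]; then
        printf 'uci %s\n' "$*" >>"${DRY_RUN_LOG:-/tmp/uci-dryrun.log}"
    else
        uci "$@"
    fi
}

apply_first_boot_config() {
    run_uci set "system.@system[0].hostname=$NEW_HOSTNAME"
    run_uci set "network.lan.ipaddr=$LAN_IP"

    # SSH hardening: keys only, no root password login over the network.
    run_uci set "dropbear.@dropbear[0].PasswordAuth=0"
    run_uci set "dropbear.@dropbear[0].RootPasswordAuth=0"
    mkdir -p "$(dirname "$AUTH_KEYS")"
    # Idempotent: running twice (e.g. flashing the same image again) does not
    # append the key a second time.
    grep -qF "$SSH_PUBKEY" "$AUTH_KEYS" 2>/dev/null || printf '%s\n' "$SSH_PUBKEY" >>"$AUTH_KEYS"
    chmod 600 "$AUTH_KEYS"

    run_uci commit
}

# Only apply for real on an OpenWrt system; elsewhere set DRY_RUN=1 and call
# apply_first_boot_config by hand to inspect the generated uci commands.
if [ -f /etc/openwrt_release ]; then
    apply_first_boot_config
fi
```

Rehearsing it off-device (`DRY_RUN=1`, then calling `apply_first_boot_config` and reading the log) catches typos in UCI paths before they cost you a reflash; on the router itself the script runs unguarded on first boot, installs the key, commits, and is then removed by OpenWrt.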
Please don't forget to share your success story. Every time someone comes here who got help from an LLM to configure OpenWrt, the user ended up with a whole train wreck.
Remember, these Markov-chain-generators-on-LSD are just copy-pasting shit they find. And much content regarding OpenWrt on the web is either heavily outdated or just plain wrong or only half true. We may get better results if the LLM is pointed only to "official" documentation and upstream Linux and upstream package sources, but still, we see so much wrong output of these tools it's kind of funny. Especially if you compare it to the fact that the same LLM is able to provide kernel exploits.
And let me stress again the fact that people are shitting themselves over a local privilege escalation on an embedded single-user system which runs with uid=0.
If this issue had really been that bad, let's say, like Heartbleed or the Java logging thingies a few years back, we would have heard so in the news. But no. Nothing! Yes, many poor old servers will be pwn3d, but that's a whole other topic and threat model! (Because to use this LOCAL privilege escalation you already need to have a foot in the door. A remote code execution is really bad, but an LPE is "just" meh.)
I can only say and ask for: Please get your shit together! The same goes for the dnsmasq issues. On OpenWrt this is no issue at all! I would be far more worried about all the devices which run OpenWrt (no, not as home network devices but as embedded devices) which will NEVER! see an update! (I have seen over 15-year-old OpenWrt Frankenstein zombies in the German power market. Please don't ask; and be worried. These will never see an update. The same goes for other embedded firmware which runs heavily outdated and unsupported software AND is attached to public networks.)