OpenWrt 21.02.4 fourth service release

Hi,

The OpenWrt community is proud to announce the newest stable release of the OpenWrt 21.02 stable version series. It fixes security issues, improves device support, and brings a few bug fixes.

Download firmware images using the OpenWrt Firmware Selector:

Download firmware images directly from our download servers:

The OpenWrt 21.02 stable series is in security maintenance only mode. It is projected to go end of life on 6. April 2023 following the OpenWrt Security support guidelines. We encourage all users of the OpenWrt 21.02 stable series to upgrade to OpenWrt 22.03.
https://openwrt.org/docs/guide-developer/security#support_status

Main changes between OpenWrt 21.02.3 and OpenWrt 21.02.4:

Security fixes

  • wolfssl: Fix security problem (CVE-2022-34293, CVE-2022-38152, CVE-2022-38153 and CVE-2022-39173)
  • zlib: Fix security problem (CVE-2022-37434)
  • openssl: Fix security problem (CVE-2022-1292, CVE-2022-2068 and CVE-2022-2097)

Device support

  • Support for the following devices was added:
    • Wavlink WL-WN579X3
    • Sitecom WLR-4100 v1 002
    • Banana Pi M2 Berry
    • YunCore AX820/HWAP-AX820
    • MikroTik RouterBOARD hAP ac lite
    • MikroTik RouterBOARD mAP
  • Youku YK1: speed up spi frequency for YK-L1, split YK1 to YK-L1 and YK-L1c
  • ZBTLink ZBT-WG2626: add reset GPIO for PCIe port 1
  • ZBTLink ZBT-WE1026 5G: fix watchdog reset
  • Asus RT-AC57U: fix WPS button level
  • Archer VR2600: fix switch ports numbering
  • ZyXEL NBG-419N v2: Fix booting
  • Linksys MR8300: add WAN port
  • ramips: several fixes and improvements to mt7620 Ethernet
  • bcm53xx:
    • Disable GRO by default at kernel level
    • Enable & setup packet steering
  • ipq40xx: fix ar40xx driver
  • bcm4908:
    • Enable NVMEM U-Boot env data driver
    • Backport mtd parser for Broadcom's U-Boot partition
    • fix -EPROBE_DEFER support in bcm4908_enet

Various fixes and improvements

  • kernel:
    • Fix IPv6 flow offloading (FS#3373)
    • Backport LEDs driver for BCMBCA devices
    • Backport mtd dynamic partition patch
    • Fix possible mtd NULL pointer dereference
  • mac80211: fix QCA9561 PA bias
  • mac80211: disable ft-over-ds by default
  • mt76: backport fix encap offload ethernet type check
  • hostapd fixes and improvements:
    • Add support for enabling link measurements
    • Fix uninitialized pointer
  • zlib: backport null dereference fix
  • build system:
    • Switch from xxd tool to xxdi.pl script
    • Check TLS certificates by default when downloading over HTTPS
    • feeds: use git-src-full to allow Git versioning
    • Fix build warnings with grep-3.8
    • Add compatibility with Python 3.11

Core components

  • Update Linux kernel from 5.4.188 to 5.4.215
  • Update openssl from 1.1.1n to 1.1.1q
  • Update wolfssl from 5.2.0 to 5.5.1
  • Update wireless-regdb from 2021.08.28 to 2022.08.12
  • Update intel-microcode from 20210608 to 20220809
  • Update exfat from 5.12.3 to 5.19.1
  • Update iwinfo from 2021-04-30 to 2022-04-26

Full release notes and upgrade instructions are available at
https://openwrt.org/releases/21.02/notes-21.02.4

In particular, make sure to read the regressions and known issues before upgrading:
https://openwrt.org/releases/21.02/notes-21.02.4#known_issues

For a detailed list of all changes since 21.02.3, refer to
https://openwrt.org/releases/21.02/changelog-21.02.4

To download the 21.02.4 images, navigate to:
https://downloads.openwrt.org/releases/21.02.4/targets/
Use OpenWrt Firmware Selector to download:
https://firmware-selector.openwrt.org/?version=21.02.4

As always, a big thank you goes to all our active package maintainers, testers, documenters and supporters.

Have fun!

The OpenWrt Community


To stay informed of new OpenWrt releases and security advisories, there are new channels available:

3 Likes

FYI, the second URL has a typo (both this forum post and the source wiki page).

https://downloads.openwrt.org/releases/21.04.4/targets/
                                          ^^

There was no reason to think that it was fixed, but just a note here to mention that the cool "reboot and get a new WAN IP most of the time" problem (certain network interface commands can also do it) is still around for those susceptible to the problem (some aren't, for whatever reason).

This problem began in v21. Unsure if it's around in v22 but I would expect so.

I take it that you are referring to routers, such as tp-link Archer C2600?

I'd have to delve back into early v21 threads to recall now if certain routers were exempt, but I don't recall that being the case and it's difficult to know that one way or another without a lot more data. It doesn't help clarifying it when there are numerous ISPs, which are wrapped up in this.

I think it's more likely that the given ISP creates a condition (relative to DHCP) which encourages the problem (starting with v21 and perhaps continuing in v22) regardless of router model.

Good to know. Thanks.

Hello.. I would like to inform that the package for curl and libcurl4 is still using the broken version 7.83.1-2.1 (due to the security update for wolfssl) on the majority of architecture builds. See links below for mipsel_24kc.

https://downloads.openwrt.org/releases/21.02.4/packages/mipsel_24kc/packages/libcurl4_7.83.1-2.1_mipsel_24kc.ipk
https://downloads.openwrt.org/releases/21.02.4/packages/mipsel_24kc/packages/curl_7.83.1-2.1_mipsel_24kc.ipk

With those versions, curl won't work for HTTPS/SSL URLs. So in short, updating via AUC or downloading the update firmware breaks curl's capability to open HTTPS links.

I've actually posted this here: Mipsel_24kc release (21.02.3 and 21.02.4) doesn't have the updated curl and libcurl4

2 Likes

Thank you for the note.

To put this into context: curl is not part of the default OpenWrt installation image. The mentioned broken curl package should only affect setups where curl is installed from opkg packages or as a dependency from other packages.

Thanks for the info, but who should we raise this to? Because a lot of known/popular packages like https-dns-proxy use this and adblock uses it as the default downloader. So upon setup this will cause confusion as it will not work initially as intended.

The official package bug tracker is on GitHub: https://github.com/openwrt/packages/issues
The bug reporting process is described here: https://openwrt.org/bugs

@jow Could you please mention this bug as known issue for 21.02.4? https://openwrt.org/releases/21.02/notes-21.02.4#known_issues

1 Like

Thanks @odrt .. there was one related to this but was closed and it was mentioned the fix was already committed. I'll just create a new issue.

Thanks again!

1 Like

After upgrading my Xiaomi Mi Router 4A Gigabit Edition from 21.02.3 to 21.02.4, I'm getting this kernel error on bootup:

Thu Oct 13 22:55:38 2022 kern.notice kernel: [    0.614797] 8 fixed-partitions partitions found on MTD device spi0.0
Thu Oct 13 22:55:38 2022 kern.err kernel: [    0.621190] OF: Bad cell count for /palmbus@1E000000/spi@b00/flash@0/partitions
Thu Oct 13 22:55:38 2022 kern.err kernel: [    0.628507] OF: Bad cell count for /palmbus@1E000000/spi@b00/flash@0/partitions
Thu Oct 13 22:55:38 2022 kern.notice kernel: [    0.636064] Creating 8 MTD partitions on "spi0.0":

The router seems to be working fine. Is this error something to worry about?

This issue is already open in the bug tracker:

Should I be worried if my device is working fine even with those errors?

If this were my router I would dive into the source code of the program that throws the error message and find out what the message is about in detail.

It’s up to you if you worry about this and what you do about it.

If you don’t like to care about such details at all: that’s what the OEM firmware is for. If it breaks you ask manufacturer’s support. With OpenWrt you can do a lot more but you need to support things by yourself.

21.02.5 has been released.

2 Likes