Package Update Check in V24.10.4

icehunter · November 28, 2025, 3:16pm

Hello,

it is possible to update following packages in the next firmware (> V24.10.4). It would be great:

wget-ssl1_1.24.5-r1
libgnutls_3.8.5-r1
libexp_2.7.1-r1
libiperf3_3.17.1-r4
iputils-arping_20240905-r1
iputils-ping_20240905-r1
iputils-tracepath_20240905-r1
glib2_2.82.0-r1
chat/ppp/ppp-mod-pppoe/ppp-mpd-pppol2tp/ppp-mod-pptp-2.5.1

Thank a lot.

brada4 · November 28, 2025, 3:18pm

You have to come to github with PR-s or as a minimum with issue report mentioning particular CVE affecting particular package.

icehunter · November 30, 2025, 7:08pm

Yes, see following list:

wget-ssl1_1.24.5-r1 (CVE-2024-10524 / CVE-2024-38428)
URL: https://www.cve.org/CVERecord?id=CVE-2024-10524
URL: https://www.cve.org/CVERecord?id=CVE-2024-38428
libgnutls_3.8.5-r1 (CVE-2025-32988):
URL: https://www.cve.org/CVERecord?id=CVE-2025-32988
libexpat_2.7.1-r1 (CVE-2025-59375):
URL: https://www.cve.org/CVERecord?id=CVE-2025-59375
iperf3_3.17.1-4 (CVE-2025-54350 / CVE-2025-54349):
URL: https://www.cve.org/CVERecord?id=CVE-2025-54350
URL: https://www.cve.org/CVERecord?id=CVE-2025-54349
libiperf3_3.17.1-r4 (CVE-2025-54350 / CVE-2025-54349):
URL: https://www.cve.org/CVERecord?id=CVE-2025-54350
URL: https://www.cve.org/CVERecord?id=CVE-2025-54349
iputils-arping_20240905-r1 (CVE-2025-48964):
URL: https://www.cve.org/CVERecord?id=CVE-2025-48964
iputils-ping_20240905-r1 (CVE-2025-48964):
URL: https://www.cve.org/CVERecord?id=CVE-2025-48964
iputils-tracepath_20240905-r1 (CVE-2025-48964):
URL: https://www.cve.org/CVERecord?id=CVE-2025-48964
glib2_2.82.0-r1 (CVE-2025-3360 / CVE-2025-4056):
URL: https://www.cve.org/CVERecord?id=CVE-2025-3360
URL: https://www.cve.org/CVERecord?id=CVE-2025-4056

frollic · November 30, 2025, 7:10pm

@brada4 didn't ask you a question, he told you how to proceed.

brada4 · November 30, 2025, 7:17pm

libiperf3_3.17.1-r4 (CVE-2025-54350 / CVE-2025-54349)
eg 24,10 is missing the fixes
/ https://github.com/openwrt/packages/tree/openwrt-24.10/net/iperf3
While snapshot has good version
/ https://github.com/openwrt/packages/blob/fd191c9b497d8d7929b415fe3b78243e90c1f8c4/net/iperf3/Makefile#L11

it is up to you to check whether 3 parches ( making r1 into r4 ) already cover the CVE-s, then open actionable issue reports. Then it is up to maintainer to either pull upstream patches or bump version.

Or you make a well formatted pull reques and force their hand to bump or patch with debian patch

EDIT: we are not sending you away, I am pretty sure among 20 there is at least one missing patch yielding a security issue in a distributed package.....