Security Issues / Bugs, when to sysupgrade OpenWrt or upgrade Packages?

Hi there

I have read that it is unwise to upgrade software packages if you don't have a good reason (here, here), because if you upgrade, there is the risk (worst case) of bricking your router.

I use the Fritzbox 4040; in LuCI it is indicated that there are 27 packages upgradable.

How can I find out if one of these upgrades is important for security reasons? Is there a website on which it is indicated if an upgrade solves a critical bug / a security issue?

Kind regards,
Ische

1 Like

EDIT: @tmomas's post below gives a far better answer.

My personal take is that for critical bugs, the core developers typically roll a new point release pretty quickly, and then reflashing that new version ASAP is highly recommended.
For non-core self-installed packages, unfortunately we are more or less on our own, that is, you would need to monitor the packages repository yourself and decide whether you consider changes to be essential. Opkg, OpenWrt's package manager, is not as fully featured as the other big managers, as it needs to work with comparatively little memory. So it really is missing some features on purpose that you would need for using it as a full-featured tool to update an OpenWrt installation. It is fine for installing additional packages and mostly fine for updating packages with restricted security updates, say, if a package got a fix that does not involve and depend upon updates to other packages.

3 Likes

See https://openwrt.org/advisory/start for OpenWrt security advisories.

6 Likes

This post is the first time I have seen this page: https://openwrt.org/advisory/start

My reactions are:

  1. Wow! This is fantastic! As it is, OpenWrt already provides very frequent point releases (every few months) that fix security issues known to date. These intermediate package fixes are released so quickly it's practically "real time". Most OEMs provide a firmware update to fix security issues every few years, and then only if they are bothering to still support their hardware at all.

  2. Huh? Why haven't I seen this before? I skim the forum, commits to master, etc. every few days. I looked around the home page for OpenWrt and couldn't find it. Clicked on the security link under "Why Use OpenWrt" - same.

No doubt there is a way to get there from here and I'm just oblivious, but this is something to be really proud of.

FWIW, I think this should be a link on the OpenWrt home page, front and center within the "Security:" description under "Why Use OpenWrt?", or at the very least somewhere in the detailed "Security" reasons to use, one more click away from the home page.

1 Like

The page was there, but not linked anywhere. The only way you could find the advisories page was by using the OpenWrt wiki search (or via the search engine of your choice).

I have now added a link on https://openwrt.org/reasons_to_use_openwrt#security pointing to https://openwrt.org/advisory/start

Edit: Link added to https://openwrt.org/start#why_use_openwrt too.

4 Likes

Looks perfect now tmomas. Thank you for adding the linkage.

Thanks guys, for your advice and insight!
