Trying to get Philips to update there Hue Hub!

Installing and Using OpenWrt
1

Hi people.

I have a Hue Bridge and have bin looking at the packages that are installed. Some of them seem to be very out of date. I would like to know if any one knows of any CVEs in any of the packages I will post the list at the end of this post. It is a old build of OpenWrt the Hue runs.

I know that not all old packages have bugs in, but I just would like to be able to get them to update the most inportant or risky ones.

EG TheHue is running kernel 4.4.60 and we are now on Kernel 4.4.295
Which packages should I get on to them about?

argtable 2.13-1
avahi-autoipd 0.6.31-12
base-files 157.2-r46875
boost 1.71.0-6
boost-atomic 1.71.0-6
boost-chrono 1.71.0-6
boost-date_time 1.71.0-6
boost-filesystem 1.71.0-6
boost-system 1.71.0-6
boost-thread 1.71.0-6
breakpad 0.0.0
busybox 1.25.1-2
ccronexpr 20180523-1
chacha20-simple 1.0-1
curl 7.72.0-2
curve25519-donna 1.0
dbus 1.9.14-1
dnsmasq 2.73-1
dropbear 2015.67-1
duktape 2.5.0-1
ed25519-donna 1.0
expat 2.1.0-3
firewall 2015-07-27
fluent-bit 1.6.8
fstools 2016-01-10-96415afecef35766332067f4205ef3b2c7561d21
grpc 2017-04-12-v1.2.4
iptables 1.4.21-1
jshn 2015-11-08-10429bccd0dc5d204635e110a7a8fae7b80d16cb
json-schema-validator 2.1.0
json_checker 2007-08-24
jsonfilter 2014-06-19-cdc760c58077f44fc40adbbe41e1556a67c1b9a9
kernel 4.4.60-1-661cd940c75f0b9fe060d1ead8916a7d
kmod-button-hotplug 4.4.60-3
kmod-gpio-button-hotplug 4.4.60-1
kmod-i2c-algo-bit 4.4.60-1
kmod-i2c-core 4.4.60-1
kmod-i2c-gpio 4.4.60-1
kmod-input-core 4.4.60-1
kmod-ip6tables 4.4.60-1
kmod-ipt-conntrack 4.4.60-1
kmod-ipt-core 4.4.60-1
kmod-ipt-nat 4.4.60-1
kmod-ipv6 4.4.60-1
kmod-lib-crc-ccitt 4.4.60-1
kmod-nf-conntrack 4.4.60-1
kmod-nf-conntrack6 4.4.60-1
kmod-nf-ipt 4.4.60-1
kmod-nf-ipt6 4.4.60-1
kmod-nf-nat 4.4.60-1
kmod-nf-nathelper 4.4.60-1
libatomic 5.2.0-1
libblobmsg-json 2015-11-08-10429bccd0dc5d204635e110a7a8fae7b80d16cb
libc 1.0.14-1
libcap 2.24-1
libcares 1.10.0-2
libconfig 1.4.9-1
libcurl 7.72.0-2
libdaemon 0.14-5
libevent2-core 2.1.8-2
libffi 3.3-2
libgcc 5.2.0-1
libip4tc 1.4.21-1
libip6tc 1.4.21-1
libjson-c 0.12-1
libjson-script 2015-11-08-10429bccd0dc5d204635e110a7a8fae7b80d16cb
libmbedtls 2.3.0-1
libmosquitto-ssl 2.0.10-dev-4
libmpack v1.0-1
libnl-tiny 0.1-4
libopenssl 1.1.1g-1
libopenssl-conf 1.1.1g-1
libpcre 8.40-1
libprotobuf-c 1.3.1-2
libpthread 1.0.14-1
librpc 2015-11-04-a921e3ded051746f9f7cd5e5a312fb6771716aac
librt 1.0.14-1
libsqlite3 3270200-1
libssp 5.2.0-1
libstdcpp 5.2.0-1
libubox 2015-11-08-10429bccd0dc5d204635e110a7a8fae7b80d16cb
libubus 2015-05-25-f361bfa5fcb2daadf3b160583ce665024f8d108e
libuci 2015-08-27.1-1
libugpio 0.0.6-1
libxtables 1.4.21-1
lmdb 0.9.29-1
logd 2015-11-22-c086167a0154745c677f8730a336ea9cf7d71031
lua 5.1.5-1
mdnsd 878.260.1
micropython 1.16-1
micropython-lib 1.9.3-1
mosquitto 2.0.10-dev-4
mosquitto-client-ssl 2.0.10-dev-4
mosquitto-ssl 2.0.10-dev-4
mtd 21
netifd 2015-12-16-245527193e90906451be35c2b8e972b8712ea6ab
nginx-nchan 1.2.6
nginx-ssl 1.17.7-2
nlohmann_json 3.9.1
openssl 1.1.1g-1
openssl-util 1.1.1g-1
polarssl-mini 1.3.4-1
poly1305-donna 1.0
procd 2015-10-29.1-d5fddd91b966424bb63e943e789704d52382cc18
protobuf 3.7.1-1
protobuf-lite 3.7.1-1
qca-legacy-uboot-bsb002 g2bbbfdfe-1
rapidjson 1.1.0
sha-1 unknown
srp 2.1.2-1
tlsdate 2016-11-23
tomcrypt 1.17
tommath 0.42.0
uboot-envtools 2014.10-2
ubox 2015-11-22-c086167a0154745c677f8730a336ea9cf7d71031
ubus 2015-05-25-f361bfa5fcb2daadf3b160583ce665024f8d108e
ubusd 2015-05-25-f361bfa5fcb2daadf3b160583ce665024f8d108e
uci 2015-08-27.1-1
usign 2015-05-08-cf8dcdb8a4e874c77f3e9a8e9b643e8c17b19131
utf8decoder 2010-06-25
zlib 1.2.8-1
2

You should ask this question directly to Philips or on forums related to the Philips Hue platform.

This is the OpenWrt forum which focuses on the official OpenWrt firmware. Variants/branches created by other entities are not part of the scope here -- please contact the relevant maintainers for those versions.

2 Likes
3

Hi mate I am well awair of what forum I am on. I have bin nocking around the openwrt community for years now. :blush:

I was just after pointers of what to say to them.

I am after an angle of attack as such!

4

You can lookup CVEs and map them to the core components in their customized versions, but keep in mind that not all vulnerabilities in the components are relevant, as it depends on how things are configured, what services are exposed, what additional code they have added and how it interacts with the various components and many other factors.

Best option is to make a stink about it on their forums and other public places (reddit, etc.) to hopefully get them to release updates and security audits. Pressure from an upwelling of customer concerns will be much more effective than you personally trying to request updates/fixes.

5

OK I posted on Reddit.

1 Like
6

This tread should at least be moved to the general question group.

Actually OpenWRT 21.02 runs on 5.4.

https://www.kernel.org/category/releases.html
But 4.4 isn’t EOL yet.

7

What actual Philips firmware version do you have to begin with?

8

Hi I have November 1, 2021
Software version 1948086000

9

Well it is still Philips problem anyway.

But I would expect a hardware version 3 before a major upgrade to the firmware will be released. Philips is a stock company so they need people to buy new stuff from time to time so their revenue continues to grow.

But you don’t need the hub if you don’t want to.
You can run the light with Apple home or equivalent Android thing instead.

10

They need to update curl and libcurl 7.72.0
August 19 2020 to curl and libcurl 7.80.0
November 10 2021 This update alone would fix 73 security problems. https://t.co/XrzmnwnERH
The is all so a update is out for openssl 1.1.1g-1 this would fix CVE-2020-1971) CVE-2021-23840) CVE-2021-23841) CVE-2021-3449) CVE-2021-3450) CVE-2021-3712) CVE-2021-3711)

12

Got a new update that showed up for me to day.

December 29, 2021
Software version 1949107040

Improved performance and reliability of the system

Looks like a more up-to-date build of openwrt.

argtable 2.13-1
avahi-autoipd 0.8-1
base-files 204.4
boost-atomic 1.71.0-6
boost-chrono 1.71.0-6
boost-date_time 1.71.0-6
boost-filesystem 1.71.0-6
boost-system 1.71.0-6
boost-thread 1.71.0-6
busybox 1.30.1-6
cJSON 1.7.14-3
ccronexpr 20180523-1
chacha20-simple 1.0-1
curl 7.66.0-3
curve25519-donna 1.0-28772f37a4b8a57ab9439b9e79b19f9abee686da
dnsmasq 2.80-16.3
dropbear 2019.78-2
duktape 2.5.0-1
ed25519-donna 1.0-8757bd4cd209cb032853ece0ce413f122eef212c
firewall 2019-11-22-8174814a-3
fluent-bit 1.8.7
fstools 2020-05-12-84269037-1
fwtool 2
grpc 2017-04-12-v1.2.4
iptables 1.8.3-1
jshn 2020-05-25-66195aee-1
json-schema-validator 2.1.0
json_checker 2007-08-24
jsonfilter 2018-02-04-c7e938d6-1
kernel 4.14.241-1-9e7cdf43b72fb90c151650560b7064a6
kmod-button-hotplug 4.14.241-3
kmod-gpio-button-hotplug 4.14.241-3
kmod-i2c-algo-bit 4.14.241-1
kmod-i2c-core 4.14.241-1
kmod-i2c-gpio 4.14.241-1
kmod-input-core 4.14.241-1
kmod-ip6tables 4.14.241-1
kmod-ipt-conntrack 4.14.241-1
kmod-ipt-core 4.14.241-1
kmod-ipt-nat 4.14.241-1
kmod-lib-crc-ccitt 4.14.241-1
kmod-nf-conntrack 4.14.241-1
kmod-nf-conntrack6 4.14.241-1
kmod-nf-ipt 4.14.241-1
kmod-nf-ipt6 4.14.241-1
kmod-nf-nat 4.14.241-1
kmod-nf-reject 4.14.241-1
kmod-nf-reject6 4.14.241-1
kmod-nls-base 4.14.241-1
kmod-usb-core 4.14.241-1
kmod-usb-ehci 4.14.241-1
kmod-usb2 4.14.241-1
libatomic1 7.5.0-2
libblobmsg-json 2020-05-25-66195aee-1
libc 1.1.24-2
libcap 2.27-1
libcares 1.15.0-4
libconfig11 1.7.2-2
libcurl4 7.66.0-3
libdaemon 0.14-5
libevent2-core7 2.1.11-1
libffi 3.3-2
libgcc1 7.5.0-2
libip4tc2 1.8.3-1
libip6tc2 1.8.3-1
libjson-c2 0.12.1-3.1
libjson-script 2020-05-25-66195aee-1
libmbedtls12 2.16.10-1
libmosquitto-ssl 2.0.10-dev-4
libmpack v1.0-1
libnl-tiny 0.1-5
libopenssl-conf 1.1.1k-1
Website: http://www.openssl.org/
libopenssl1.1 1.1.1k-1
Website: http://www.openssl.org/
libpcre 8.43-1
libprotobuf-c 1.3.1-2
libpthread 1.1.24-2
librt 1.1.24-2
libsqlite3-0 3310100-1
libstdcpp6 7.5.0-2
libubox20191228 2020-05-25-66195aee-1
libubus20210603 2021-07-01-38c7fdd8-1
libuci20130104 2019-09-01-415f9e48-4
libuclient20160123 2020-06-17-51e16ebf-1
libugpio 0.0.6-2
libwebsockets-openssl 3.1.0-1
libxtables12 1.8.3-1
lmdb 0.9.29-1
logd 2019-06-16-4df34a4d-4
lua 5.1.5-3
lzo 2.10-2
mdnsresponder 878.200.35-1
micropython 1.16-1
micropython-lib 1.9.3-1
mosquitto-client-ssl 2.0.10-dev-4
mosquitto-ssl 2.0.10-dev-4
mtd 24
musl-fts 1.2.7-1
netifd 2019-08-05-5e02f944-1
nginx-nchan 1.2.6
nginx-ssl 1.17.7-2
nlohmann_json 3.9.1
openssl-util 1.1.1k-1
openwrt-keyring 2021-02-20-49283916-2
poly1305-donna 1.0-dabffc6608eaca87d48c4ce9fc33a1e74a47e3f9
procd 2020-03-07-09b9bd82-1
protobuf 3.7.1-1
protobuf-lite 3.7.1-1
qca-legacy-uboot-bsb002 g229b2feaac-1
sha-1 unknown
srp 2.1.2-1
tlsdate 2016-11-23
tomcrypt 1.17-bbc52b9e1bf4b22ac4616e667b06d217c6ab004e
tommath 0.42.0-6f5bf561220a04962fbcd56db940085de4b53327
ubi-utils 2.1.1-1
uboot-envtools 2018.03-3.1
ubox 2019-06-16-4df34a4d-4
ubus 2021-07-01-38c7fdd8-1
ubusd 2021-07-01-38c7fdd8-1
uci 2019-09-01-415f9e48-4
uclient-fetch 2020-06-17-51e16ebf-1
usign 2020-05-23-f1f65026-1
ustream-ssl 2020-03-13-40b563b1-1
utf8decoder 2010-06-25
util-linux 2.34-1
zlib 1.2.11-3
1 Like
13

Software version 1949107040 now baste on OpenWrt v19.07.8

14

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.