Major Security Patch Releases

drozycki
DD-WRT Novice


Joined: 29 Sep 2021
Posts: 1

Posted: Wed Sep 29, 2021 16:51    Post subject: Major Security Patch Releases
Hi all,

What is the best way to stay up to date with the latest security-critical releases of DD-WRT?

Ideally I could set up a keyword-based notification on the SVN RSS feed or the forum. I could also imagine that a process like "upgrade to the latest known working release for my router every N months" could be good enough. I'm trying to avoid a solution like "read the forum regularly" or "scan through commit messages".

How do you stay secure from known DD-WRT, WPA2, etc exploits in a timely and time-efficient manner?

Daniel
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

Posted: Wed Sep 29, 2021 18:41
Hmmm, if you become a target your best bet is to turn off the WiFi...if not your best call is use a complex long WiFi pass, Disable EAPOL keys retake - enabled and pray...use WPA2 AES 128 or if your clients support it WPA3...
There is nothing like secure WiFi...

For more security, use radius server, which is more complex WiFi with remote authorisation server...

about security fixes..SVN track show it all...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Wed Oct 06, 2021 16:53
Alozaros wrote:
about security fixes..SVN track show it all...


Unless you are qualified enough to understand code security audits, I don't think a person who is asking how or what, is either qualified or that you yourself understand the implications.

But in reply to the OP, I can offer this simple advice.

Always use the most up to date releases possible that work for you, don't wait N months, because you likely missed something important, a fix or patch or whatever. BE proactive, don't open ports to the WAN without trusting the incoming data through those ports.

DON'T enable crap old technologies like uPnP etc and do lock LAN clients down which cannot be updated from accessing the WAN.

On a side note ignore people who just tell you to read the source code when you clearly have no such skills otherwise you wouldn't ask, and because, if you did have those skills you wouldn't ask anyway, you would be telling us, right?

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)


Last edited by the-joker on Thu Oct 07, 2021 14:39; edited 1 time in total
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

Posted: Wed Oct 06, 2021 19:28
the-joker wrote:
Alozaros wrote:
about security fixes..SVN track show it all...


Unless you are qualified enough to understand code security audits, I don't think a person who is asking how or what is either qualified or that you yourself understand the implications.

But in reply to the OP, I can offer this simple advice.

Always use the most up to date releases possible that work for you, don't wait N months, because you likely missed something important, a fix or patch or whatever. BE proactive, don't open ports to the WAN without trusting the incoming data through those ports.

DON'T enable crap old technologies like UpnP etc and do lock LAN clients down which cannot be updated from accessing the WAN.
On a side note ignore people who just tell you to read the source code when you clearly have no such skills otherwise you wouldn't ask, and because if you did you wouldn't ask anyway, you would be telling us, right?


been touchy the-joker ?
Before you ever existed on this forum, back in the days there was a nice change log presented by one forum member called KrypteX , it was a hell of a work for him and he had to stop it, so we, those with no skills to read the SVN line were forced by the circumstances...find your own way...and get on with it...

So, maybe you as more acknowledged, will flash us those 'incapable' to read the SVN and start a change log history from now on...to help the society ...maybe ...or I'm asking the wrong person...
So, bang, dang SVN is the only option...so far...and not knowing the things push us to find the way and learn Wink

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Wed Oct 06, 2021 19:47
But the fact is, you still don't understand what you're looking at. Surprised you didn't accuse him of being me Rolling Eyes And if you don't know who "the-joker" is... I'm not going to throw out any guesses or hints... but the person behind the screen over there ain't no n00b around here. I was considering back-logging KrypteX's old changelog posts, but decided not to update them and make them linked references / stickies again. Too many ungrateful ingrates on this forum.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

Posted: Thu Oct 07, 2021 12:06
Alozaros wrote:
been touchy the-joker ?

I apologize if what was said/written, made you feel that way. If that's what you took from my reply. I failed at whatever I was trying to convey. But I'm willing to try again and admit that maybe it wasn't the best way to put it.

Alozaros wrote:
there was a nice change log presented by one forum member called KrypteX

Changelogs should be meaningless when it comes to security patches. It makes not an iota of sense to advertise exactly by title in changelog or by comments in patch what it is the code does where security patches are concerned.

Not everyone is going to be clicking on any given commit and read the code, so why make it easy for people who would capitalize on this? Especially because users often stick to some old build, they admit it in public forums due to some bug that makes feature on their device unusable for their purposes.

Doesn't mean that you would or not get hacked in any eventuality. I hope you understand that going the obvious route, doesn't help matters. It's sad, I fully agree, but the world doesn't work any other way.

Alozaros wrote:
So, maybe you as more acknowledged, will flash us those 'incapable' to read the SVN and start a change log history from now on...to help the society ...maybe ...or I'm asking the wrong person...

I'm not any kind of expert at code security practices in any case (there I said it), and if I were, these are things which would happen behind the scenes in direct contact with the respective developers to report and even help patch things up.

On another note, I see great value in what Kryptex did, in advertising changes that probably had bug fixes which people report in the forums, this is great, was great, and someone should indeed make sense of the cryptic merge titles Brainslayer does, but only to the extent of those where regular bug fixes are concerned.

Alozaros wrote:
So, bang, dang SVN is the only option...so far...and not knowing the things push us to find the way and learn Wink

The best way to learn is to be proactive, and the best way for us regular folk to be as safe as possible is to read security news. There are a few websites that post all kinds of security news about which company was breached and any user data leaks and why and what exploits are reported as in CVE IDs etc and so on.

This is how I know that the uPnP stack is flawed in pretty much anything under the sun, and know the best way is to not use it, it's not strictly needed.

I also am aware of many other such issues, but only because I, every day, look at security news. You and everyone who uses tech should do this like... every day.

But one thing here is to understand that everything is flawed and can be exploited for any reason good or bad, there is no system that is secure and free from such issues, because, imperfect people make mistakes when developing something and others are just terrible at coding in any secure manner, or lazy or are just unaware of the code they just posted is vulnerable, and not all of the people developing try to improve this aspect of their coding practices.

Another thing users should do is to update their firmware/software on a regular basis. Or even better not use unnecessary software to make our life that more convenient, convenience is an enemy of any security, even if security is mostly a pipe dream in the tech industry..

For instance, the kernels, libraries etc., can in themselves contain security patches, so it's not just about one project it's about every single component used in that project, DD-WRT uses N amounts of such and Brainslayer does a fair job at updating those, well most of those.

So here is hoping everyone who agrees/disagrees or whatever with my views that at least update their stuff regularly to keep from stupid flaws being exploited by the drive by guy with a router in their pocket.

And let's hope such projects like DD-WRT, that breathes life and security fixes into all the ancient hardware the vendors ignored long ago and never really cared about, exist for all to use and benefit from at the great price of free, as in free beer.

So let's support DD-WRT in any way we can to ensure it never dies and continues to be relevant.

I'm doing what I can and have already made hundreds of fixes to the CSS and fixed some issues that bugged me that weren't really bugs in firmware where the themes are concerned. I also fixed my CPU showing the supported features, not a bug, but it bothered me.

Brainslayer has been really cooperative in merging every last change and helping me out with the more obscure parts of the source implementing ways to make the UI better for everyone to some extent. Rome wasn't built in a day.

I need help too, see https://svn.dd-wrt.com/ticket/7478

Also making new userCSS themes for the Forums/Trac/FTP site so users finally have some eye candy when posting/reading every DD-WRT related site except for wiki, see my signature.

And I'm out, PEACE!



Last edited by the-joker on Sun Oct 09, 2022 17:25; edited 1 time in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Thu Oct 07, 2021 14:16
Quote:
So let's support DD-WRT in any way we can to ensure it never dies and continues to be relevant.

This could happen, but folks have issues with people who are trying to support and improve things around here. If only I could copy/paste the changelog updates; but alas, I cannot. Because of folks like Alozaros. Your personal issues with me do not support this community in any way and they cloud your judgement. Sorry if I was too blunt in my previous post, but it is what it is. I'll continue doing what I can for the community's benefit with where I am. If people don't see the benefits in anything I do, then that is because either 1) they didn't do it, or 2) they don't see the benefit because they have a personal problem. The latter is NOT my problem.

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6408
Location: UK, London, just across the river..

Posted: Thu Oct 07, 2021 17:01
Moderator edit, please see forums rules.

the-joker wrote:
So, let's support DD-WRT in any way we can to ensure it never dies and continues to be relevant.


Long live BS & DDWRT Laughing Very Happy Cool yep we all love and appreciate BS work behind DDWRT as well all the community/forum as a base of knowledge

the-joker wrote:
Another thing users should do is to update their firmware/software on a regular basis. Or even better not use unnecessary software to make our life that more convenient, convenience is an enemy of any security, even if security is mostly a pipe dream in the tech industry..


Getting back on the subject, regarding security and fixes, bulletins...there is a good and bad side of the coin..exposing flaws/fixes does mean, all those that didn't update are still vulnerable...and some clever chaps can take advantage on it...for example companies I know of, have very tight security bulletins, not for everyone...

And yep, nowadays users must have a kind of internet hygiene, sadly vast majority don't, they understand internet only on layer 7 and that's all..but yep nothing is safe and sound consider networks...
I'm so glad, that BS does tons of security updates, probably DDWRT is one of the most security updated firmware around.
Sometimes, I'm impatient to get to the new DNSmasq so, I use the new version via Entware Razz until BS implement it...but I know he is also adding a final touch to it..so, I'm happy with his work, a lot...!

And yep, we do need someone that can do the KrypteX change log..honestly, I was thinking to try something very amateur level like, but yep even that takes time and I don't have that much time and level to interpret the SVN to a useful noob level change log...
Also, I have to admit DDWRT forum/WIKI's are not very noob friendly, but learning anything in life is not noob friendly at all, you have to start from scratch...kind of...

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Thu Oct 07, 2021 18:37
Alozaros wrote:
And yep, we do need someone that can do the KrypteX change log..honestly, I was thinking to try something very amateur level like, but yep even that takes time and I don't have that much time and level to interpret the SVN to a useful noob level change log...
Also, I have to admit DDWRT forum/WIKI's are not very noob friendly, but learning anything in life is not noob friendly at all, you have to start from scratch...kind of...

Again, already done and current to the latest commits on KrypteX's changelogs, but I can't unlock the posts or do shit with them thanks to you and your ilk of angry mob with pitchforks.

The wikis get attention when people point out problems; at least I try to correct things and make them easier to read when someone specifically points things out.

Anyhow, let's face it: we both aren't always very helpful but we try. But I am not going to stop posting or stop participating - because that's the exact freedom you are speaking of and defending. People need to chime in publicly with their concerns or their perspective on a problem thread, regardless of my status on here. The fact that people don't says more about them than it does me. I ain't the one(s) crying... lol Peace!

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

Posted: Thu Oct 07, 2021 19:00
Well ... if you had not always closed all threads then you would not now have the problem that you can no longer post in closed threads as a user.

Incidentally, I find the last few weeks very pleasant in the forum.
For the most part, you can finally talk undisturbed.

And if I find bugs and can help somehow then I do that.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Thu Oct 07, 2021 19:59
The closed threads I mention are not all ones I locked, they were already locked in some cases. And some things (like references list stickies) were locked so people wouldn't litter them with confusing bullshit. But I do agree, I was kind of hasty in some decisions and made bad choices, which I fully admitted to in conversation with BrainSlayer - and most all of those are ones I unlocked within 48 hours of my getting fired, lol.

And I have to agree, the past few weeks after I had CLEARLY stated that I was going to back off and let people do as they please without dropping the hammer have been rather unpleasant. For reference to what I mean (see bold text):
kernel-panic69 wrote:
Part of the information was removed from the 47377 build thread because some asshat wanted to attack my intelligence.  I didn't make a backup copy of the posts for reference, but my tired brain leans toward doing an 'nvram show | grep domain' or some such and manually setting a particular variable via script.  I honestly have not thought about it since the ignore wan dns option was introduced and I don't always have time to look through several megabytes of notes.  Sorry, not trying to put anyone off or refuse to be helpful, but my approach to things is leaning towards "hands off" to allow the community at large to participate more actively.

If you notice, the quoted post has been edited in this thread because it wasn't very professional of me to have said part of what I had said (but any part of it used in a proper web search brings up the thread, lol)

Moderator edit. snipped.

P.S. @ho1Aetoo: You have been much help around here, and even though we have had our differences, I can take your criticism just fine. Other people, not so much. Especially when they fall short of where in DD-WRT the actual answer I am alluding to is. No names, just initials ("dTX") lol. Not even gonna get started on deciphering debug messages from wlconf that got Chicken Little'd in a ticket. Psh.

Gameman Advanced Kid
DD-WRT Guru


Joined: 18 Nov 2012
Posts: 1158

Posted: Fri Oct 08, 2021 5:34
OP be like


_________________
For people who are new to the dd-wrt forums >> http://www.catb.org/~esr/faqs/smart-questions.html#rtfm

barryware wrote:
It takes a "community" to raise a router..


Internet Connection 1
Some Technicolor modem > Linksys WRT3200ACM

Internet connection 2
Ubiquiti Powerbeam Gen 2 > Netgear R9000

Official (but not really) dd-wrt General Discussion element/matrix chat

https://matrix.to/#/#dd-wrt-private-non-offical:matrix.org
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Fri Oct 08, 2021 9:33
My apologies to the OP; I should observe a little more self-restraint, perhaps Cool Rolling Eyes
dTX
DD-WRT User


Joined: 28 Dec 2018
Posts: 83

Posted: Fri Oct 08, 2021 22:38
Moderator edit.
Please see forums rules.

_________________
Router: ASUS AC1900(RT-AC68U)
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Fri Oct 08, 2021 23:36
Moderator edit.
Please see forums rules
