OpenWrt-19.04 missing CVE fixes


992 Views
john_beckett
Contributor II

From the resolution to https://community.nxp.com/t5/Layerscape/LS1021A-TWR-UDP-packet-loss/m-p/1093227 it was recommended that for the Layerscape I use OpenWrt-19.04 from 

https://source.codeaurora.org/external/qoriq/qoriq-components/openwrt

There do not seem to be any new commits which resolve issues on OpenWrt's security advisories:
https://openwrt.org/docs/guide-developer/security

Taking the first issue as an example:
https://openwrt.org/advisory/2020-05-06-2 updates package/network/services/relayd/Makefile to take commit "f4d759be54ceb37714e9a6ca320d5b50c95e9ce9" instead of "ad0b25ad74345d367c62311e14b279f5ccb8ef13" for the relayd source.

From looking at the code I am evaluating, it is still using the vulnerable version.

Taking a look at openwrt-19.07, the LSDK commits do not at first glance appear to have been upstreamed.

Is there a variant of OpenWrt that has the latest LSDK support and is actively maintained, i.e. latest bugfixes / security patching?

0 Kudos
Reply
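
The Makefile check described in the post above can be scripted; this is an added example, not code from the thread or from NXP. It assumes the pin sits on a `PKG_SOURCE_VERSION` line in the Makefile path quoted in the post; the function names and the sample trees are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an OpenWrt tree pins
# relayd at the fixed or the vulnerable commit named in the opening post.

REL=package/network/services/relayd/Makefile     # path quoted in the post
FIXED=f4d759be54ceb37714e9a6ca320d5b50c95e9ce9    # hash quoted in the post
VULN=ad0b25ad74345d367c62311e14b279f5ccb8ef13     # hash quoted in the post

# Print the commit assigned to PKG_SOURCE_VERSION in a package Makefile.
pinned_commit() {
    sed -n 's/^PKG_SOURCE_VERSION[[:space:]]*:\{0,1\}=[[:space:]]*\([0-9a-fA-F]\{7,40\}\).*$/\1/p' "$1" | head -n 1
}

# check_pin TREE -> prints one of: fixed | vulnerable | unknown | missing
check_pin() {
    mk="$1/$REL"
    [ -f "$mk" ] || { echo missing; return 0; }
    pin=$(pinned_commit "$mk" | tr 'A-F' 'a-f')
    case "$pin" in
        "")       echo missing ;;     # no PKG_SOURCE_VERSION line found
        "$FIXED") echo fixed ;;
        "$VULN")  echo vulnerable ;;
        *)        echo unknown ;;     # another pin: confirm ancestry in the relayd repo
    esac
}

# Build a constructed sample tree whose relayd Makefile pins commit $2.
make_sample_tree() {
    mkdir -p "$1/${REL%/*}"
    printf 'PKG_NAME:=relayd\nPKG_SOURCE_PROTO:=git\nPKG_SOURCE_VERSION:=%s\n' "$2" > "$1/$REL"
}

# Run the check over two constructed trees, one per hash from the post.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp/lsdk-old" "$VULN"
    make_sample_tree "$tmp/lsdk-new" "$FIXED"
    for t in "$tmp"/lsdk-*; do
        echo "${t##*/}: $(check_pin "$t")"
    done
    rm -rf "$tmp"
}
demo
```

A result of `unknown` means the tree pins some other relayd commit, so the fix has to be confirmed against the relayd history rather than by hash equality.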
3 Replies

981 Views
yipingwang
NXP TechSupport

We have a new version of OpenWrt that will be released on September 25th. I have uploaded the internal version at the following link for your reference.

https://drive.google.com/file/d/1l1opSntkpVxssKFUKbXvabrEN-HB1AN0/view?usp=sharing

0 Kudos
Reply

974 Views
john_beckett
Contributor II

Hi @yipingwang ,

Thanks for replying.

I was asking as I don't understand the release schedule. For example, what is gating the 25 September release (OpenWrt release cycle / annual NXP release cycle) and how do I know that I am going to have the latest bug / security fixes available?

Would moving to a different recommended Layerscape distribution provide more timely fixes (e.g. Debian)?

John

0 Kudos
Reply

966 Views
yipingwang
NXP TechSupport

Hello John,

The NXP-released OpenWrt is ready for customers on September 25th.

I have uploaded this version of OpenWrt for you again, which includes git commit information.

https://drive.google.com/file/d/1uxTNZzrc6Fu-wjaEL5arYe_QjSRnOp-Q/view?usp=sharing

After typing the "git log" command, you will find that the security-related patches you mentioned have been applied in this version of OpenWrt.

Please refer to the attached git commit information.

Thanks,

Yiping

0 Kudos
Reply