View full version: Any upgrades/patches on the horizon?

14-07-2008, 08:55
Are there any upgrades or package patches on the horizon (as per last week's news about the DNS vulnerability)? A friend of mine had to patch their Linksys router.

14-07-2008, 22:40
Oleg's firmware, which I'm using, uses dnsmasq. As you can see here (http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q3/002147.html), the author of dnsmasq does not yet know what the vulnerability is so he can't very well fix it.

Version 2.43 is expected to contain some changes that will help with the general issues associated with the vulnerability. Whenever it becomes available, Oleg will be able to include it in a new firmware release. Would probably be a good idea too, since the current version is 2.22. On the other hand, those changes may be a bit too radical as Simon says there, so maybe Oleg shouldn't rush into anything, and he may have a good reason he has kept dnsmasq at 2.22 so far.

But if you install gcc on the router, you will probably be able to compile 2.43 and replace the firmware dnsmasq with your own in post-boot, if you so wish.

There's also a bit of hype involved. It's not THAT big an issue. Worst case scenario (world-wide attack using this vulnerability) would mean you try to go to google.com and you get a site that tries to push you a nasty bit of malware. But I use Firefox with NoScript (not to mention Linux), a combination with a very good track record in regards to security. So I couldn't care less if that happened.

And we should also remember that dnsmasq is a DNS forwarder, not a full DNS server, so basically it depends on whatever happens to upstream DNS servers (your ISP's). If those are patched and don't fall for this, there's not a big chance for poisoned entries to reach your router.

And if upstream is NOT patched, you're gonna get it anyway, because even if you kill dnsmasq, stop using DHCP and stop using the router as a DNS source, what are you gonna use instead on your PC? What DNS servers will you enter for your connection? How do you know those are safe?

I say let the hype alone and see to your business, the issue is not such a big deal and besides it's pretty much out of our hands right now. Wait and see.

17-07-2008, 16:21

There is now an updated version of dnsmasq available. As seen in the changelog (http://www.thekelleys.org.uk/dnsmasq/CHANGELOG), random source ports are now used, as well as an improved random number generator.

Oleg, would it be possible to release an updated firmware? Preferably also for the original wl500g... pretty please
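
Added example (not part of the thread and not dnsmasq code): one way to confirm from a packet capture that a forwarder's upstream queries really use varying source ports after an upgrade. The IP addresses, sample capture lines, function names and thresholds are constructed assumptions for illustration.

```python
import re
import statistics

# Constructed `tcpdump -n` style lines: a router (192.0.2.1) querying an
# upstream resolver (198.51.100.53). Not captured from a real device.
FIXED = """\
12:00:01.000001 IP 192.0.2.1.1025 > 198.51.100.53.53: 4211+ A? example.com. (29)
12:00:02.000001 IP 192.0.2.1.1025 > 198.51.100.53.53: 9377+ A? example.org. (29)
12:00:03.000001 IP 192.0.2.1.1025 > 198.51.100.53.53: 120+ A? example.net. (29)
12:00:04.000001 IP 192.0.2.1.1025 > 198.51.100.53.53: 55012+ A? example.edu. (29)
"""
RANDOM = """\
12:00:01.000001 IP 192.0.2.1.40211 > 198.51.100.53.53: 4211+ A? example.com. (29)
12:00:02.000001 IP 192.0.2.1.1893 > 198.51.100.53.53: 9377+ A? example.org. (29)
12:00:03.000001 IP 192.0.2.1.61007 > 198.51.100.53.53: 120+ A? example.net. (29)
12:00:04.000001 IP 192.0.2.1.23456 > 198.51.100.53.53: 55012+ A? example.edu. (29)
12:00:05.000001 IP 192.0.2.1.52001 > 198.51.100.53.53: 31+ A? example.com. (29)
12:00:06.000001 IP 192.0.2.1.9120 > 198.51.100.53.53: 7001+ A? example.org. (29)
"""

# Source address, source port, and any destination address on port 53.
QUERY = re.compile(r" IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \d+\.\d+\.\d+\.\d+\.53: ")

def source_ports(capture, forwarder):
    """Return the source ports of DNS queries sent by `forwarder`, in order."""
    return [int(m.group(2)) for m in QUERY.finditer(capture)
            if m.group(1) == forwarder]

def assess(ports, min_samples=4, min_stdev=3000.0):
    """Classify port behaviour. The thresholds are illustrative assumptions."""
    if len(ports) < min_samples:
        return "insufficient-data"
    if len(set(ports)) == 1:
        return "fixed"            # every query leaves from the same port
    if all(0 < b - a <= 16 for a, b in zip(ports, ports[1:])):
        return "sequential"       # small steady increments are predictable
    spread = statistics.pstdev(ports)
    return "randomized" if spread >= min_stdev else "narrow-range"

if __name__ == "__main__":
    for name, cap in (("FIXED", FIXED), ("RANDOM", RANDOM)):
        print(name, assess(source_ports(cap, "192.0.2.1")))
```

A real check needs far more than a handful of queries before the spread means anything, and a NAT device between the forwarder and the resolver can rewrite source ports, so capture on the WAN side.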

20-07-2008, 17:07
I noted that 2.43 is available via ipkg. If you install that then you can symlink /opt/etc/dnsmasq.conf to /etc/dnsmasq.conf. Unfortunately it looks like there may be an issue with it and ipv6 which I also use so I got the following error...

dnsmasq: failed to create listening socket: Protocol not available

Openwrt still has an open ticket regarding dnsmasq and ipv6 here


23-07-2008, 18:27
I would love to have a newer working dnsmasq.
Some settings are not available in the old version.