Gluon 2017.1.3

The LEDE base of Gluon has been updated to v17.01.3, including various updates, stability improvements and security fixes. This includes some critical fixes to core packages like dnsmasq (see below for details); upgrading all Gluon nodes to v2017.1.3 is highly recommended.

Bugfixes

  • dnsmasq has been upgraded to v2.78, fixing CVE-2017-13704, CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, 2017-CVE-14495 and 2017-CVE-14496

    While many of the most severe (remote code execution) vulnarabilities are in the DHCP component of dnsmasq, which is not active on a Gluon node unless in Config Mode, CVE-2017-14491 does affect us. An attacker can cause memory corruption and possibly remote code execution by deploying a malicious DNS server and tricking a node into querying this server.

  • The Linux kernel has been upgraded to v4.4.89

  • Multiple security issues have been fixed in packages that are not usually part of the Gluon build, including tcpdump, curl and mbedtls

    Please refer to the LEDE commit log for details.

  • Filtering of multicast packets between the mesh and the local-node interface has been fixed (#1230)

    This issue was causing gluon-radvd to send a router advertisement to the local clients whenever a router solicitation from the mesh was received. In busy meshes, it would continuously send router advertisements every 3 seconds.

  • Reject autoupdater mirror URLs not starting with http:// during build (9ab93992d1fc)

  • Fix MAC addresses on TP-Link TL-WR1043ND v4 when installing Gluon over newer stock firmwares (#1223)

Known issues

  • Default TX power on many Ubiquiti devices is too high, correct offsets are unknown (#94)

    Reducing the TX power in the Advanced Settings is recommended.

  • The MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled (#496)

    This may lead to issues in environments where a fixed MAC address is expected (like VMware when promicious mode is disallowed).

  • Inconsistent respondd API (#522)

    The current API is inconsistent and will be replaced eventually. The old API will still be supported for a while.

  • Sporadic segfaults of busybox (ash) when running shell scripts on ar71xx (#1157)

    The workaround added in Gluon v2017.1.1 has greatly reduced the frequency of segfaults, but did not make them disappear completely.