Sunday, December 13, 2015

Which OpenWRT version to use?

If you want relief from the never-ending stories about flaws in router firmware and vendors' incompetence at delivering fixes, OpenWRT is about the only relatively sane option. I've been using it for almost a decade, since the White Russian release.

OpenWRT has a development branch, or trunk, which may be a bit experimental, and a stable branch. A stable branch is released about once a year. Their documentation says that basically anything beyond the current stable release is unmaintained. Is it really so? Well, it's open source, so it should be easy to find out.

Attitude Adjustment, or OpenWRT 12.09, saw its last commit in September 2014, so it's dead indeed.
Barrier Breaker, or OpenWRT 14.07, on the other hand, saw an update five days ago, so it's certainly moving. But is it still fresh and safe to use? I did a quick and simple check to find out.

There were twelve security vulnerabilities (possibly more, but these were easy to filter) fixed in Chaos Calmer (OpenWRT 15.05, the current stable release) during its lifetime. I grepped for them in the Barrier Breaker sources and here's the result:



CVE             Fixed in Chaos Calmer   Fixed in Barrier Breaker
CVE-2015-3193   12/03/15                12/07/15
CVE-2015-3194   12/03/15                12/07/15
CVE-2015-3195   12/03/15                12/07/15
CVE-2015-5291   10/18/15                Still vulnerable!
CVE-2015-3143   07/12/15                Still vulnerable!
CVE-2015-3144   07/12/15                Still vulnerable!
CVE-2015-3145   07/12/15                Still vulnerable!
CVE-2015-3148   07/12/15                Still vulnerable!
CVE-2015-3153   07/12/15                Still vulnerable!
CVE-2015-3236   07/12/15                Wasn't vulnerable
CVE-2015-3237   07/12/15                Wasn't vulnerable
CVE-2015-1793   07/09/15                07/09/15

There are a bunch of security issues lurking unfixed in the code.
It looks like an older release may still get some support in the first few months after it's been replaced, but it's not really wise to delay the update.
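
The grep check described above can be scripted. This is an added example, not the commands used for the post: it assumes the commit log of each branch has been saved to a text file (for instance with git log --oneline), and the function names and the sample logs are made up for illustration.

```shell
#!/bin/sh
# Added example: which CVE ids named in the newer branch's log never show up
# in the older branch's log? Input files are saved `git log --oneline` output.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# cve_ids: unique, upper-cased CVE ids found on stdin (empty input is fine).
cve_ids() {
    { grep -oiE 'CVE-[0-9]{4}-[0-9]{4,}' || true; } | tr 'a-z' 'A-Z' | sort -u
}

# not_mentioned NEWER_LOG OLDER_LOG: ids present in NEWER_LOG only.
not_mentioned() {
    nm_tmp=$(mktemp -d) || return 1
    cve_ids < "$1" > "$nm_tmp/newer"
    cve_ids < "$2" > "$nm_tmp/older"
    comm -23 "$nm_tmp/newer" "$nm_tmp/older"
    rm -rf "$nm_tmp"
}

# make_samples DIR: write two CONSTRUCTED logs (fake hashes, generic subjects;
# only the CVE ids are taken from the table in the post).
make_samples() {
    cat > "$1/newer.log" <<'EOF'
0000001 pkg-a: security update (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195)
0000002 pkg-b: security update, fixes CVE-2015-5291
0000003 pkg-c: update, fixes CVE-2015-3236
0000004 pkg-a: fix CVE-2015-1793
EOF
    cat > "$1/older.log" <<'EOF'
0000011 pkg-a: backport fixes for CVE-2015-3193 CVE-2015-3194 CVE-2015-3195
0000012 pkg-a: fix cve-2015-1793
0000013 pkg-d: bump version
EOF
}

demo_dir=$(mktemp -d) || exit 1
make_samples "$demo_dir"
echo "Named in the newer log only (check each by hand):"
not_mentioned "$demo_dir/newer.log" "$demo_dir/older.log"
rm -rf "$demo_dir"
```

An id that appears only in the newer log is a candidate, not a verdict: the table above has both "Still vulnerable!" and "Wasn't vulnerable" rows for ids missing from Barrier Breaker, and telling them apart means looking at the package version the older branch actually ships.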