| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision |
| releases:17.01:notes-17.01.4 [2017/10/18 12:00] – highlights: Xen + wireguard zorun | releases:17.01:notes-17.01.4 [2018/02/17 16:18] – ↷ Links adapted because of a move operation |
|---|
| * Assorted platform fixes for //ar71xx//, //bcm53xx//, //ramips// and //x86// | * Assorted platform fixes for //ar71xx//, //bcm53xx//, //ramips// and //x86// |
| |
| While this release includes fixes for the [[https://www.krackattacks.com/|bugs in the WPA Protocol disclosed earlier this week]], these fixes do not fix the problem on the client-side. You still need to update **all** your client devices. As some client devices might never receive an update, an [[docs:user-guide:wifi_configuration#wpa_key_reinstallation_attack_workaround|optional AP-side workaround]] was introduced in hostapd to complicate these attacks, slowing them down. Please note that this does not fully protect you from them, especially when running older versions of wpa_supplicant vulnerable to CVE-2017-13086, which the workaround does not address. As this workaround can cause interoperability issues and reduced robustness of key negotiation, this workaround is disabled by default. | ===About the KRACK attack=== |
| | |
| | While the LEDE 17.01.4 release includes fixes for the [[https://www.krackattacks.com/|KRACK bugs in the WPA Protocol disclosed earlier this week]] in the router firmware, these fixes do not fix the problem on the client-side. |
| | **You still need to update all your client devices - computers, phones, tablets, cameras, refrigerators, thermostats, light bulbs, and any other device using Wi-Fi.** |
| | Since some client devices might never receive an update, //hostapd// contains an [[docs:user-guide:wifi:start#wpa_key_reinstallation_attack_workaround|optional AP-side workaround]] to complicate these attacks, slowing them down. Please note that this does not fully protect you from them, especially when running older versions of //wpa_supplicant// vulnerable to CVE-2017-13086, which the workaround does not address. As this workaround can cause interoperability issues and reduced robustness of key negotiation, this workaround is disabled by default. |
| |
| Due to the version bump of toolchain/gdb to 8.0.1, at least GCC 4.8 is now required to build LEDE. | Due to the version bump of toolchain/gdb to 8.0.1, at least GCC 4.8 is now required to build LEDE. |