OpenWrt 18.06.9 - Final Service Release - 9 December 2020

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 18.06.9, r8077-7cbbab7246
 -----------------------------------------------------

The OpenWrt Project is a Linux operating system targeting embedded devices. It is a complete replacement for the vendor-supplied firmware of a wide range of wireless routers and non-network devices. See the Table of Hardware for supported devices. For more information about OpenWrt project organization, see the About OpenWrt pages.

Get OpenWrt Firmware at: https://downloads.openwrt.org/releases/

This release is the final one for OpenWrt 18.06. You should consider upgrading to a newer version (OpenWrt 19.07 or later)

We have a new mailing list for release announcements and other important changes: consider subscribing!

See important_changes_and_announcements for details.

The OpenWrt Community is proud to announce the ninth service release of the stable OpenWrt 18.06 series. OpenWrt 18.06.9 brings security fixes, as well as the usual device support fixes and core components update.

The main highlights of this service release are:

• Security Advisory 2020-12-09-2 - libuci import heap use after free (CVE-2020-28951)
• Security Advisory 2020-12-09-1 - Linux kernel - ICMP rate limiting can be used to facilitate DNS poisoning attack (CVE-2020-25705)
• Security Advisory 2020-05-06-2 - relayd out-of-bounds reads of heap data and possible buffer overflow (CVE-2020-11752)
• Security Advisory 2020-05-06-1 - umdns out-of-bounds reads of heap data and possible buffer overflow (CVE-2020-11750)
• libjson-c: fix out of bounds write vulnerability (CVE-2020-12762)
• mac80211: backport some fixes for the Kr00k vulnerability in WPA. It is not clear which wireless driver/firmware combinations could be vulnerable in OpenWrt. These backported patches harden mac80211 just in case.
• Other security fixes

Note: security fixes for most packages can also be applied by upgrading only the affected packages on running devices, without the need for a full firmware upgrade. This can be done with opkg update; opkg upgrade the_package_name or through the LuCI web interface.

Nevertheless, we encourage all users to upgrade their devices to OpenWrt 18.06.9 or a newer major release whenever possible.

• libubox: Fix regression that could cause procd to fail to start or restart some services. This is especially visible as it broke LuCI when upgrading from older 18.06.X releases (FS#3177)
• musl: fix locking synchronization bug
• kernel: backport out-of-memory fix for non-Ethernet devices
• firewall: fix TCP MSS clamping that was only applied on one direction (FS#3231)

• brcm63xx: fix BCM6348/BCM6358 hangs while booting (FS#2202)
• ipq40xx: fix essedma MAC hang by disabling TCP segmentation offload for IPv6
• ramips: fix USB detection on all rt305x devices
• mikrotik: add support for the new ath9k caldata encoding (LZO) found in newer hardware revisions
• Various fixes for ZyXEL Keenetic, ZyXEL NBG6616, TP-Link Archer C60 v1/v2, GL.iNet GL-AR750S, Embedded Wireless Dorin, Pirelli A226M-FWB, Arduino Yun

• Linux kernel updated from 4.9.214 to 4.9.243 and from 4.14.171 to 4.14.206
• mbedtls updated from 2.16.4 to 2.16.8
• wireguard updated from 0.0.20190601 to 1.0.20200611

For more details, please see the detailed Changelog.

Note that updates to the package feeds are available immediately to all minor releases of OpenWrt: there is no need to upgrade to a new OpenWrt image to install newer versions of a package. This applies to core OpenWrt packages as well as community-maintained packages.

As always, a big thank you goes to all our active package maintainers, testers, documenters, and supporters.

Have fun!

The OpenWrt Community