OpenWrt 23.05.3 - Service Release - 25. March 2024

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.3, r23809-234f1a2efa
 -----------------------------------------------------

The OpenWrt community is proud to announce the newest stable release of the OpenWrt 23.05 stable series.

Download firmware images via the Firmware Selector or directly from our download servers:

• Download firmware image for your device (firmware selector)
• Download firmware images directly from OpenWrt download servers

An upgrade from OpenWrt 22.03 to OpenWrt 23.05 is supported in many cases with the help of the sysupgrade utility which will also attempt to preserve the configuration. A configuration backup is advised nonetheless when upgrading to OpenWrt 23.05. (see “Upgrading” below).

The OpenWrt Project is a Linux operating system targeting embedded devices. It is a complete replacement for the vendor-supplied firmware of a wide range of wireless routers and non-network devices. See the Table of Hardware for supported devices. For more information about OpenWrt project organization, see the About OpenWrt pages.

Do you want to be informed about important changes such as new releases and security fixes?

We have a new mailing list for this, as well as RSS options: see Important changes and announcements.

Only the main changes are listed below. See changelog-23.05.3 for the full changelog.

• CVE-2023-36328: dropbear: Integer Overflow vulnerability in mp_grow in libtommath
• CVE-2023-48795: dropbear: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted
• CVE-2023-50868: dnsmasq: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack

• Support for the following devices was added:
  • ath79: UniFi UK-Ultra
  • mediatek: Acelink EW-7886CAX
  • mediatek: ASUS RT-AX59U
  • mediatek: ASUS TUF AX6000
  • mediatek: Buffalo WSR-3200AX4S
  • mediatek: Cetron CT3003
  • mediatek: Confiabits MT7981
  • mediatek: Cudy RE3000 v1
  • mediatek: D-Link EAGLE PRO AI M32
  • mediatek: GL.iNet GL-MT6000
  • mediatek: JCG Q30 PRO
  • mediatek: Routerich AX3000
  • mediatek: TP-Link EAP225v5
  • mediatek: Ubiquiti UniFi 6 Plus
  • mediatek: Zbtlink ZBT-Z8102AX
  • mediatek: ZyXEL EX5700 (Telenor)
  • ramips: Cudy WR1300 v3
  • ramips: D-Link COVR-X1860 A1
  • ramips: Rostelecom RT-FE-1A
  • ramips: Rostelecom RT-FL-1 (Serсomm RT-FL-1)
  • ramips: Rostelecom S1010 (Serсomm S1010.RT)
  • ramips: TP-Link EX220 v1
  • ramips: YunCore G720
  • ramips: Z-ROUTER ZR-2660
• ath79: Nanostation Loco M5 XW: Fix read only jffs2 partition
• ath79: TP-Link TL-WDR3600 and TL-WDR4300: Fix spurious reboot hangs
• ath79: ubnt-bullet-m-xw: fix Ethernet PHY traffic
• ipq807x: edgecore EAP102: fix lan/wan
• kirkwood: Ctera C200 V1: fix ubi part name
• lantiq: xway: disable SMP: fix boot on some Danube boards and NAT performance
• mediatek: MT7981/MT7986: fix Ethernet rx hang issue
• meidatek: Mercusys MR90X v1: fix eeprom loading
• mpc85xx: Extreme Networks WS-AP3825i: increase available RAM
• mvebu: IEI-World Puzzle M90x: fix RTC
• ramips: improve mtk_eth_soc resets
• ramips: rt305x: Use default uart in lzma-loader
• ramips: Sercomm NA502: Fix bootup problem
• ramips: Unielec u7621-01: Correct the PCIe port number
• realtek: d-link dgs-1210-10p: improve sfp support
• realtek: Netgear GS110TPP: fix OEM install
• rockchip: Orange Pi R1 Plus LTS: improve Ethernet stability

• mt76: Add mt7922 firmware
• mwlwifi: Add support for WPA3
• dropbear: Increase scp transfer speed
• kernel: fix bridge proxyarp issue with some broken DHCP clients
• mac80211: fix min_tx_power setting
• kernel: add Aquantia PHY firmware loader patches
• hostapd: fix FILS AKM selection with EAP-192
• hostapd: fix 11r defaults when using SAE
• hostapd: fix 11r defaults when using WPA
• hostapd: ACS: Fix typo in bw_40 frequency array on channel 118

• Update Linux from 5.15.137 to 5.15.150
• Update mwlwifi from 2023-04-29 to 2023-11-20
• Update mt76 from 2023-08-14 to 2023-09-11
• Update netifd from 2023-11-10 to 2024-01-04
• Update jsonfilter from 2018-02-04 to 2024-01-23
• Update bcm27xx-gpu-fw from 2022-05-16 to 2024-01-11
• Update mbedtls from 2.28.5 to 2.28.7
• Update openssl from 3.0.12 to 3.0.13
• Update wireless-regdb from 2023.09.01 to 2024.01.23
• Update intel-microcode from 20230808 to 20240312
• Update dnsmasq from 2.89 to 2.90

Sysupgrade can be used to upgrade a device from 22.03 to 23.05, and configuration will be preserved in most cases.

Sysupgrade from 21.02 to 23.05 is not officially supported.

• ipq40xx EA6350v3, EA8300 and MR8300 require tweak to the U-Boot environment on update from 22.03 to 23.05. Refer to the Device wiki or the instruction on sysupgrade on how to do this change. Config needs to be reset on sysupgrade.

• lantiq/xrx200 target shows error messages in DSA switch configuration of the integrated GSWIP switch. (see: https://github.com/openwrt/openwrt/pull/13200)
• OpenWrt 23.05.3 was signed with the wrong signing keys. The keys from OpenWrt snapshot were used for OpenWrt 23.05.3, OpenWrt 23.05.2, OpenWrt 23.05.0 and the release candidates. A later OpenWrt 23.05 service release will use a different key.

As always, a big thank you goes to all our active package maintainers, testers, documenters, and supporters.

Have fun!

The OpenWrt Community