CVE Identifiers: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

Is there a patch coming? These three are pretty nasty.

The kernel source was patched only yesterday, e.g. this branch: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.127

As far as I can tell it has not yet arrived at OpenWRT or TOS.

Until the kernels are patched, and for immediate protection, sysctl -w net.ipv4.tcp_sack=0 seems to suffice, at least judging by my own experience.
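As an added example (not code from the thread or from the Turris project), a small POSIX shell check that classifies a host against these three issues: "patched" if the kernel is 4.14.127 or later (the changelog linked above), "mitigated" if tcp_sack is already 0, "at-risk" otherwise. It assumes only the 4.14 series is known; other series fall back to the sysctl check.

```sh
#!/bin/sh
# Added example, not from the thread. Assumption: the fix landed in 4.14.127
# for the 4.14 series (the ChangeLog linked above); other series are not
# version-checked here and rely on the tcp_sack sysctl value alone.

# version_ge A B: true (0) when dotted version A >= B, compared field by field.
version_ge() {
  i=1
  while :; do
    x=$(printf '%s' "$1" | cut -d. -f"$i")
    y=$(printf '%s' "$2" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && return 0   # all fields equal
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
}

# sack_status RELEASE TCP_SACK: prints the classification and returns 0
# unless the host is still at risk.
sack_status() {
  rel=${1%%[-+]*}            # drop a local suffix such as "-turris"
  case "$rel" in
    4.14.*) version_ge "$rel" 4.14.127 && { echo patched; return 0; } ;;
  esac
  if [ "$2" = 0 ]; then
    echo mitigated           # the sysctl workaround is active
    return 0
  fi
  echo at-risk               # unpatched 4.14, or unknown series with SACK on
  return 1
}

# Live check when run on a Linux host; skipped where /proc is unavailable.
if [ -r /proc/sys/net/ipv4/tcp_sack ]; then
  sack_status "$(uname -r)" "$(cat /proc/sys/net/ipv4/tcp_sack)" || :
fi
# sysctl -w does not survive a reboot: to keep the workaround, add
# "net.ipv4.tcp_sack=0" to /etc/sysctl.conf, which OpenWrt-based systems
# load at boot.
```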

Right, but why do TO people have to wait while the patches are already available? Every cloud provider out there patched their images already. If TO is being positioned as a secure router, then waiting to patch goes against that claim.

They are probably working on it; even OpenWRT only just now pushed the patched kernel. The router’s security is not at stake and the reboots (if any) are more of an annoyance (and that can be easily prevented with the workaround).

2 Likes

If we are talking about the recently found security issues in the kernel (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479), we are working on it upstream (OpenWrt) as well. OpenWrt pushed commits with the kernel update today for OpenWrt 18.06 (Turris OS 4.x), OpenWrt 19.07 (Turris OS 5.x) and also to their master. They even want to announce a new version soon, but in the past that didn’t happen, so we will see.

Since Turris OS 4.0 we are based on top of OpenWrt with our patches and feeds. We are contributing to OpenWrt as well. It takes time: we compile all branches for our routers, and before we push it to our users, we want to test it. You can already find the updated kernel in the HBK and HBD branches.

In the afternoon, we updated the kernel for the Turris OS 3.11.5 release, and it is mentioned in the changelog:

We also mention it in the upcoming beta 3 release of Turris OS 4.0.

We will soon release both versions of Turris OS for our customers and users to make their routers safe again.

3 Likes