OpenWrt vulnerability in opkg [CVE-2020–7982]

Been fixed already https://openwrt.org/advisory/2020-01-31-1

1 Like

But not every device have Turris OS 3.11.14 or newer. Are there any statistics?

I don’t see how this is relevant when it was fixed in Turris OS almost 2 months ago.

1 Like

Basic information about the vulnerability and its public detailed description with remote exploit example is the difference.

For example:

What would like to tell us with the thread? What should be done there, when the router was not connected for a long time? The router is and will be able to update itself to the latest version automatically, if approvals are not used.

It has happened repeatedly in recent years that routers with different configuration and location did not automatically update. It is my long-term experience. If there is an exploit, it is obvious to ask if you have an overview of the updates.

sorry, but this is getting boring viktor. It is a simple waste of bandwith. Untill now, almost all known security patches are being implemented, and very quick. Being critical just to be critical is something else, this looks like trolling. Please keep the forum clean and relevant?

txs, DIKKE

5 Likes

This post is not critic and information about available exploit is not trolling. Anybody who has not updated their router should do so. Anybody who does not know if have router updated should check it. Finally, I ask if there are statistics about used TOS versions.

This is non info. if you search the CVE, first hit is the TOS version that has the patch. If you do not update, fine, your problem. These developers are not the update police. If you do not update, fine, have it your way.
Please stop this useless filling of the forum here.

This topic can be closed.

2 Likes

If you don’t find this information useful, you don’t need to respond to it.

On our blog, we have published an article about this security vulnerability in opkg.

https://en.blog.nic.cz/2020/03/27/critical-opkg-cve-and-turris/

6 Likes

Thank you @pepe. I appreciate it.

Just wanted to mention, that I was glad about the post. I read about the vulnerability on a technical news paper and asked myself if my Mox T is vulnerable.
Apart from the fact that I would not know where to look for the info, I forgot the issue and never checked if my router was save.
5 days later I get the digest of the forum, with this post - voila, no search, 1 minute read, and I feel save again.

my feedback - even if sometimes a post seems trivial (or an implicite offence) to one audience, it is valuable info for another audience.

thx for the info, and thx for the fast security fix

Another way was to enter “CVE-2020-7982” into the forum search box, which would directly show you the (pre-)release announcements from a few weeks ago :man_shrugging: (Certainly not all CVEs have their own topics here, and that’s a good thing.)

2 Likes

Because everything what I wrote is bad.