OpenWRT has a development branch (trunk), which may be a bit experimental, and a stable branch. A stable branch is released about once a year. Their documentation says that basically anything beyond the current stable release is unmaintained. Is it really so? Well, it's open source, so it should be easy to find out.
Attitude Adjustment, or OpenWRT 12.09, saw its last commit in September 2014, so it's dead indeed.
Barrier Breaker, or OpenWRT 14.07, on the other hand, saw an update five days ago, so it's certainly moving. But is it still fresh and safe to use? I did a quick and simple check to find out.
There were twelve security vulnerabilities (possibly more, but these were easy to filter) fixed in Chaos Calmer (OpenWRT 15.05, the current stable release) during its lifetime. I grepped for them in the Barrier Breaker sources and here's the result:
| CVE | Fixed in Chaos Calmer | Fixed in Barrier Breaker |
|---|---|---|
| CVE-2015-3193 | 12/03/15 | 12/07/15 |
| CVE-2015-3194 | 12/03/15 | 12/07/15 |
| CVE-2015-3195 | 12/03/15 | 12/07/15 |
| CVE-2015-5291 | 10/18/15 | Still vulnerable! |
| CVE-2015-3143 | 07/12/15 | Still vulnerable! |
| CVE-2015-3144 | 07/12/15 | Still vulnerable! |
| CVE-2015-3145 | 07/12/15 | Still vulnerable! |
| CVE-2015-3148 | 07/12/15 | Still vulnerable! |
| CVE-2015-3153 | 07/12/15 | Still vulnerable! |
| CVE-2015-3236 | 07/12/15 | Wasn't vulnerable |
| CVE-2015-3237 | 07/12/15 | Wasn't vulnerable |
| CVE-2015-1793 | 07/09/15 | 07/09/15 |
A bunch of security issues are still lurking in the code, unfixed.
It looks like an older release may still get some support in the first few months after it's been replaced, but it's not really wise to delay the update.
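The comparison above can be scripted. The following is an added example, not the script used for this post: it assumes each branch's history has been exported with `git log --date=short --format='%ad %s'`, and the commit subjects in the sample input are constructed. It also separates "never mentioned in the older branch" from "vulnerable", since a grep alone cannot tell the "Still vulnerable!" rows from the "Wasn't vulnerable" ones.

```python
import re
from datetime import date

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample input in the shape of
#   git log --date=short --format='%ad %s' <branch>
# Subjects are made up; dates and CVE ids are taken from the table above.
NEWER_LOG = """\
2015-12-03 security update: CVE-2015-3193, CVE-2015-3194, CVE-2015-3195
2015-10-18 security update: CVE-2015-5291
2015-07-12 security update: CVE-2015-3236 CVE-2015-3237
2015-07-09 security update: CVE-2015-1793
"""
OLDER_LOG = """\
2015-12-07 backport: CVE-2015-3193, CVE-2015-3194, CVE-2015-3195
2015-07-09 backport: CVE-2015-1793
"""

def first_mention(log_text):
    """Map each CVE id to the earliest commit date that mentions it."""
    seen = {}
    for line in log_text.splitlines():
        day, _, subject = line.partition(" ")
        for cve in CVE_RE.findall(subject):
            if cve not in seen or day < seen[cve]:
                seen[cve] = day
    return seen

def compare(newer_log, older_log):
    """CVE id -> (date in newer branch, date in older branch or None)."""
    newer, older = first_mention(newer_log), first_mention(older_log)
    return {cve: (newer[cve], older.get(cve)) for cve in sorted(newer)}

def lag_days(report):
    """Days the older branch trailed the newer one, for CVEs found in both."""
    return {cve: (date.fromisoformat(old) - date.fromisoformat(new)).days
            for cve, (new, old) in report.items() if old}

def needs_triage(report):
    """CVEs never mentioned in the older branch. A missing mention is not a
    verdict: the shipped version may predate the bug, so check by hand."""
    return [cve for cve, (_, old) in report.items() if old is None]

if __name__ == "__main__":
    report = compare(NEWER_LOG, OLDER_LOG)
    for cve, (new, old) in report.items():
        print(f"{cve} | {new} | {old or 'no mention, check manually'}")
```
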