Re: Asus RT-AC68U
Posted: Thu Mar 29, 2018 8:57 am
by RCHK
384.4_2 (24-Mar-2018)
- CHANGED: Added visual warning when manually enabling webui
access on WAN. Doing so carries serious potential
security risks, as Asuswrt's web server code should
not be considered hardened enough for this.
- FIXED: Security issue in httpd (CVE-2018-8879).
- FIXED: Potential security issue in httpd related to QiS.
- FIXED: Minor webui issue in the QoS overhead menu.
Re: Asus RT-AC68U
Posted: Sun Apr 01, 2018 6:41 pm
by RCHK
380.70 Beta1
The RT-N66U and RT-AC66U support will be dropped, and all other models have been migrated to the new gen branch, as of release 384.4.
- NOTE: This will be the final 380.xx release for
all models. The RT-N66U and RT-AC66U
support will be dropped, and all other
models have been migrated to the new gen
branch, as of release 384.4.
People who wish to keep getting updates for
these two older models should look at the
john9527 fork: https://bit.ly/2EV5Oat
- CHANGED: Tightened security around some config files.
- CHANGED: Samba protocol support can now be set to
SMBv1, SMBv2, or SMBv1 + SMBv2 (the new default).
This will result in a performance drop on all
models, but will be more secure.
Ideally, people should change it to SMBv2 only,
and then reboot all their client devices to start
using only the new protocol.
If performance is more important than security to
you, then you can switch it back to SMBv1, which is
the old default behaviour.
- CHANGED: Switched to the new Entware repo for armv7 models.
To upgrade, run the following commands TWICE:
opkg update; opkg upgrade
- FIXED: Apply button not working on the OpenVPN
Client page.
- FIXED: Potential racing condition that could lead to two
instances of miniupnpd running at boot time.
- FIXED: Broken FAQ links (backport from 380_8120)
- FIXED: Security issue in httpd (CVE-2018-8879).
- FIXED: Security issues in httpd (backports from 380_8228)
Re: Asus RT-AC68U
Posted: Mon May 14, 2018 8:18 am
by RCHK
384.5 (13-May-2018)
- NEW: Merged with GPL 384_20648
- NEW: Merged RT-AC68U, RT-AC5300 binary blobs from 384_20648
- NEW: Merged RT-AC86U SDK and binary blobs from 384_20648
- NEW: service-event script, executed before any service
call is made. First argument is the event (typically
stop, start or restart), second argument is the target
(wireless, httpd, etc...).
Note that this script will block the execution of
the event until it returns.
- NEW: Added USB HID modules (for use with devices such
as UPS)
- NEW: Added ip6tables-save command.
- CHANGED: Updated OpenVPN to 2.4.6.
- CHANGED: Updated Dropbear to 2018.76.
- CHANGED: Updated Openssl to 1.0.2o.
- CHANGED: Updated miniupnpd to version 2.1 (20180508).
- CHANGED: Updated nano to 2.9.5.
- CHANGED: Moved RT-AC86U to the same Busybox version (1.25.1)
as other models.
- CHANGED: Revised OpenVPN server options:
o Removed "TLS Reneg time" (rarely used, can manually
be set as a custom option)
o Removed "Server Poll" (which didn't work
properly), and reimplemented watchdog service,
hardcoded to 2 mins frequency.
o Removed "Push LAN" and "Redirect Gateway",
replaced with new Client Access setting
o Removed Firewall setting (firewall rules are now
always created, and the broken External mode
was fixed and integrated into the new Client
Access setting). You can now use the postconf
script to override it.
o Removed option to respond to DNS queries - enabling
the option to Push DNS will also handle it
o Added new Client Access setting to select between
three types of access: LAN only, WAN only (will
block access to the LAN, including the router
itself) and LAN + WAN.
o Keys and certificates can now be up to 7999
characters long.
- CHANGED: Revised OpenVPN client options:
o Reorganized settings into groups
o Removed "Poll Interval" (which didn't work
properly), and reimplemented watchdog service,
with a hardcoded frequency of 2 mins.
o Removed Firewall setting (firewall rules are now
always created). You can now use the postconf
script to override it.
o Modified behaviour of Connection Retry. Instead
of taking a value in seconds that only affected
resolution failure, it now takes a number of
attempts, and affects connection failures.
Resolution failures will now retry for an infinite
period of time (the default OpenVPN value).
o Added "refresh" link which can be clicked to
re-query the public IP endpoint of the tunnel
o Keys and certificates can now be up to 7999
characters long.
- CHANGED: Removed option to resolve names on the
Log -> Connections page.
That functionality was added to the
Network Tools -> Netstat page instead.
- CHANGED: Re-designed Log -> Connections page into a table
with sortable fields - click on a column header to
sort on that field.
- CHANGED: From now on, setting the router to act as a master
browser or a WINS server will also require you to
enable sharing. This will ensure that users understand
that enabling either of these settings requires disk
sharing to also be enabled (which it was already
silently doing before).
- CHANGED: Moved "Beta firmware" option to the Tools -> Other
Settings page
- CHANGED: Improved layout of the Firmware Update page
- CHANGED: WPAD behaviour (sending a carriage return on
DHCP option 252) can now be controlled in the
Tweaks section.
- CHANGED: Blocking custom scripts such as service-event
and pre-mount will now wait a maximum of 120
seconds before resuming normal operations, to
prevent accidental lockouts.
- CHANGED: Autofill start/end time for DST when selecting
a timezone (LostFreq)
- FIXED: Some dnsmasq issues related to DNSSEC were fixed,
including CVE-2017-15107. (backported from
dnsmasq 2.79 by John Bacho)
- FIXED: Restoring an OpenVPN instance to default values
would fail to disable its Start with WAN setting.
- FIXED: Hardware authentication failure for the RT-AC3100
and RT-AC5300.
- FIXED: Minidlna web status page could no longer be enabled.
- FIXED: CVE-2017-9022, CVE-2017-9023 and CVE-2017-11185 in
Strongswan (odkrys)
- FIXED: Various issues with download traffic in Traditional
QoS (Cédric Dufour)
- FIXED: TCP timeout values couldn't be changed on the
Tools -> Other Settings page.
- FIXED: Security issue related to webui logging in (Asus bug)
Re: Asus RT-AC68U
Posted: Mon Jul 23, 2018 8:58 am
by RCHK
384.6 (xx-xxx-xxxx)
- NOTE: The RT-AC87U is not supported in this release, as
Asus hasn't released any updated code for that model.
- NEW: Merged with GPL 384_21045/382_50624.
- NEW: Added support for the "-p" option to netstat.
- NEW: Added setting to enable DNS rebind protection, on the
DHCP page. This works by rejecting upstream server
responses that would point at a private IP.
- CHANGED: Updated nano to 2.9.8
- CHANGED: Updated curl to 7.60.0 (contains security fixes)
- CHANGED: Allow selecting text (for copy/paste operations)
on AiProtection pages.
- CHANGED: Added AES-*-GCM ciphers to the OpenVPN legacy
ciphers (so they can be explicitly used without
using NCP).
- CHANGED: Updated dnsmasq to 2.80test2-17-g51e4eee (themiron)
- CHANGED: Since dnsmasq 2.80, dnsmasq now ensures that unsigned
DNS replies received with DNSSEC enabled are legitimate.
If your upstream DNS doesn't support DNSSEC, this means
all replies from signed zones will be considered
invalid. Make sure you only enable DNSSEC if your
upstream DNS servers do support it. This behaviour is
a bit slower, but far more secure than the old default.
- CHANGED: Network Tools -> Netstat output also report program/PID
- CHANGED: Updated CA bundle to June 20th version.
- FIXED: IPv6-related issues on non-HND platform (themiron)
- FIXED: Couldn't log on WTFast if accessing the router
webui over https.
- FIXED: USB modem support code failing to properly pass
parameters to the kernel module (themiron)
- REMOVED: WTFast support for RT-AC88U/RT-AC3100/RT-AC5300,
as it's incompatible with recent versions of
curl (and has been broken for quite some time).
Not gonna revert back to a 7 years old curl
version just for wtfast.
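The DNS rebind protection described in the 384.6 notes above (rejecting upstream replies that would point at a private IP), as an added example that is not part of the original post and is not dnsmasq's or the firmware's code. The function names, the `local_domains` allow-list, and the use of Python's `ipaddress` classification as the definition of "private" are assumptions; the sample replies are constructed.

```python
import ipaddress


def is_rebind_target(addr: str) -> bool:
    """True if an address from an upstream reply points inside the local network."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as the IPv4
    # address it really is, regardless of Python version.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def filter_upstream_reply(qname, answers, local_domains=()):
    """Decide whether a reply from an upstream resolver may reach LAN clients.

    answers: list of (rtype, rdata) tuples taken from the upstream reply.
    local_domains: hypothetical allow-list for zones that legitimately
    resolve to private addresses (for example a split-horizon VPN zone).
    Returns (accepted, reason).
    """
    name = qname.rstrip(".").lower()
    if any(name == d or name.endswith("." + d) for d in local_domains):
        return True, "allow-listed domain"
    for rtype, rdata in answers:
        if rtype in ("A", "AAAA") and is_rebind_target(rdata):
            # Reject the whole reply: a single private record is all a
            # rebinding page needs to reach a LAN host from the browser.
            return False, f"possible DNS rebind: {qname} -> {rdata}"
    return True, "ok"


# Constructed sample replies (not captured traffic).
SAMPLES = [
    ("www.example.com", [("A", "8.8.8.8")]),
    ("rebind.example.net", [("A", "1.1.1.1"), ("A", "192.168.1.1")]),
    ("mapped.example.net", [("AAAA", "::ffff:10.0.0.5")]),
    ("ula.example.net", [("AAAA", "fd00::1")]),
]

if __name__ == "__main__":
    for qname, answers in SAMPLES:
        print(qname, filter_upstream_reply(qname, answers))
```

A filter of this kind also rejects legitimate public names that intentionally resolve to private addresses, which is why the example carries an allow-list.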
Re: Asus RT-AC68U
Posted: Wed Sep 26, 2018 12:03 pm
by RCHK
384.7 (xx-xxx-xxxx)
- NOTE: The RT-AC3200 and RT-AC56U are not supported by this
release, Asus hasn't released any updated code for these
models.
- NEW: Merged with GPL 384_21152.
- NEW: Merged RT-AC87U binary blobs + SDK from 382_50702.
- NEW: Replaced old ez-ipupdate DDNS client with inadyn.
A plugin was developed to fully support Asus's DDNS
service.
Custom services can now be configured through ddns-start,
inadyn.conf, inadyn.conf.add or inadyn.postconf. See the
inadyn documentation as many custom services can be defined
for it.
- NEW: Added support for freedns.afraid.org DDNS service to webui.
- NEW: Added option to retrieve WAN IP from either the local
interface (like before) or through a remote server
(which works through double NAT) for DDNS.
- NEW: Display DFS channel info on Wireless Log page.
- NEW: Added option to disable checks on unsigned DNSSEC replies.
Disabling these will speed up lookups, but it will also
remove part of the security benefits of DNSSEC, so it
should not be used unless you have a very specific reason
to do so.
- CHANGED: Updated curl to 7.61.1.
- CHANGED: Updated wget to 1.19.5.
- CHANGED: Updated openssl to 1.0.2p.
- CHANGED: Updated dnsmasq to v2.80test4 (themiron).
- CHANGED: Updated nano to 3.1
- CHANGED: All DDNS services now use HTTPS.
- CHANGED: Replaced Google Domains DDNS script with inadyn's own
plugin.
- CHANGED: Moved DNSFilter to the LAN section, to make it clear
that it's unrelated to Trend Micro's engine.
- CHANGED: Report hostname and IP on Wireless Log page if the
info is missing from dnsmasq but available from
networkmap.
- FIXED: Invalid dnsmasq config when setting DNSFilter to Router
mode and having IPv6 enabled (themiron).
- FIXED: dnsmasq crashing on RT-AC86U with IPv6 Stateful mode
(themiron).
- FIXED: client table would be shown twice on the VPN Status
page if the only connections to an OVPN server
were invalid clients (like a port scanner)
- FIXED: DDNS forced updates after "x" days wouldn't be
fired.
- REMOVED: Ez-ipupdate DDNS client (replaced with inadyn).
Update your scripts if you were relying on it.
Re: Asus RT-AC68U
Posted: Mon Oct 08, 2018 9:04 am
by RCHK
384.7 (7-Oct-2018)
- NOTE: The RT-AC3200 and RT-AC56U are not supported by this
release, Asus hasn't released any updated code yet for
these models.
- NOTE: Important changes to DDNS, please read below.
- NOTE: Important changes to DNSFilter, please read below.
- NEW: Merged with GPL 384_21152.
- NEW: Merged RT-AC87U binary blobs + SDK from 382_50702.
- NEW: Replaced old ez-ipupdate DDNS client with In-a-Dyn.
A plugin was developed to fully support Asus's DDNS
service.
Custom services can now be configured through ddns-start,
inadyn.conf, inadyn.conf.add or inadyn.postconf. See the
In-a-Dyn documentation as many custom services can be
defined for it.
- NEW: Added support for freedns.afraid.org DDNS service to webui.
- NEW: Added option to retrieve WAN IP from either the local
interface (like before) or through a remote server
(which works through double NAT) for DDNS.
- NEW: Display DFS channel info on Wireless Log page.
- NEW: Added option to disable checks on unsigned DNSSEC replies.
Disabling these will speed up lookups, but it will also
remove part of the security benefits of DNSSEC, so it
should not be used unless you have a very specific reason
to do so.
- NEW: Added Quad9 to DNSFilter supported services.
- CHANGED: Updated curl to 7.61.1.
- CHANGED: Updated wget to 1.19.5.
- CHANGED: Updated openssl to 1.0.2p.
- CHANGED: Updated dnsmasq to v2.80test8 (themiron).
- CHANGED: Updated nano to 3.1.
- CHANGED: All DDNS services now use HTTPS.
- CHANGED: Replaced Google Domains DDNS script with In-a-Dyn's own
plugin.
- CHANGED: Moved DNSFilter to the LAN section, to make it clear
that it's unrelated to Trend Micro's engine.
- CHANGED: Report hostname and IP on Wireless Log page if the
info is missing from dnsmasq but available from
networkmap.
- FIXED: Invalid dnsmasq config when setting DNSFilter to Router
mode and having IPv6 enabled (themiron).
- FIXED: dnsmasq crashing on RT-AC86U with IPv6 Stateful mode
(themiron).
- FIXED: client table would be shown twice on the VPN Status
page if the only connections to an OVPN server
were invalid clients (like a port scanner)
- FIXED: DDNS forced updates after "x" days wouldn't be
initiated.
- FIXED: CERT VU#598349 vulnerability (DHCP client could
claim the special "wpad" hostname)
- REMOVED: Ez-ipupdate DDNS client (replaced with In-a-Dyn).
Update your scripts if you were relying on it.
- REMOVED: Norton Safe DNSFilter services (being discontinued
by Symantec in November). Configured clients will
be automatically migrated to OpenDNS Family - make
sure to edit your DNSFilter settings if you desire
to use a different service.
Re: Asus RT-AC68U
Posted: Mon Oct 22, 2018 1:32 pm
by RCHK
384.7_2 (21-Oct-2018)
- FIXED: Namecheap DDNS service not working
- FIXED: CVE-2018-15599 security issue in Dropbear
- FIXED: Potential buffer overrun in httpd
Re: Asus RT-AC68U
Posted: Fri Oct 26, 2018 7:56 pm
by Gundam
Still using 56U....
Re: Asus RT-AC68U
Posted: Wed Nov 21, 2018 8:49 am
by RCHK
384.8 (xx-xxx-xxxx)
- NOTE: Asus has put the RT-AC56U on their End of Life
list, meaning no further firmware releases from
them. Since it's impossible for me to support
models without matching GPL releases from Asus,
I also have to retire the RT-AC56U. 384.6 is
the final release for that model.
- NOTE: The RT-AC3200 and RT-AC87U are not supported by this
release, Asus hasn't released any updated code yet for
these models.
- NEW: Added RT-AX88U support (based on GPL 384_4730).
- NEW: Merged with GPL + binary blobs from 384_32799 (all
supported models except RT-AX88U)
- NEW: Add LZ4 V2 option to OpenVPN compression
(more effective at handling already compressed
data)
- NEW: Added "extend" support to SNMP.
- NEW: Added CleanBrowsing to DNSFilter supported services.
- NEW: Webui HTTP LAN port can now be changed from the default 80.
- CHANGED: Updated dnsmasq to 2.80-7-g24b8760 (themiron)
- CHANGED: Removed watchdog from OpenVPN clients, to avoid
conflicting with more advanced configurations.
- CHANGED: Vsftpd TLS mode will now reuse the web server
certificate (including any Let's Encrypt generated
one).
- CHANGED: SSL crypto/cipher hardening for httpd (themiron)
- CHANGED: Syslog will now ignore bwdpi debug output (themiron)
- CHANGED: Reworked Wireless Log page, adding a new button to
view low-level details (what stock firmware shows
on its Wireless Log page), and removed redundant
option to display DFS channel details.
- CHANGED: Updated nettle to 3.4
- CHANGED: Updated net-snmp to 5.8
- CHANGED: Migrated /jffs/ssl/* content to /jffs/.cert (to
share the same folder used by Asus stock)
- CHANGED: Re-enabled WTFast on non-HND models (curl-related
crash has been fixed). This is still untested.
- CHANGED: Updated CA bundle to October 17th 2018 version.
- FIXED: UPNP port forwarding not working in CGNAT/double NAT
scenario even if proper ports were forwarded upstream.
- FIXED: Pages based on table.js (like the port trigger one)
would fail to work properly under Firefox
(Michael Ziminsky)
- FIXED: Dnsmasq issues when running in non-router mode
(John Bacho)
- FIXED: Routing issues when in non-router mode (John Bacho)
- FIXED: Bug in curl that could cause some applications to
crash on non-HND models
- FIXED: IFTTT failing to start on non-HND models (caused by
curl issue).
- FIXED: Webui could complain about port 8080 being reserved for
http WAN port (which is no longer supported)
- FIXED: Cannot change image for device with a vendor name
containing an apostrophe (like Micro-Star int'l)
(Asus bug)
- FIXED: OpenVPN client download was capped by Adaptive QOS
upload limit (fix devised by FreshJR)
Re: Asus RT-AC68U
Posted: Thu Nov 22, 2018 4:08 pm
by Gundam
Mine is RT-N56U....
