-
rc/20230421
Moin Moin, Ich habe heute eine neue Firmware gebaut. Basisdaten: * Firmware-Version: 20230421 * Gluon-Version: v2022.1.x * Commit ID: e9dcefee596fdc840ed23313286874879d4bc2d1 * Download: https://firmware.ffnw.de/l2tp/20230421/ Folgende Gluon spezifischen Änderungen gab es unter anderen: Release Gluon 2022.1 Upgrades to v2022.1 and later releases are only supported from releases v2020.1 and later. This is due to migrations that have been removed to simplify maintenance. https://gluon.readthedocs.io/en/latest/releases/v2022.1.html Release Gluon 2022.1.1 This release mitigates multiple flaws in the Linux wireless stack fixing RCE and DoS vulnerabilities. https://gluon.readthedocs.io/en/latest/releases/v2022.1.1.html Release Gluon 2022.1.2 Contains various bugfixes only. https://gluon.readthedocs.io/en/latest/releases/v2022.1.2.html Release Gluon 2022.1.3 Fix boot hang on various Unifi-AC devices https://gluon.readthedocs.io/en/latest/releases/v2022.1.3.html Added hardware support: ath79-generic: * D-Link DAP-2660 A1 * Enterasys WS-AP3705i * Siemens WS-AP3610 * TP-Link: Archer A7 v5 CPE510 v2 CPE510 v3 CPE710 v1 EAP225-Outdoor v1 WBS210 v2 ath79-mikrotik: * Mikrotik RB951Ui-2nD ipq40xx-generic: * GL.iNet GL-AP1300 * Aruba Networks: AP-303H AP-365 * AVM FRITZ!Box 7520 (v1) InstantOn AP11D InstantOn AP17 ipq40xx-mikrotik: Mikrotik: * hAP ac2 * SXTsq-5-AC ramips-mt7620: * Xiaomi Mi Router 3G (v2) ramips-mt7621: * Cudy WR2100 * D-Link DAP-X1860 (A1) * GL.iNet GL-MT1300 * Mercusys MR70X (v1) * Netgear: R6260 WAC104 WAX202 * TP-Link: RE500 RE650 v1 * Ubiquiti UniFi 6 Lite * Xiaomi Mi Router 4A (Gigabit Edition) * ZyXEL NWA50AX ramips-mt7622: * Linksys E8450 * Xiaomi AX3200 * Ubiquiti UniFi 6 LR ramips-mt76x8: * GL.iNet microuter-N300 * Netgear R6020 * RAVPower RP-WD009 * TP-Link: Archer C20 v4 Archer C20 v5 RE200 v2 v3 RE305 v1 * Xiaomi: Mi Router 4C Mi Router 4A (100M Edition) rockchip-armv8: * FriendlyElec: NanoPi R2S NanoPi R4S (4GB LPDDR4) mpc85xx-p1010: * TP-Link TL-WDR4900 (v1) * Sophos RED 15w rev. 1 mpc85xx-p1020: * Extreme Networks WS-AP3825i lantiq-xrx200: * AVM FRITZ!Box 7360 (v2) * TP-Link - TD-W8970 (v1) realtek-rtl838x * D-Link DGS-1210-10P (F1) Removed Devices This list contains devices which do not have enough memory or flash to be operated with this Gluon release. * D-Link DIR-615 (C1, D1, D2, D3, D4, H1) * Linksys WRT160NL * TP-Link: TL-MR13U (v1) TL-MR3020 (v1) TL-MR3040 (v1, v2) TL-MR3220 (v1, v2) TL-MR3420 (v1, v2) TL-WA701N/ND (v1, v2) TL-WA730RE (v1) TL-WA750RE (v1) TL-WA801N/ND (v1, v2, v3) TL-WA830RE (v1, v2) TL-WA850RE (v1) TL-WA860RE (v1) TL-WA901N/ND (v1, v2, v3, v4, v5) TL-WA7210N (v2) TL-WA7510N (v1) TL-WR703N (v1) TL-WR710N (v1, v2) TL-WR740N (v1, v3, v4, v5) TL-WR741N/ND (v1, v2, v4, v5) TL-WR743N/ND (v1, v2) TL-WR840N (v2) TL-WR841N/ND (v3, v5, v7, v8, v9, v10, v11, v12) TL-WR841N/ND (v1, v2) TL-WR843N/ND (v1) TL-WR940N (v1, v2, v3, v4, v5, v6) TL-WR941ND (v2, v3, v4, v5, v6) TL-WR1043N/ND (v1) * Ubiquiti: AirGateway AirGateway Pro AirRouter Bullet LS-SR71 Nanostation XM Nanostation Loco XM Picostation * Unknown A5-V11 * VoCore VoCore (8M, 16M) Atheros target migration All Atheros MIPS devices built with the ar71xx-generic, ar71xx-nand as well as ar71xx-tiny were deprecated upstream and are therefore not available with Gluon anymore. Many devices previously built with ar71xx-generic and ar71xx-nand are now available with the ath79-generic as well as ath79-nand target respectively. Features WireGuard Gluon got WireGuard support. This allows offloading encrypted connections into kernel space, increasing performance by forwarding packets without the need for context switches between user and kernel space. In order to reuse existing (already verified) fastd-keypairs for WireGuard, a key derivation procedure is currently being developed [0]. This should ease migration from fastd to WireGuard in case whitelisting VPN keys is desired. fastd L2TP fastd can now act as a connection broker for unencrypted L2TP-based tunneling within Gluons mesh-vpn framework. This new null@l2tp connection method allows for increased performance within existing fastd setups. In addition to a sufficiently configured fastd-based VPN server [1], this requires further modifications to a sites VPN fastd methods[2]. Major changes OpenWrt This release is based on the newest OpenWrt 22.03 release branch. It ships with Linux kernel 5.10 as well as wireless-backports 5.15. Network changes (DSA / Upgrade-Behavior) The ramips-mt7621 and lantiq-xrx200 targets now use the upstream DSA subsystem instead of OpenWrt swconfig for managing ethernet switches. Gluon detects the existing user-intent and automatically applies it over to DSA syntax. See the section about network reconfiguration for more details. System reconfiguration The network and system-LED configurations are now re-generated after each update / invocation of gluon-reconfigure. The user-intent is preserved within Gluon’s implemented functionality (Wired-Mesh / Client access / WAN). As an additional feature, Gluon now supports assigning roles to interfaces. This behavior is explained here [3]. Site changes VPN provider MTU To account for multiple VPN methods available for a site, the MTU used for the VPN tunnel connection is now moved to the specific VPN provider configuration. For fastd this means that mesh_vpn.mtu needs to be moved to mesh_vpn.fastd.mtu [4]. Preconfigured Interfaces Roles Instead of mesh_on_wan and mesh_on_lan there is now an interfaces block to configure the default behavior of network interfaces. Details can be found in the documentation [5]. Minor changes * The brcm2708-bcm2708 brcm2708-bcm2709 brcm2708-bcm2710 targets were renamed to bcm27xx-bcm2708 bcm27xx-bcm2709 and bcm27xx-bcm2710 * The GL.iNet GL-AR750S was moved to the ath79-nand subtarget *Gluon now ships the ath10k-ct firmware derivation for QCA9886 / QCA9888 / QCA9896 / QCA9898 / QCA9984 / QCA9994 / IPQ4018 / IPQ4028 / IPQ4019 / IPQ4029 radios [6] * WolfSSL instead of OpenSSL is now used when built with WPA3 support * The option to configure the wireless-channel independent from the site-selected channel was moved from gluon-core.wireless.preserve_channels to gluon.wireless.preserve_channels * gluon-info is a new command that provides information about the current node * GLUON_DEPRECATED is now set to 0 by default * To reboot a running gluon-node into setup-mode, Gluon now offers the gluon-enter-setup-mode command * Devices without WLAN do not show the private-wifi configuration anymore * The Autoupdater now uses the site default branch in case it is configured to use a non-existent / invalid branch Bugfixes * Fixes security issues in WolfSSL [13]. People who have installed additional, non-Gluon packages which rely on WolfSSL’s TLS 1.3 implementation might be affected. Firmwares using either gluon-mesh-wireless-sae or gluon-wireless-encryption-wpa3 are unaffected by these issues, since only WPA-Enterprise relies on the affected TLS functionality. CVE-2022-38152 CVE-2022-39173 * Fixes the update path for GL-AR300M and NanoStation Loco M2/M5 (XW) devices. * Various build-errors which sporadically occur when building with a large thread-count have been fixed * Android devices do not lose their IPv6 connectivity after extended idle-time * The 802.11s mesh network is now using 802.11ax HE-modes when supported by hardware * Ipq40xx Wave2 devices temporarily use non-ct firmware again to work around 802.11s unicast package loss in ath10k-ct [7] * Modify kernel builds slightly to work around a boot hang on various devices based on the QCA9563 SoC - especially the Unifi AC-* devices [14] * Work around an issue with wifi setup timing by waiting a bit while device initialisation is ongoing [15] Known issues * Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a soft-bricked state due to bad blocks on the NAND flash which the NAND driver before this release does not handle well [8]. * The integration of the BATMAN_V routing algorithm is incomplete. ** Mesh neighbors don’t appear on the status page [9]. Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput metric. **Throughput values are not correctly acquired for different interface types [10]. This affects virtual interface types like bridges and VXLAN. * Default TX power on many Ubiquiti devices is too high, correct offsets are unknown [11]. Reducing the TX power in the Advanced Settings is recommended. * In configurations without VXLAN, the MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled [12]. This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is disallowed). Missing devices The following devices have not yet been integrated into Gluons ath79 targets. * 8Devices Carambola 2 * Aerohive HiveAP 121 * Allnet ALL0315 * Buffalo: WZR-HP-G300NH2 WZR-HP-G450H * GL.iNet 6408A v1 WNDRMAC WNDRMAC v2 * TP-Link WR2543 * Ubiquiti Rocket * WD: MyNet N600 MyNet N750 * ZyXEL: NB6616 NB6716 Folgende zusatzliche änderungen auf Gluon v2023.1.3 kommen dazu: * modules: update openwrt * modules: update packages * modules: update routing * ath79-generic: remove workaround Now that OpenWrt implements a proper fix for the stalled boots on 74kc boards, the previous workaround can be removed. * ath79-generic: fix WS-AP3705i autoupdater name (#2819) It appears that the autoupdater name wasn't correct and devices therefore don't receive updates. * ipq40xx: use ath10k-smallbuffers for ZyXEL WRE6606 (#2843) The WRE6066, has in contrast to other ip40xx devices, has only 128MB system RAM. This results in OOM situations and instability, to circumvent this we need to use ath10k-smallbuffers. Die upstream Änderungen findet ihr hier: https://github.com/freifunk-gluon/gluon/compare/43954dd1652b44ed0618c98e44fad05dae3fa25a...e9dcefee596fdc840ed23313286874879d4bc2d1 Folgende Comunnity spezifischen Änderungen gab es im siteconf repo: * Der Firmware signatur schlüssel von Florian Lottes wurde hinzugefügt. * In allen Domains wurde die next_node mac 16:41:95:40:f7:dc hinzugefügt. * In der site.conf wurden die interface rollen lan, wan und single hinzugefügt. Die Änderungen an der Siteconf können im Siteconf-Repo hier eingesehen werden: https://git.ffnw.de/ffnw-firmware/siteconf/-/compare/rc%2F20220608...rc%2F20230421 Ich bitte euch die Änderungen zu prüfen und die Firmware im Anschluss zu signieren. Die Dokumentation zum Signaturprozess findet ihr im Wiki unter: https://wiki.ffnw.de/Firmware/Releaseprozess#Firmware_signieren Ein Script zum vereinfachten signieren findet ihr hier: https://git.ffnw.de/lrnzo/firmware-signing-made-easy [0] https://github.com/freifunk-gluon/gluon/pull/2601 [1] https://gluon.readthedocs.io/en/latest/features/vpn.html#vpn-gateway-configuration [2] https://gluon.readthedocs.io/en/latest/features/vpn.html#vpn-fastd-methods [3] https://gluon.readthedocs.io/en/latest/features/wired-mesh.html#wired-mesh-commandline [4] https://github.com/freifunk-gluon/gluon/pull/2352 [5] https://gluon.readthedocs.io/en/latest/user/site.html#user-site-interfaces [6] https://github.com/freifunk-gluon/gluon/pull/2541 [7] https://github.com/freifunk-gluon/gluon/issues/2692 [8] https://github.com/freifunk-gluon/gluon/issues/1937 [9] https://github.com/freifunk-gluon/gluon/issues/1726 [10] https://github.com/freifunk-gluon/gluon/issues/1728 [11] https://github.com/freifunk-gluon/gluon/issues/94 [12] https://github.com/freifunk-gluon/gluon/issues/496 [13] https://openwrt.org/releases/22.03/notes-22.03.1#security_fixes [14] https://github.com/freifunk-gluon/gluon/issues/2784 [15] https://github.com/freifunk-gluon/gluon/issues/2779 Viele Grüße Jan-Tarek Butt _______________________________________________ Dev Mailingliste -- dev@lists.ffnw.de Zur Abmeldung von dieser Mailingliste senden Sie eine Nachricht an dev-leave@lists.ffnw.de -
rc/2022060875c0794d · rm test flag ·
Moin Moin, Ich habe heute eine neue Firmware gebaut. Basisdaten: * Firmware-Version: 20220608 * Gluon-Version: v2021.1.x * Commit ID: 595abcf8cb2dc794801c6ed5f1641783fccf5806 * Download: https://firmware.ffnw.de/l2tp/20220608/ Folgende Gluon spezifischen Änderungen gab es unter anderen: * The Linux kernel was updated to version 4.14.275 * The mac80211 wireless driver stack was updated to a version based on kernel 4.19.237 * [SECURITY] Autoupdater: Fix signature verification. * [SECURITY] Config Mode: Prevent Cross-Site Request Forgery (CSRF). * Config Mode: Fix occasionally hanging page load after submitting the configuration wizard causing the reboot message and VPN key not to be displayed. * Config Mode (OSM): Update default OpenLayers source URL. * Config Mode (OSM): Fix error when using " character in attribution text. * respondd-module-airtime: Fix respondd crash on devices with disabled WLAN interfaces. * ipq40xx: Fix bad WLAN performance on Plasma Cloud PA1200 and PA2200 devices. * Fix occasional build failure in “perl” package with high number of threads (-j32 or higher). * status page: WLAN channel display does not require the respondd- module-airtime package anymore. * status page: The “gateway nexthop” label now links to the status page of the nexthop node. * status page: The timeout to retrieve information from neighbour nodes was increased, making the display of the name of overloaded, slow or otherwise badly reachable nodes more likely to succeed. Die upstream Änderungen findet ihr hier: https://github.com/freifunk-gluon/gluon/compare/2dad91bdcb315474cb311c892fc08570c567eab0...595abcf8cb2dc794801c6ed5f1641783fccf5806 Folgende Comunnity spezifischen Änderungen gab es im siteconf repo: Die Änderungen an der Siteconf können im Siteconf-Repo hier eingesehen werden: https://git.ffnw.de/ffnw-firmware/siteconf/-/compare/rc%2F20211030...rc%2F20220608 Ich bitte euch die Änderungen zu prüfen und die Firmware im Anschluss zu signieren. Die Dokumentation zum Signaturprozess findet ihr im Wiki unter: https://wiki.ffnw.de/Firmware/Releaseprozess#Firmware_signieren Ein Script zum vereinfachten signieren findet ihr hier: https://git.ffnw.de/lrnzo/firmware-signing-made-easy Viele Grüße Jan-Tarek Butt
-
20210915
Sign Request 20210915 Moin Moin, Ich habe heute eine neue Firmware gebaut. Basisdaten: * Firmware-Version: 20210915 * Gluon-Version: v2021.1.x * Commit ID: 0622764ed123beb7cee8e06ed49d20afd6d906be * Download: https://firmware.ffnw.de/l2tp/20210915/ Folgende Gluon spezifischen Änderungen gab es unter anderen: Added hardware support: ath79-generic * Plasma Cloud - PA300 - PA300E * TP-Link - Archer C2 v3 - Archer D50 v1 * Joy-IT - JT-OR750i ipq40xx-generic * AVM - FRITZ!Box 7530 * Plasma Cloud - PA1200 - PA2200 ramips-mt7620 * Netgear - EX3700 - EX3800 ramips-mt76x8 * Xiaomi - Mi Router 4A (100M Edition) Major changes: Multicast optimizations (batman-adv): In this release, we reenable the multicast optimizations, that have gone through another round of bug squashing upstream. With this feature batman-adv will distribute IPv6 link-local multicast packets via individual unicast packets instead of flooding them through the whole mesh as long as the number of subscribed nodes does not exceed 16. This reduces layer 2 overhead, especially for IPv6 Neighbour Discovery. We also relaxed the firewall for IPv6 multicast packets: Instead of always dropping non-essential multicast packets we now allow all IPv6 link-local multicast packets to pass when the destination group has up to 16 subscribers Status page: The status page has received much attention in this release and now exposes many more details that help to understand a node's setup remotely. Among other things, we now expose wireless client count per radio, the mac80211 identifiers, the frequencies radios are tuned to, as well as information about the VPN provider and details on the mesh protocol stack. gluon-switch-domain utility: The ``gluon-switch-domain`` utility has been introduced to allow for a standard way to encapsulate the steps required for safely switching between domains. Existing packages like the hoodselector and the scheduled-domain-switch have been tied in with gluon-switch-domain. It has an experimental ``--no-reboot`` flag that requires further testing, to ensure it doesn't accidentally bridge separate domains. Other changes: - The private WLAN interface is now assigned the interface name `wan_radioX` where X is the phy index. - Linux kernel has been updated to 4.14.235 - The kernel's mac80211 stack has been updated to 4.19.193-test1 to mitigate the `FragAttacks <https://www.fragattacks.com/>`_ vulnerabilities - OpenSSL has been updated to 1.1.1l, fixing CVE-2021-3449 and CVE-2021-3450 - openssl: use --cross-compile-prefix in Configure - Dropbear has been patched against mishandling of special filenames in its scp component (CVE-2020-36524) - kernel: bump 4.14 to 4.14.245 Bugfixes: - The firmware partition lookup in gluon-web-admin's firmware update page was using an old partition label and therefore failed to look up the available flash size. This resulted in misleading error messages in case the uploaded firmware file exceeds the flash size. - Android 9 and higher do not properly wake up to renew their MLD subscriptions, therefore dropping out of the Neighbor Discovery MLD group, which leads to broken IPv6 connectivity after the device has slept for a while. A workaround has been deployed to wake these devices up in regular intervals to prevent this regression. - Missing bandwith limit settings resulted in a respondd crash for v2021.1. - The Tunneldigger VPN provider was not registered with the Gluon VPN backend, resulting in broken Tunneldigger configurations. - Disabling Radio interfaces in v2021.1 could lead to nullpointer dereferences in the respondd airtime module, as the survey returns no data in this case. Internal: Mesh-VPN Abstraction Layer: In preparation for the introduction of new tunneling protocols, the gluon-mesh-vpn framework has been modularized. This allows for providers to use a standard interface and keep their implementation details in a dedicated package. Continuous Integration: * GitHub Actions - GitHub actions is now enabled for the Gluon project, build-testing all available targets. - CI jobs are now run based on which paths have been modified. - Linters for lua and shell scripts have been integrated. Die upstream Änderungen findet ihr hier: https://github.com/freifunk-gluon/gluon/compare/197e44da8ba47104ac088aedac73cde35135db67...0622764ed123beb7cee8e06ed49d20afd6d906be Folgende Comunnity spezifischen Änderungen gab es im siteconf repo: * Das Buildscript kann nun builddir cleanups über alle Architekturen. * ein RC autoupdater branch ist eingerichtet um das testen von release canidates zu vereinfachen. * Alle Domains bekommen ein zusätzliches neues IPv6 Präfix. * Die Domain Delmenhorst wurde westlicher von Delmenhost verschoben und heißt jetzt Landkreis Oldenburg. Hinzugekommen ist die Domain Bremen. * Teile der Domain landkreis_osnabrueck wurden in die Domain bad_iburg verschoben um Domain grenzen weniger durch Ortschaften laufen zu lassen und die Anzahl der Router pro Domain anzugleichen. * Die Domain landkreis_wittmund wurde in landkreis_wittmund_nord und landkreis_wittmund_sued geteilt. * Der Patch 0004-patches-openwrt-add-0016-ath9k-check-for-deaf-rx-pat.patch wurde entfernt. * eine Outdoor channel liste wurde hinzugefügt. Die Änderungen an der Siteconf können im Siteconf-Repo hier eingesehen werden: https://git.ffnw.de/ffnw-firmware/siteconf/-/compare/rc%2F20210427...rc%2F20210915 Ich bitte euch die Änderungen zu prüfen und die Firmware im Anschluss zu signieren. Die Dokumentation zum Signaturprozess findet ihr im Wiki unter: https://wiki.ffnw.de/Firmware/Releaseprozess#Firmware_signieren Ein Script zum vereinfachten signieren findet ihr hier: https://git.ffnw.de/lrnzo/firmware-signing-made-easy Viele Grüße Jan-Tarek Butt _______________________________________________ Dev mailing list -- dev@lists.ffnw.de To unsubscribe send an email to dev-leave@lists.ffnw.de -
20210427
Sign Request 20210427 Moin Moin, Ich habe heute eine neue Firmware gebaut. Basisdaten: * Firmware-Version: 20210427 * Gluon-Version: v2020.2.x * Commit ID: 197e44da8ba47104ac088aedac73cde35135db67 * Download: https://firmware.ffnw.de/l2tp/20210427/ Folgende Gluon spezifischen Änderungen gab es unter anderen: - LEDs on the ASUS RT-AC51 are now fully functional. - Netgear EX6150v1 randomly booting into failsafe mode has been fixed. This happened dependant on the state of the mode setting switch. - Dnsmasq has been patched against multiple security issues in its DNS response validation. See the OpenWrt advisory at https://openwrt.org/advisory/2021-01-19-1 Other changes ------------- - Linux kernel has been updated to 4.14.224 - batman-adv fixes were backported from its 2021.0 release - OpenSSL has been updated to 1.1.1k Die upstream Änderungen findet ihr hier: https://github.com/freifunk-gluon/gluon/compare/90d0e33c619cef9e0af928ef4d6477f6c1bdc0de...197e44da8ba47104ac088aedac73cde35135db67 Folgende Comunnity spezifischen Änderungen gab es im siteconf repo: * romove package ffnw-vxlan-switch * activate VXLAN for domain: leer, lohne, oldenburg2, osnabrueck, osnabrueck2, rastede, suedost, tossens und wilhelmshaven alle domains haben nun vxlan aktiviert. Die Änderungen an der Siteconf können im Siteconf-Repo hier eingesehen werden: https://git.ffnw.de/ffnw-firmware/siteconf/-/compare/rc%2F20210103...rc%2F20210427 Ich bitte euch die Änderungen zu prüfen und die Firmware im Anschluss zu signieren. Die Dokumentation zum Signaturprozess findet ihr im Wiki unter: https://wiki.ffnw.de/Firmware/Releaseprozess#Firmware_signieren Ein Script zum vereinfachten signieren findet ihr hier: https://git.ffnw.de/lrnzo/firmware-signing-made-easy Viele Grüße Jan-Tarek Butt _______________________________________________ Dev mailing list -- dev@lists.ffnw.de To unsubscribe send an email to dev-leave@lists.ffnw.de
-
rc/20210915
Moin Moin, Ich habe heute eine neue Firmware gebaut. Basisdaten: * Firmware-Version: 20210915 * Gluon-Version: v2021.1.x * Commit ID: 0622764ed123beb7cee8e06ed49d20afd6d906be * Download: https://firmware.ffnw.de/l2tp/20210915/ Folgende Gluon spezifischen Änderungen gab es unter anderen: Added hardware support: ath79-generic * Plasma Cloud - PA300 - PA300E * TP-Link - Archer C2 v3 - Archer D50 v1 * Joy-IT - JT-OR750i ipq40xx-generic * AVM - FRITZ!Box 7530 * Plasma Cloud - PA1200 - PA2200 ramips-mt7620 * Netgear - EX3700 - EX3800 ramips-mt76x8 * Xiaomi - Mi Router 4A (100M Edition) Major changes: Multicast optimizations (batman-adv): In this release, we reenable the multicast optimizations, that have gone through another round of bug squashing upstream. With this feature batman-adv will distribute IPv6 link-local multicast packets via individual unicast packets instead of flooding them through the whole mesh as long as the number of subscribed nodes does not exceed 16. This reduces layer 2 overhead, especially for IPv6 Neighbour Discovery. We also relaxed the firewall for IPv6 multicast packets: Instead of always dropping non-essential multicast packets we now allow all IPv6 link-local multicast packets to pass when the destination group has up to 16 subscribers Status page: The status page has received much attention in this release and now exposes many more details that help to understand a node's setup remotely. Among other things, we now expose wireless client count per radio, the mac80211 identifiers, the frequencies radios are tuned to, as well as information about the VPN provider and details on the mesh protocol stack. gluon-switch-domain utility: The ``gluon-switch-domain`` utility has been introduced to allow for a standard way to encapsulate the steps required for safely switching between domains. Existing packages like the hoodselector and the scheduled-domain-switch have been tied in with gluon-switch-domain. It has an experimental ``--no-reboot`` flag that requires further testing, to ensure it doesn't accidentally bridge separate domains. Other changes: - The private WLAN interface is now assigned the interface name `wan_radioX` where X is the phy index. - Linux kernel has been updated to 4.14.235 - The kernel's mac80211 stack has been updated to 4.19.193-test1 to mitigate the `FragAttacks <https://www.fragattacks.com/>`_ vulnerabilities - OpenSSL has been updated to 1.1.1l, fixing CVE-2021-3449 and CVE-2021-3450 - openssl: use --cross-compile-prefix in Configure - Dropbear has been patched against mishandling of special filenames in its scp component (CVE-2020-36524) - kernel: bump 4.14 to 4.14.245 Bugfixes: - The firmware partition lookup in gluon-web-admin's firmware update page was using an old partition label and therefore failed to look up the available flash size. This resulted in misleading error messages in case the uploaded firmware file exceeds the flash size. - Android 9 and higher do not properly wake up to renew their MLD subscriptions, therefore dropping out of the Neighbor Discovery MLD group, which leads to broken IPv6 connectivity after the device has slept for a while. A workaround has been deployed to wake these devices up in regular intervals to prevent this regression. - Missing bandwith limit settings resulted in a respondd crash for v2021.1. - The Tunneldigger VPN provider was not registered with the Gluon VPN backend, resulting in broken Tunneldigger configurations. - Disabling Radio interfaces in v2021.1 could lead to nullpointer dereferences in the respondd airtime module, as the survey returns no data in this case. Internal: Mesh-VPN Abstraction Layer: In preparation for the introduction of new tunneling protocols, the gluon-mesh-vpn framework has been modularized. This allows for providers to use a standard interface and keep their implementation details in a dedicated package. Continuous Integration: * GitHub Actions - GitHub actions is now enabled for the Gluon project, build-testing all available targets. - CI jobs are now run based on which paths have been modified. - Linters for lua and shell scripts have been integrated. Die upstream Änderungen findet ihr hier: https://github.com/freifunk-gluon/gluon/compare/197e44da8ba47104ac088aedac73cde35135db67...0622764ed123beb7cee8e06ed49d20afd6d906be Folgende Comunnity spezifischen Änderungen gab es im siteconf repo: * Das Buildscript kann nun builddir cleanups über alle Architekturen. * ein RC autoupdater branch ist eingerichtet um das testen von release canidates zu vereinfachen. * Alle Domains bekommen ein zusätzliches neues IPv6 Präfix. * Die Domain Delmenhorst wurde westlicher von Delmenhost verschoben und heißt jetzt Landkreis Oldenburg. Hinzugekommen ist die Domain Bremen. * Teile der Domain landkreis_osnabrueck wurden in die Domain bad_iburg verschoben um Domain grenzen weniger durch Ortschaften laufen zu lassen und die Anzahl der Router pro Domain anzugleichen. * Die Domain landkreis_wittmund wurde in landkreis_wittmund_nord und landkreis_wittmund_sued geteilt. * Der Patch 0004-patches-openwrt-add-0016-ath9k-check-for-deaf-rx-pat.patch wurde entfernt. * eine Outdoor channel liste wurde hinzugefügt. Die Änderungen an der Siteconf können im Siteconf-Repo hier eingesehen werden: https://git.ffnw.de/ffnw-firmware/siteconf/-/compare/rc%2F20210427...rc%2F20210915 Ich bitte euch die Änderungen zu prüfen und die Firmware im Anschluss zu signieren. Die Dokumentation zum Signaturprozess findet ihr im Wiki unter: https://wiki.ffnw.de/Firmware/Releaseprozess#Firmware_signieren Ein Script zum vereinfachten signieren findet ihr hier: https://git.ffnw.de/lrnzo/firmware-signing-made-easy Viele Grüße Jan-Tarek Butt