docs: import v2021.1.2 release notes and update README

605c7e08 · Matthias Schiffer · 9aaeda8d · 605c7e08 · 605c7e08 · 605c7e08
Unverified Commit 605c7e08 authored 2 years ago by Matthias Schiffer
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ the future development of Gluon.
 Please refrain from using the `master` branch for anything else but development purposes!
 Use the most recent release instead. You can list all releases by running `git tag`
-and switch to one by running `git checkout v2021.1 && make update`.
+and switch to one by running `git checkout v2021.1.2 && make update`.
 If you're using the autoupdater, do not autoupdate nodes with anything but releases.
 If you upgrade using random master commits the nodes *might break* eventually.

--- a/docs/releases/index.rst
+++ b/docs/releases/index.rst
@@ -5,6 +5,7 @@ Release Notes
   :caption: Gluon 2021.1
   :maxdepth: 2
+   v2021.1.2
   v2021.1.1
   v2021.1

--- a/docs/releases/v2021.1.2.rst
+++ b/docs/releases/v2021.1.2.rst
+Gluon 2021.1.2
+==============
+Important notes
+---------------
+This release fixes a **critical security vulnerability** in Gluon's
+autoupdater.
+Upgrades to v2021.1 and later releases are only supported from releases v2018.2
+and later. Migration code for upgrades from older versions has been removed to
+simplify maintenance.
+Updates
+-------
+- The Linux kernel was updated to version 4.14.275
+- The mac80211 wireless driver stack was updated to a version based on kernel
+  4.19.237
+Various minor package updates are not listed here and can be found in the commit
+log.
+Bugfixes
+--------
+* **[SECURITY]** Autoupdater: Fix signature verification
+  A recently discovered issue (CVE-2022-24884) in the *ecdsautils* package
+  allows forgery of cryptographic signatures. This vulnerability can be
+  exploited to create a manifest accepted by the autoupdater without knowledge
+  of the signers' private keys. By intercepting nodes' connections to the update
+  server, such a manifest allows to distribute malicious firmware updates.
+  This is a **critical** vulnerability. All nodes with autoupdater must be
+  updated. Requiring multiple signatures for an update does *not* mitigate the
+  issue.
+  As a temporary workaround, the issue can be mitigated on individual nodes by
+  disabling the autoupdater via config mode or using the following commands::
+    uci set autoupdater.settings.enabled=0
+    uci commit autoupdater
+  A fixed firmware should be installed manually before enabling the autoupdater
+  again.
+  See security advisory `GHSA-qhcg-9ffp-78pw
+  <https://github.com/freifunk-gluon/ecdsautils/security/advisories/GHSA-qhcg-9ffp-78pw>`_
+  for further information on this vulnerability.
+* **[SECURITY]** Config Mode: Prevent Cross-Site Request Forgery (CSRF)
+  The Config Mode was not validating the *Origin* header of POST requests.
+  This allowed arbitrary websites to modify   configuration (including SSH keys)
+  on a Gluon node in Config Mode reachable from a user's browser by sending POST
+  requests with form data to 192.168.1.1.
+  The impact of this issue is considered low, as nodes are only vulnerable while
+  in Config Mode.
+* Config Mode: Fix occasionally hanging page load after submitting the
+  configuration wizard causing the reboot message and VPN key not to be
+  displayed
+* Config Mode (OSM): Update default OpenLayers source URL
+  The OSM feature of the Config Mode was broken when the default source URL was
+  used for OpenLayers, as the old URL has become unavailable. The default was
+  updated to a URL that should not become unavailable again.
+* Config Mode (OSM): Fix error when using ``"`` character in attribution text
+* respondd-module-airtime: Fix respondd crash on devices with disabled WLAN
+  interfaces
+  Several improvements were made to the error handling of the
+  *respondd-module-airtime* package. The "PHY ID" field (introduced in Gluon
+  2021.1) was removed again.
+* ipq40xx: Fix bad WLAN performance on Plasma Cloud PA1200 and PA2200 devices
+* Fix occasional build failure in "perl" package with high number of threads
+  (``-j32`` or higher)
+Other improvements
+------------------
+* Several improvements were made to the status page:
+  - WLAN channel display does not require the *respondd-module-airtime* package
+    anymore
+  - The "gateway nexthop" label now links to the status page of the nexthop node
+  - The timeout to retrieve information from neighbour nodes was increased,
+    making the display of the name
+    of overloaded, slow or otherwise badly reachable nodes more likely to
+    succeed
+Known issues
+------------
+* Upgrading EdgeRouter-X from versions before v2020.1.x may lead to a
+  soft-bricked state due to bad blocks on the NAND flash which the NAND driver
+  before this release does not handle well.
+  (`#1937 <https://github.com/freifunk-gluon/gluon/issues/1937>`_)
+* The integration of the BATMAN_V routing algorithm is incomplete.
+  - Mesh neighbors don't appear on the status page.
+    (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+    Many tools have the BATMAN_IV metric hardcoded, these need to be updated to
+    account for the new throughput metric.
+  - Throughput values are not correctly acquired for different interface types.
+    (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+    This affects virtual interface types like bridges and VXLAN.
+* Default TX power on many Ubiquiti devices is too high, correct offsets are
+  unknown (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+  Reducing the TX power in the Advanced Settings is recommended.
+* In configurations without VXLAN, the MAC address of the WAN interface is
+  modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+  This may lead to issues in environments where a fixed MAC address is expected
+  (like VMware when promiscuous mode is disallowed).