From hauke at hauke-m.de Thu May 7 13:46:04 2026 From: hauke at hauke-m.de (Hauke Mehrtens) Date: Thu, 7 May 2026 22:46:04 +0200 Subject: OpenWrt 25.12.3 - Service Release Message-ID: <48b128ae-c6bd-4ada-9147-431df449c5e1@hauke-m.de> Hi, The OpenWrt community is proud to announce the third service release of the OpenWrt 25.12 stable series. Download firmware images using the OpenWrt Firmware Selector: * https://firmware-selector.openwrt.org/?version=25.12.3 Download firmware images directly from our download servers: * https://downloads.openwrt.org/releases/25.12.3/targets/ Main changes between OpenWrt 25.12.2 and OpenWrt 25.12.3 ========================================================= Only the main changes are listed below. See the [full changelog](https://openwrt.org/releases/25.12/changelog-25.12.3) for details. Security fixes ============== * Linux kernel: fixes **CVE-2026-31431 ("Copy Fail")**. In earlier releases this only affected users on the starfive target and users who had installed kmod-crypto-user. * mbedtls: update to 3.6.6 (multiple CVE fixes) * OpenSSL: update to 3.5.6 (multiple CVE fixes) * wolfSSL: update to 5.9.1 (multiple CVE fixes) Device support ============== New devices supported in 25.12.3: * mediatek: filogic: ASUS RT-AX52 PRO * mediatek: filogic: D-Link AQUILA PRO AI E30 * mediatek: filogic: Huasifei WH3000 Pro (NAND variant) * mediatek: filogic: Keenetic KAP-630 / Netcraze NAP-630 * mediatek: filogic: Zbtlink ZBT-Z8106AX-T * mediatek: filogic: Zyxel WX5600-T0 * ramips: mt7621: EDUP EP-RT2983 * ramips: mt76x8: Cudy LT300 v3 * x86: DFI ADN553 * x86: DFI ASL553 Device fixes: * ath79: Netgear WNDAP360: multiple fixes restoring proper operation (sysupgrade, kernel loader, ethernet, LED, serial baud rate and U-Boot environment) * ath79: Extreme Networks WS-AP3805i: fix U-Boot environment configuration * ath79: Mikrotik: fix included device packages * ipq50xx: Linksys MX5500: add label MAC device assignment * lantiq: Netgear DGN3500: fix U-Boot environment size ? device was broken on 25.12 (https://github.com/openwrt/openwrt/issues/22692) * mediatek: filogic: Bananapi BPI-R4: add device tree overlay for the BE14 WiFi 7 module ? fixes very low WiFi TX power on this module (https://github.com/openwrt/openwrt/issues/17489) * mediatek: filogic: Keenetic KN-1812: various Ethernet PHY device tree fixes (PHY reset, interrupt support, MDIO drive strength, partition naming, xsphy node) * mediatek: filogic: Netgear EAX17: fix rootfs hash in FIT node for per-device rootfs builds * mediatek: filogic: CMCC RAX3000M: add Airoha AN8855 switch support (https://github.com/openwrt/openwrt/issues/21230) * mediatek: filogic: Zbtlink ZBT-Z8103AX-D: enable NMBM on the SPI-NAND flash * mvebu: ClearFog Base/Pro: fix switch kernel module * qualcommax: ipq50xx: Xiaomi AX6000: enable PCIe1 for QCA9887 * qualcommax: ipq807x: Linksys MX5300: add label MAC assignment * ramips: Yuncore CPE200: fix EEPROM size * ramips: mt7621: fix reset hang * ramips: Wavlink WL-WN575A3: fix EEPROM size for 5 GHz WiFi * ramips: Xiaomi Mi Router 4C: fix WAN LED GPIO (https://github.com/openwrt/openwrt/issues/18578) WiFi fixes and improvements ============================ * wifi-scripts: fix incorrect `erp_domain` and `fils_cache_id` values generated by the ucode-based config script (https://github.com/openwrt/openwrt/issues/21768) * wifi-scripts: add missing `bridge_isolate` and `network_vlan` fields to the ucode schema (https://github.com/openwrt/openwrt/issues/22620) * wifi-scripts: add missing `iface` and other fields to the ucode station/vlan schema (https://github.com/openwrt/openwrt/issues/22165) * wifi-scripts: add EHT (WiFi 7) rates to `set_fixed_freq` Networking and system fixes ============================ * mbedtls: backport upstream patches to fix TLS 1.2 client issues ? fixes a regression that broke DDNS updates and other TLS 1.2 client connections; the regression was introduced in mbedtls package updates shipped after the 25.12.2 release (https://github.com/openwrt/openwrt/issues/22874) * base-files: sysupgrade: fix `-u` option (skip default configuration) which was broken with apk * base-files: sysupgrade: fix `-f` (custom backup) when the path contains spaces * base-files: sysupgrade: update backup exclusion list * base-files: use `DISKSEQ` instead of MAJOR/MINOR for stable disk identification (MAJOR/MINOR are not sequential) * lantiq: fix mtdparsers refcount and memory leak * uqmi / umbim: introduce `devpath` option for selecting cellular modems by USB device path * kernel: add `kmod-vsock` and `kmod-vsock-virtio` for VM guests (vsock communication) Core component updates ======================= * Linux kernel: update from 6.12.74 to 6.12.85 * ca-certificates: update from 20250419 to 20260223 * linux-firmware: update from 20251125 to 20260221 * mbedtls: update from 3.6.5 to 3.6.6 (security fixes) * OpenSSL: update from 3.5.5 to 3.5.6 (security fixes) * wireless-regdb: update from 2026.02.04 to 2026.03.18 * wolfSSL: update from 5.8.4 to 5.9.1 (security fixes) * xdp-tools: update from 1.4.3 to 1.6.3 Upgrading to 25.12.3 ===================== Upgrading from 24.10 to 25.12 should be transparent on most devices, as most configuration data has either remained the same or will be translated correctly on first boot by the package init scripts. For upgrades within the OpenWrt 25.12 stable series, [Attended Sysupgrade](https://openwrt.org/docs/guide-user/installation/attended.sysupgrade) is also supported, which allows preserving the installed packages. * Sysupgrade from 23.05 or earlier to 25.12 is not officially supported. * Cron log level was fixed in busybox. `system. at system[0].cronloglevel` should be set to `7` for normal logging. `7` is the default now. If this option is not set, the default is used and no manual action is needed. https://github.com/openwrt/openwrt/commit/fc0c518a88e68d3deef04bec73b33d35186d6546 * Bananapi BPI-R4: Interface `eth1` was renamed to `sfp-lan` or `lan4`, and interface `eth2` was renamed to `sfp-wan` to match the labels. You have to upgrade without saving the configuration. https://github.com/openwrt/openwrt/commit/cd8dcfef378044a1687adfa3738f01f9a9622baf * **TP-Link RE355 v1, RE450 v1 and RE450 v2:** The partition layout and block size changed in this release to fix configuration loss on sysupgrade. Users upgrading from OpenWrt 25.12.0 or earlier must use `sysupgrade -F` to force the upgrade. The image must not exceed 5.875 MB (6016 KiB). * **Meraki MX60:** Direct sysupgrade to 25.12.3 is not possible without manual preparation ? `meraki_loadaddr` must be changed before upgrading, as the default value is insufficient to boot OpenWrt 25.12+. See the device wiki page for instructions. Known issues ============ * Zyxel EX5601-T0: the WAN interface was renamed from `eth1` to `wan` ? check and update your network configuration after upgrading. * Pixel 10 phones have problems connecting to WPA3-protected WiFi 6 APs. https://github.com/openwrt/openwrt/issues/21486 * 802.11r Fast Transition (FT) causes connection problems with some WiFi clients when WPA3 is used. https://github.com/openwrt/openwrt/issues/22200 * SQM CAKE MQ (`cake_mq`): throughput may be unexpectedly low on some configurations after the scheduler fixes in this release. https://github.com/openwrt/openwrt/issues/22344 ----------------- Full release notes and upgrade instructions are available at https://openwrt.org/releases/25.12/notes-25.12.3 In particular, make sure to read the known issues before upgrading: https://openwrt.org/releases/25.12/notes-25.12.3#known_issues For a detailed list of all changes, refer to https://openwrt.org/releases/25.12/changelog-25.12.3 To download the 25.12.3 images, navigate to: https://downloads.openwrt.org/releases/25.12.3/targets/ Use OpenWrt Firmware Selector to download: https://firmware-selector.openwrt.org?version=25.12.3 As always, a big thank you goes to all our active package maintainers, testers, documenters and supporters. Have fun! The OpenWrt Community --- To stay informed of new OpenWrt releases and security advisories, there are new channels available: * a low-volume mailing list for important announcements: https://lists.openwrt.org/mailman/listinfo/openwrt-announce * a dedicated "announcements" section in the forum: https://forum.openwrt.org/c/announcements/14 * other announcement channels (such as RSS feeds) might be added in the future, they will be listed at https://openwrt.org/contact From hauke at hauke-m.de Thu May 14 14:56:26 2026 From: hauke at hauke-m.de (Hauke Mehrtens) Date: Thu, 14 May 2026 23:56:26 +0200 Subject: OpenWrt 25.12.4 - Service Release Message-ID: <061eac0e-6c2b-4122-9c2a-eba595cd2f88@hauke-m.de> Hi, The OpenWrt community is proud to announce the fourth service release of the OpenWrt 25.12 stable series. Download firmware images using the OpenWrt Firmware Selector: * https://firmware-selector.openwrt.org/?version=25.12.4 Download firmware images directly from our download servers: * https://downloads.openwrt.org/releases/25.12.4/targets/ Main changes between OpenWrt 25.12.3 and OpenWrt 25.12.4 ========================================================= Only the main changes are listed below. See the [full changelog](https://openwrt.org/releases/25.12/changelog-25.12.4) for details. Security fixes ============== * **dnsmasq:** backport six upstream CVE-fix patches to dnsmasq 2.91: * CVE-2026-2291: heap buffer overflow in DNS domain-name handling. * CVE-2026-4890 / CVE-2026-4891: DNSSEC crashes via crafted NSEC bitmaps / RRSIG packets. * CVE-2026-4892: buffer overflow on large DHCPv6 CLIDs (only with `--dhcp-script`). * CVE-2026-4893: broken EDNS Client Subnet validation. * CVE-2026-5172: buffer overflow in `extract_addresses()` on crafted resource records. * **Linux kernel: CVE-2026-43284 ("Dirty Frag")** ? local privilege escalation via the IPsec ESP path. Only relevant on devices with `kmod-ipsec` / `esp4`/`esp6` loaded. Fixed via the 6.12.87 kernel update. Device support ============== New devices supported in 25.12.4: * ath79: MikroTik RouterBOARD 960PGS (hEX PoE / PowerBox Pro) * mediatek: filogic: Cudy WR3000E v1: add ubootmod variant * mediatek: filogic: Cudy WR3000H v1: add ubootmod variant * mediatek: filogic: Cudy WR3000P v1: add ubootmod variant * mediatek: filogic: Cudy WR3000S v1: add ubootmod variant Device fixes: * ath79: Sitecom WLR-7100 (X7 AC1200): fix MAC address assignment, wire up 5 GHz WLAN LED, and move to the `tiny` target to free ~800 KiB of flash * ipq40xx: Pakedge WR-1: restore lost band label on the WLAN LEDs * mediatek: filogic: Cudy WR3000E/H/P/S v1 and WBR3000UAX v1 (ubootmod NAND builds): disable NMBM, which was mistakenly enabled and prevented the NAND from being used correctly * microchipsw: fix LAN8814 QSGMII soft reset WiFi fixes and improvements ============================ * wifi-scripts: fix `basic_rate` mapping in the wpa_supplicant ucode generator * mac80211: update backports package to 6.18.26 (general stability improvements) Core component updates ======================= * Linux kernel: update from 6.12.85 to 6.12.87 * mac80211: update from 6.18.7 to 6.18.26 Upgrading to 25.12.4 ===================== Upgrading from 24.10 to 25.12 should be transparent on most devices, as most configuration data has either remained the same or will be translated correctly on first boot by the package init scripts. For upgrades within the OpenWrt 25.12 stable series, [Attended Sysupgrade](https://openwrt.org/docs/guide-user/installation/attended.sysupgrade) is also supported, which allows preserving the installed packages. * Sysupgrade from 23.05 or earlier to 25.12 is not officially supported. * Cron log level was fixed in busybox. `system. at system[0].cronloglevel` should be set to `7` for normal logging. `7` is the default now. If this option is not set, the default is used and no manual action is needed. https://github.com/openwrt/openwrt/commit/fc0c518a88e68d3deef04bec73b33d35186d6546 * Bananapi BPI-R4: Interface `eth1` was renamed to `sfp-lan` or `lan4`, and interface `eth2` was renamed to `sfp-wan` to match the labels. You have to upgrade without saving the configuration. https://github.com/openwrt/openwrt/commit/cd8dcfef378044a1687adfa3738f01f9a9622baf * **TP-Link RE355 v1, RE450 v1 and RE450 v2:** The partition layout and block size changed in this release to fix configuration loss on sysupgrade. Users upgrading from OpenWrt 25.12.0 or earlier must use `sysupgrade -F` to force the upgrade. The image must not exceed 5.875 MB (6016 KiB). * **Meraki MX60:** Direct sysupgrade to 25.12.4 is not possible without manual preparation ? `meraki_loadaddr` must be changed before upgrading, as the default value is insufficient to boot OpenWrt 25.12+. See the device wiki page for instructions. Known issues ============ * Zyxel EX5601-T0: the WAN interface was renamed from `eth1` to `wan` ? check and update your network configuration after upgrading. * Pixel 10 phones have problems connecting to WPA3-protected WiFi 6 APs. https://github.com/openwrt/openwrt/issues/21486 * 802.11r Fast Transition (FT) causes connection problems with some WiFi clients when WPA3 is used. https://github.com/openwrt/openwrt/issues/22200 * SQM CAKE MQ (`cake_mq`): throughput may be unexpectedly low on some configurations after the scheduler fixes in this release. https://github.com/openwrt/openwrt/issues/22344 ----------------- Full release notes and upgrade instructions are available at https://openwrt.org/releases/25.12/notes-25.12.4 In particular, make sure to read the known issues before upgrading: https://openwrt.org/releases/25.12/notes-25.12.4#known_issues For a detailed list of all changes, refer to https://openwrt.org/releases/25.12/changelog-25.12.4 To download the 25.12.4 images, navigate to: https://downloads.openwrt.org/releases/25.12.4/targets/ Use OpenWrt Firmware Selector to download: https://firmware-selector.openwrt.org?version=25.12.4 As always, a big thank you goes to all our active package maintainers, testers, documenters and supporters. Have fun! The OpenWrt Community --- To stay informed of new OpenWrt releases and security advisories, there are new channels available: * a low-volume mailing list for important announcements: https://lists.openwrt.org/mailman/listinfo/openwrt-announce * a dedicated "announcements" section in the forum: https://forum.openwrt.org/c/announcements/14 * other announcement channels (such as RSS feeds) might be added in the future, they will be listed at https://openwrt.org/contact From hauke at hauke-m.de Sun May 31 16:19:35 2026 From: hauke at hauke-m.de (Hauke Mehrtens) Date: Mon, 1 Jun 2026 01:19:35 +0200 Subject: OpenWrt 24.10.7 - Service Release Message-ID: <7282877f-a195-401a-8e49-293b37595fc2@hauke-m.de> Hi, The OpenWrt community is proud to announce the newest stable release of the OpenWrt 24.10 stable series. This release fixes several security issues, including security fixes in dnsmasq and the Linux kernel. We recommend everyone to upgrade. The OpenWrt 24.10 series is in security maintenance (only security problems are fixed), with end of life (EoL) projected for September 2026. We recommend migrating to OpenWrt 25.12 before then. Download firmware images using the OpenWrt Firmware Selector: * https://firmware-selector.openwrt.org/?version=24.10.7 Download firmware images directly from our download servers: * https://downloads.openwrt.org/releases/24.10.7/targets/ Main changes between OpenWrt 24.10.6 and OpenWrt 24.10.7 ========================== Only the main changes are listed below. See [changelog-24.10.7](https://openwrt.org/releases/24.10/changelog-24.10.7) for the full changelog. Security fixes ========== Linux kernel: * CVE-2026-43284 ("Dirty Frag"): local privilege escalation through the IPsec ESP code path. This only affects devices that use IPsec, i.e. that have kmod-ipsec / the esp4 or esp6 kernel modules loaded. Fixed by the Linux kernel update to 6.6.138. * CVE-2026-31431 ("Copy Fail"): in earlier releases this only affected users of the starfive target and users who had installed kmod-crypto-user. Fixed by the Linux kernel update to 6.6.137. dnsmasq: * Multiple upstream security fixes backported to dnsmasq 2.90: CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893 and CVE-2026-5172. TLS/crypto libraries: * openssl: update to 3.0.20, fixing multiple security vulnerabilities * mbedtls: update to 3.6.6, fixing multiple security vulnerabilities * wolfssl: update to 5.9.1, fixing multiple security vulnerabilities Device support =========== * airoha: an7581: enable USB support * airoha: EN7581: fix PCIe initialization and add x2 lane (x2 link) support * airoha: add U-Boot support for EN7581/AN7583 boards * bcm53xx: align image names with the device-tree compatible (affects image selection in the Firmware Selector) * qualcommax: ipq807x: Linksys MX5300: fix MAC address labelling * ramips: mt7621: Xiaomi Mi Router AC2100: fix MAC address labelling Various fixes and improvements ==================== * airoha: an7581: fix kernel panic in the I2S audio driver * airoha: fix Ethernet hardware offload on EN7581 (backported upstream airoha_eth patches, offload with GDM2 present) * lantiq: fix refcount and memory leak in the MTD partition parser * wifi-scripts: fix MAC address check in the mac80211 setup script Core components update ============== * Linux kernel: update from 6.6.127 to 6.6.141 * ca-certificates: update from 20250419 to 20260223 * mbedtls: update from 3.6.5 to 3.6.6 * openssl: update from 3.0.19 to 3.0.20 * wireless-regdb: update from 2026.02.04 to 2026.03.18 * wolfssl: update from 5.7.6 to 5.9.1 Upgrading to 24.10 =================== Sysupgrade can be used to upgrade a device from 23.05 to 24.10, and configuration will be preserved in most cases. For for upgrades inside the OpenWrt 24.10 stable series for example from a OpenWrt 24.10 release candidate [Attended Sysupgrade](https://openwrt.org/docs/guide-user/installation/attended.sysupgrade) is supported in addition which allows preserving the installed packages too. * Sysupgrade from 22.03 to 24.10 is not officially supported. * There is no configuration migration path for users of the ipq806x target for Qualcomm Atheros IPQ806X SoCs because it switched to [DSA](https://openwrt.org/docs/guide-user/network/dsa/start). You have to upgrade without saving the configuration. ''Image version mismatch. image 1.1 device 1.0 Please wipe config during upgrade (force required) or reinstall. Config cannot be migrated from swconfig to DSA Image check failed'' * User of the Linksys E8450 aka. Belkin RT3200 running OpenWrt 23.05 or earlier will need to run installer version [v1.1.3](https://github.com/dangowrt/owrt-ubi-installer/releases/tag/v1.1.3) or later in order to reorganize the UBI layout for the 24.10 release. [A detailed description is in the OpenWrt wiki.](https://openwrt.org/toh/linksys/e8450#upgrading_an_ubi_installation_to_new_releases_after_2024-02_includes_all_snapshots_2410-snapshots_24100-rcx_releases_and_all_releases_in_the_foreseable_future) Updating without using the installer will break the device. Sysupgrade will show a warning before doing an incompatible upgrade. * Users of the Xiaomi AX3200 aka. Redmi AX6S running OpenWrt 23.05 or earlier have to follow a [special upgrade procedure described in the wiki](https://openwrt.org/toh/xiaomi/ax3200#upgrading_from_2305_and_earlier_to_upcoming_2410_or_snapshot). This will increase the flash memory available for OpenWrt. Updating without following the guide in the wiki break the device. Sysupgrade will show a warning before doing an incompatible upgrade. * Users of Zyxel GS1900 series switches running OpenWrt 23.05 or earlier have to perform a new factory install with the initramfs image due to a changed partition layout. Sysupgrade will show a warning before doing an incompatible upgrade and is not possible. After upgrading, the config file /etc/config/system should not be restored from a backup, as this will overwrite the new compat_version value. Known issues =========== * **LEDs for Airoha AN8855 are not yet supported.** Devices like the Xiaomi AX3000T with an Airoha switch will have their switch LEDs powered off. This issue will be addressed in an upcoming OpenWrt SNAPSHOT and the OpenWrt 24.10 minor release. * **5GHz WiFi is non-functional on certain devices with ath10k chipsets.** Affected models include the Phicomm K2T, TP-Link Archer C60 v3 and possibly others. For details, see [issue #14541](https://github.com/openwrt/openwrt/issues/14541). ----------------- Full release notes and upgrade instructions are available at https://openwrt.org/releases/24.10/notes-24.10.7 In particular, make sure to read the regressions and known issues before upgrading: https://openwrt.org/releases/24.10/notes-24.10.7#known_issues For a detailed list of all changes since 24.10.6, refer to https://openwrt.org/releases/24.10/changelog-24.10.7 To download the 24.10.7 images, navigate to: https://downloads.openwrt.org/releases/24.10.7/targets/ Use OpenWrt Firmware Selector to download: https://firmware-selector.openwrt.org?version=24.10.7 As always, a big thank you goes to all our active package maintainers, testers, documenters and supporters. Have fun! The OpenWrt Community --- To stay informed of new OpenWrt releases and security advisories, there are new channels available: * a low-volume mailing list for important announcements: https://lists.openwrt.org/mailman/listinfo/openwrt-announce * a dedicated "announcements" section in the forum: https://forum.openwrt.org/c/announcements/14 * other announcement channels (such as RSS feeds) might be added in the future, they will be listed at https://openwrt.org/contact