This repository has been archived by the owner on Dec 14, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
/
Changelog.txt
3021 lines (2716 loc) · 150 KB
/
Changelog.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Asuswrt-Merlin Changelog
========================
380.70 (8-Apr-2018)
- NOTE: This will be the final 380.xx release for
all models. The RT-N66U and RT-AC66U
support will be dropped, and all other
models have been migrated to the new gen
branch, as of release 384.4.
People who wish to keep getting updates for
these two older models should look at the
john9527 fork: https://bit.ly/2EV5Oat
- CHANGED: Tightened security around some config files.
- CHANGED: Samba protocol support can now be set to
SMBv1, SMBv2, or SMBv1 + SMBv2 (the new default).
This will result in a performance drop on all
models, but will be more secure.
Ideally, people should change it to SMBv2 only,
and then reboot all their client devices to start
using only the new protocol.
If performance is more important than security to
you, then you can switch it back to SMBv1, which is
the old default behaviour.
- CHANGED: Switched to the new Entware repo for armv7 models.
To upgrade, run the following commands TWICE:
opkg update; opkg upgrade
- FIXED: Apply button not working on the OpenVPN
Client page.
- FIXED: Potential racing condition that could lead to two
instances of miniupnpd running at boot time.
- FIXED: Broken FAQ links (backport from 380_8120)
- FIXED: Security issue in httpd (CVE-2018-8879).
- FIXED: Security issues in httpd (backports from 380_8228)
380.69_2 (28-Jan-2018)
- NOTE: The official IRC channel has moved to
Freenode (#asuswrt).
- CHANGED: Quantenna watchdog is less likely now to
incorrectly assume the QTN CPU has crashed
(which can lead to router reboots). (RT-AC87U)
- FIXED: IE11 field validation issues on OpenVPN and
DHCP pages.
- FIXED: Router crash when importing an OpenVPN certificate
longer than 3499 characters (the supported limit)
- FIXED: Users were allowed to enter invalid characters on
some of the OpenVPN client page fields.
- FIXED: CVE-2018-5999 in httpd (backport from 384_10007)
- FIXED: CVE-2018-5721 in httpd (Merlin & theMIROn)
380.69 (11-Dec-2017)
- NEW: Added option to disable the Asus NAT tunnel service under
Other Settings -> Tweak. Not quite sure what this
partly closed source service is for, but it eats a
fair amount of CPU and RAM (backport from 382)
- CHANGED: Updated odhcp6c to be in sync with upstream
(patch by theMIRon)
- CHANGED: Updated libogg to 1.3.3 and libvorbis to 1.3.5.
- CHANGED: Updated wget to 1.19.2 (fixing connectivity to some
TLS 1.2 servers)
- CHANGED: Updated RT-N66U and RT-AC66U SDK to GPL 380_8120's
(fixing KRACK in repeater/bridge mode)
- CHANGED: Updated openssl to 1.0.2n.
- CHANGED: Updated tor to 0.2.9.14.
- FIXED: allow IA_NA mode downgrade with forced IA_PD
(for ISPs with broken IPv6 support)
(patch by theMIRon)
- FIXED: Trend Micro signature check might randomly fail the
RSA validation.
- FIXED: Security issues CVE-2017-15275, CVE-2017-12163
and CVE-2017-12150 (backported to Samba 3.6 and 3.5)
- FIXED: Httpd crash when accessing certain webui pages with
no connected Ethernet clients
- FIXED: DNSFILTER rules would have priority over OPENVPN Client
rules (when client has DNS set to Exclusive mode).
- FIXED: traffic routing from the router itself would fail when
restarting the firewall while using an ovpn client with
policy rules in effect.
380.68_4 (4-Oct-2017)
- CHANGED: Updated dnsmasq to 2.78 (contains a number of
security fixes).
- FIXED: rstats could crash at start time in some situations.
- FIXED: QOS Scheduler would revert back to sfq after you had
re-enabled QOS while (fq_)codel was already selected.
- FIXED: Missing tabs on the Parental Control page.
- FIXED: Realtek port status wouldn't auto-refresh on the Sysinfo
page.
- FIXED: Incorrect sort by remaining time on the DHCP Lease page.
- FIXED: Some LAN clients couldn't be added to the TOR redirected
client list.
380.68_2 (12-Sept-2017)
- FIXED: Some models would show the wrong menu options while in
Repeater mode.
- FIXED: USB modem page not displayed if WAN type was set to USB.
- FIXED: CVE-2017-12754 security issue.
- FIXED: Incorrect LAN ports order on Networkmap (RT-AC3200)
(Asus bug)
- FIXED: Extra OpenVPN CA not properly handled for OpenVPN
clients 3, 4 and 5.
- FIXED: Invalid txrate shown on Wireless Client page if client
isn't authenticated yet
380.68 (18-Aug-2017)
- IMPORTANT: due to major webui changes, you will need to
either flush your browser cache, or force it
to reload the page (shift-reload) the first time
you access the webui after upgrading to 380.68.
- NEW: Merged GPL 380_7743 binary blobs for the RT-N66U.
- NEW: Backported Ethernet port status report on the Network Map
from GPL 382.
- NEW: Description field added to OpenVPN client configuration
- NEW: Added missing hash types to ipset_arm (Patch by john9527)
- NEW: Added hostname Busybox applet, used by some Entware packages
- NEW: Added TPROXY netfilter target module (ARM only)
- CHANGED: Switched webui menu generation code to GPL 382 code.
This new code is easier for me to maintain.
- CHANGED: Used webui menu icons from GPL 382.
- CHANGED: Re-organized VPN pages, merging some together.
- CHANGED: Reworked VPNStatus page, will now refresh itself every
5 seconds. It will also report a client's local
and public IP addresses.
- CHANGED: Re-designed webui interface for managing SSL
certificate. Added Upload button, and revamped
certificate info display (includes some backports
from GPL 382)
- CHANGED: Removed option to enable/disable persistent webui
certificate - they are now always persistent.
- CHANGED: Reworked Tools -> Sysinfo page, dynamic data will
refresh itself every 3 seconds, also port
ordering will be more consistent, and display based
on the new tableAPI from GPL 382.
- CHANGED: Backported system log page from GPL 382: moved logging
settings to it, added option to set a remote syslog
server's port, and shown log will auto refresh.
- CHANGED: Re-designed DHCP Lease log page to use the new
tableAPI, with sortable fields (defaults to IP sort)
- CHANGED: Do not alternate between ntp server from webui and
the one hardcoded in nvram - use webui one, unless
it's empty - then use the second server set in nvram.
- CHANGED: Moved App icon out of the notification area and into
the footer of the page, with other links.
- CHANGED: Updated Curl to 7.54.1
- CHANGED: Updated nano to 2.8.6
- CHANGED: Re-designed the way the Tor database gets backed up,
so it won't grow stale by never being updated.
- CHANGED: Define and forward a small range of ports
(57535-57565) for use for passive FTP (needed for
TLS over WAN).
- CHANGED: Reduce the amount of logging done while configuring
policy-based routing for an OpenVPN client when
using the default log verbosity level of 3.
- FIXED: Duplicate LAN port 1 shown for the RT-AC87U on
the Sysinfo page.
- FIXED: Port forward/UPNP issues with CTF enabled depending on
selected NAT loopback mode.
- FIXED: URL filtering wasn't working over IPv4.
- FIXED: OpenVPN instances could potentially start too early at
boot time (before clock was set)
- FIXED: When multiple OpenVPN clients are connected to the router,
their username wouldn't show as Connected.
- FIXED: Progress report would go to 200% if you changed a setting
and started or stopped an OpenVPN client or server.
- FIXED: Security issues CVE-2017-11344, CVE-2017-11345 and
CVE-2017-11420 in networkmap (patches by
Kilo Foxtrot Papa)
- FIXED: Webui self-generated certificate could sometime be
invalid due to a race condition between the SSL and
non-SSL httpd instances starting at the same time.
- FIXED: Tor would fail to start if there was a backed up
database in /jffs/.tordb, due to bad permissions.
- FIXED: SMB sharing without user authentication would fail if
router's admin username was changed from "admin"
(Asus bug)
- FIXED: SMB sharing without user authentication would cause
SMB2 to downgrade to SMB1.
- FIXED: 5GHz-2 would show an "undefined" channel on the
Wireless-> General and in the wifi popup if
5GHz-1 was disabled (Asus bug).
380.67 (16-July-2017)
- NEW: Merged with GPL 380_7743 code, with binary blobs from
7378 for N66U
- NEW: Custom config support for quagga/ripd.
- NEW: Webui SSL certificate can now be saved so it gets reused
instead of a new one being constantly generated. It will
be stored under /jffs/ssl/, you can also easily provide
your own by storing cert.pem and key.pem in that location.
Settings to control this can be found under
Administration -> System.
- NEW: TLS support in vsftpd. Key and certs are automatically
generated, and can also be replaced by your own, as
ftp.key and ftp.crt under /jffs/ssl/
- NEW: fq_codel and configurable overhead support in Adaptive QoS.
- NEW: PEAP/MSCHAPv2 support via 802.1x on WAN interface, in
addition to existing MD5 support (patch by Rafi Khardalian)
- CHANGED: Remember chosen sort method on DHCP static reservations
page.
- CHANGED: Updated minidlna to 1.2.0.
- CHANGED: Updated nano to 2.8.5.
- CHANGED: Updated openssl to 1.0.2l.
- CHANGED: Updated ipset (ARM) to 6.32.
- CHANGED: Upgraded from vsftpd 2.0.4 to 3.0.3. You might need to
revise any custom configuration you have done (if any).
- CHANGED: Moved SMB2 support switch to the main samba page.
- CHANGED: Optimized all webui images for size
- CHANGED: Tor now runs as a limited user instead of as root
- CHANGED: Limited number of supported OpenVPN clients to 2 on
the RT-AC3200, to save on nvram.
- CHANGED: Removed tweak that allowed to disable/enable bridge
multicast snooping, as Asus now disables it upstream
at the kernel level.
- FIXED: OpenVPN client would be shown as having failed to connect
if a reconnect attempt initially failed to authenticate,
but succesfully connected afterward.
- FIXED: Quagga's log could fill up RAM, reduced the amount of
logging generated by it.
- FIXED: NFS sometimes failing to start properly (patch by john9527)
- FIXED: Layout issue of the status bar under Chrome when window
is larger than 1800px (patch by Cyrus Dargahi)
- FIXED: UPNP and SNMP issues in Dual WAN mode.
- FIXED: NAT Loopback (merlin mode) in Dual WAN mode wasn't supported.
- FIXED: Internal and external port specifications were swapped in
miniupnpd's config file (Asus/Tomato bug)
- FIXED: Enabling policy-based routing for a client connecting to
a server that doesn't push a redirect-gateway would fail
to properly route traffic (for instance with StrongVPN)
- FIXED: Invalid port trigger rules when specifying a port range
(patch by John Bacho)
- FIXED: OpenVPN client with a password containing an "&" could get
corrupted when re-editing that client's config.
- FIXED: Some remote syslogd would choke on syslog entries sent by
the router if there were spaces in the tag parameter.
Removed spaces where this was the case.
380.66_6 (22-June-2017)
- CHANGED: Updated OpenVPN to 2.4.3
- FIXED: Corrupted firewall rules if enabling SSHD brute-force
protection and Respond to WAN Ping at the same time
while in Dual WAN mode.
380.66_4 (26-May-2017)
- CHANGED: Updated dropbear to 2017.75
- FIXED: Security issue CVE-2017-7494 in Samba.
380.66_2 (16-May-2017)
- FIXED: AiCloud fail to start on RT-N66U and RT-AC66U.
- FIXED: The generated key/cert for httpds and AiCloud could
sometimes be invalid due to a timing probblem.
380.66 (12-May-2017)
- NEW: Merged with GPL 380_7378
Notable changes:
* Port forwards can select a specific source IP
* Security fixes for CVE-2017-5891, CVE-2017-5892
and CVE-2017-6547
Note:
* If you are experiencing new wifi stability
issues, try disabling Airtime Fairness on
the Wireless -> Professional page (on all
bands).
- NEW: Option to disable Wanduck's constant DNS probing
for WAN state (Tools -> Other Settings)
- NEW: Allow disabling the use of DH, by entering
"none" in the DH field for OpenVPN server config.
- NEW: Added new Internet redirection mode to OpenVPN clients
called "Policy Rule (Strict)". The difference from the
existing "Policy Rule" mode is that in strict mode,
only rules that specifically target the tunnel's
interface will be used. This ensures that you don't
leak traffic through global or other tunnel routes,
however it also means any static route you might have
defined at the WAN level will not be copied either.
- CHANGED: Ovpn importer now recognizes the "port" and
"reneg-sec" parameters.
- CHANGED: Ovpn importer now support a third argument for
the "remote" parameter, allowing to specify the
protocol.
- CHANGED: Updated Tor to 0.2.9.10
- CHANGED: Updated nano to 2.8.1
- CHANGED: Updated OpenVPN to 2.4.2
- CHANGED: Updated LZ4 to 1.7.5 (used by OpenVPN)
- CHANGED: SSL certificate generated for httpds will now
contain SANs for hostname, router.asus.com, IP
and DDNS hostname.
- CHANGED: Make minidlna always use the same uuid, based on
the LAN MAC (original patch by john9527)
- CHANGED: Better feedback provided when an ovpn file upload
generates a problem due to a key/cert that's
not provided inline. Inform the user which of
these he will need to manually provide.
- CHANGED: Disable bridge multicast_snooping, as this should be
unnecessary, and it could interfere with EMF, UPNP and
other multicast applications. Can be re-enabled from
the Tools -> Other Settings page.
- REMOVED: The Virtual Server page no longer allows users to
edit existing port forwards (our existing code is
incompatible with Asus's newer webui code and will
need to be re-implemented.)
- FIXED: WOL page fails to load if adding a client with a
quote in its name.
- FIXED: Couldn't add a DHCP reservation client if its name
contained a quote.
- FIXED: New outbound connections weren't logged if firewall
logging was enabled.
- FIXED: OpenVPN server didn't always work properly in udp mode
when in a dual stack IPv4/IPv6 environment (backport
from GPL 382_9736)
- FIXED: When disabling NCP support in OpenVPN, the router
could still be trying to use it if the remote end
had it enabled.
- FIXED: Potential CVE-2016-10229 security issue in kernel
(unsure whether our kernel was vulnerable or not)
- FIXED: ovpn file import would fail to import auth hash or
cipher if they weren't uppercase.
- FIXED: Couldn't edit SMB permissions if the disk had
multiple partitions (Asus bug) (patch by
Jeremy Goss)
- FIXED: Exporting a client.ovpn file with no existing CA
could generate garbled output in the generated
file.
380.65_4 (28-Mar-2017)
- FIXED: Various LAN/WAN issues with the RT-AC3200 due to
incorrect GMAC state checks (Asus bug) (patch
by john9527)
- FIXED: Some models would sometime randomly fail to start one
of their wifi radio, possibly due to a hardware design
issue. Partly revert the 380.65 changes that removed
the automatic reboot if one radio was disabled at boot
time, but reduced the maximum number of reboots to 1.
380.65_2 (10-Mar-2017)
- FIXED: CVE-2017-6549 (implemented temporary workaround,
until a proper fix from Asus)
- FIXED: CVE-2017-6548 (backport from GPL 7266)
- FIXED: WOL page fails to load if adding a client with a
quote in its name.
- FIXED: Couldn't add a DHCP reservation client if its name
contained a quote.
380.65 (3-Feb-2017)
- NEW: Merged with parts of Asus GPL 380_4180, left out
most of it because of too many bugs in it.
- NEW: Upgraded to OpenVPN 2.4.0, and implemented support
for many of its new features:
* GCM ciphers
* LZ4 compression
* tls-crypt (uses the Static Key field)
* Cipher negotiation (NCP), with (optional)
fallback to legacy "cipher" parameter when
an OpenVPN 2.3 client connects to the
router's 2.4 server.
Please refer to the OpenVPN 2.4 documentation for
more info on these new features.
You will be warned if any server setting would
generate an exportable ovpn file that would be
incompatible with older clients.
Existing client config shouldn't need to be changed,
unless you modify the router's server configuration.
- NEW: Upgraded Busybox to 1.25.1 (patch by theMIROn)
- NEW: Added the following Busybox applets: ntpd, time, uniq,
xargs and getopt, for feature parity with John's fork.
- NEW: Option on Media Server page to enable minidlna's
built-in status web page. Default URL is
http://router.asus.com:8200 .
- NEW: Support for Vodafone R226 USB LTE (patch by
Gernot Pansy)
- NEW: New "update-notification" user script, that gets run
when a scheduled firmware check detects a new version
is available.
- CHANGED: Removed support for all RC ciphers on OpenVPN.
DES is staying for now, but should still be avoided
whenever possible.
- CHANGED: Updated openssl to 1.0.2k
- CHANGED: Updated tor to 0.2.9.9 (0.2.9.x patch by blackfuel)
- CHANGED: Updated nano to 2.7.4.
- CHANGED: hosts file will now give a higher priority to the
user-configured hostname for the router ahead of
hardcoded ones (like router.asus.com).
- CHANGED: Create a system log entry if a new firmware
version is available.
- CHANGED: Display name and icon for clients configured on the
Tor page.
- CHANGED: Streamlined miniupnpd stop/start events during boot,
so there are fewer of them now.
- FIXED: Invalid DUID used when requesting an IPv6 prefix
for some of the newer router models, which would
prevent them from getting working IPv6 (Asus bug)
- FIXED: Network Service Firewall rules not applied
under certain configurations
- FIXED: Port triggering wasn't working if traffic had
been whitelisted by Network Service Firewall
- FIXED: Avahi wasn't rejecting connections from
secondary WAN interface
- FIXED: Sorting clients by connection time would incorrectly
treat 10 hours as shorter than 9 hours, as it was
handling it as a string (Asus bug)
- FIXED: Exported ovpn client file wouldn't use the
user-configured hostname when using DDNS custom mode.
- FIXED: Exported OpenVPN client config didn't work when
using static key authentication.
- FIXED: Exported OpenVPN client config wasn't editable with
Notepad, the default editor used by Windows's
OpenVPN GUI.
- FIXED: OpenVPN was killed too quickly on disconnection,
causing issues when using explicit-exit-notify
(patch by john9527)
- FIXED: OpenVPN client/server instances weren't properly
restarted on a WAN restart (patch by john9527)
- FIXED: Some models (N66/AC66/AC5300) would reboot 3 times
if one of the radios was found disabled by the user
while booting (Asus bug).
- FIXED: Webui layout was broken under Chrome 56.
380.64_2 (8-Jan-2017)
- FIXED: IPv6 client list failing to properly show hostnames
(regression in 64_1)
- FIXED: A few potential buffer overruns in httpd
380.64_1 (6-Jan-2017)
- FIXED: Security issues in httpd (backport from GPL 4180 +
additional fixes of my own)
380.64 (16-Dec-2016)
- NEW: New firmware availability notification. The router will
notify you if a new firmware is available, and will also
let you view the changelog before sending you to the
download page (the update process remains manual).
Note that the automated check will only report new
final releases. The Check button on the Firmware Upgrade
will immediately check for final releases or beta (if you
select that option), but not both at the same time.
- NEW: Added iptables MASK support on MIPS kernel (patch
by john9527)
- NEW: Webui warning shown in the notification area if running
low on free nvram.
- CHANGED: Updated nano to 2.7.1.
- CHANGED: Updated OpenVPN to 2.3.14.
- CHANGED: Updated curl to 7.51.0, resolving numerous security
and stability issues.
- CHANGED: Tor clients will now route other TCP ports than just
80/443, and drop UDP and ICMP traffic (patch by
blackfuel)
- CHANGED: QoS Stats info will automatically refresh every
3 seconds (user-configurable)
- CHANGED: IPTraffic charts now show sorted slices, so the
clients with the least traffic will get grouped
under "Others" if truncating the list of shown
clients.
- CHANGED: Enabled IPv6 support in curl.
- CHANGED: Improved webui performance, by caching large static
Javascript files such as jquery, and increased cache
life from 5 mins to 1 hour.
- CHANGED: No longer include Download Master packages in the
firmware for those models that still included them,
reducing firmware size by a few megabytes.
Those were always outdated, the router will download
the latest versions from Asus's servers at install
time.
- CHANGED: Improved webui protection against CSS/XSS attacks
(backport from GPL 4164)
- FIXED: Web server crash if importing an ovpn file with an
invalid key or certificate (Asus bug)
- FIXED: App icon at the top wouldn't work on Firefox,
generating a Javascript error (Asus bug)
- FIXED: Firefox would sometime fail to display the client
list, reporting a JSON parsing error in the console.
- FIXED: HMAC setting not properly set when importing an ovpn
file for a config based on TLS authentication mode.
(backport from GPL 4164)
380.63_2 (12-Nov-2016)
- CHANGED: Added detection for iPhone 7 models in networkmap
(patch by Andrei Coman).
- CHANGED: Enabled --dns-loop-detect support in dnsmasq
- CHANGED: Move Dual WAN static routes to a lower priority, so VPN
policy rules will have priority over them
- FIXED: Traditional QoS labels were off by one on the Stats page.
- FIXED: Adaptive QoS upload stats couldn't be retrieved because
qosd seems to be hardcoded to always set up classes on eth0
rather than on the real WAN interface.
- FIXED: USB driver was removed too early at shutdown time on the
RT-AC56U and RT-AC87U (fix by john9527)
380.63 (6-Nov-2016)
- NEW: QoS Statistics page, showing the amount of traffic assigned to
each available classes, as well as the current throughput.
- NEW: Charts added to various Traffic Monitor pages.
Note that you can click on legend items to reveal/hide the
DL/UL data. Hovering over a bar or a pie slice will
display the exact value for that item.
- NEW: Added pc_delete() to the helper script (patch by john95287)
- NEW: IPv6 firewall now supports fixed interface ID (EUI64) ipv6
destination addresses (Patch by john9527)
- CHANGED: Updated Tor to 0.2.8.9
- CHANGED: Updated OUI database.
- CHANGED: ipset was updated to version 6.29 on ARM models.
IMPORTANT: this means you will probably need to
update your script to the new syntax. You need to
load the xt_set.ko module at the start of your script.
There has been no change to MIPS models, due to their
older kernel. (original code by Shibby and Victek,
Asuswrt port by john9527) (ARM only)
- CHANGED: OpenVPN policy rules now start at prio 10000 instead of 1000
- CHANGED: Added help popups to various settings that are unique to
Asuswrt-Merlin.
- FIXED: Custom group/shadow/passwd weren't applied at boot time.
- FIXED: CVE-2016-5195 (Dirty COW) vulnerability in kernel
(patches by blackfuel and Joseph A. Yasi)
- FIXED: Network Service Filter rules would only apply to clients
under Parental Control if that was enabled (original
debugging by john9527) (Asus bug)
- FIXED: A few memory leaks in httpd and rc services.
380.62_1 (29-Sept-2016)
- CHANGED: Updated OpenSSL to 1.0.2j
380.62 (23-Sept-2016)
- NEW: Added nano 2.7.0 (user-friendly text editor)
Documentation: https://www.nano-editor.org/dist/v2.6/nano.html
Note that for space reasons, some of its features are disabled
for the RT-N66U and RT-AC66U. Entware users might want to
uninstall the Entware version if they had it installed and want
to use the built-in version instead.
- NEW: Option to toggle the display of passwords on the PPTPD and
OpenVPN server pages.
- NEW: Allow providing a vendor class on the WAN page (DHCP option 60)
- NEW: Add option to disable sending a RELEASE request when odhcp6c
exits, allowing you to retain your received prefix with some
ISPs.
- CHANGED: Updated nettle to 3.2 (used for dnssec) and increased
optimization level.
- CHANGED: Updated minidlna to 1.1.6
- CHANGED: Updated OpenVPN to 2.3.12
- CHANGED: Updated OpenSSL to 1.0.2i
- CHANGED: Revamped the Wireless Log page:
- Merged some columns to gain more horizontal space
- Longer hostname shown (truncated names are now
shown in a tooltip)
- Display clients' IPv6 if they have one
- CHANGED: Accept up to 250 characters for OpenVPN client's
username and password (one provider needs 64).
- CHANGED: Hide the WPA key on the Wireless config page, and only
reveal it when you click on the field to edit it.
- FIXED: OpenVPN client shouldn't display policy routing settings
when using a TAP interface.
- FIXED: DSL/ATM overhead setting was visible on MIPS models, which
don't support it.
- FIXED: Editing OpenVPN or PPTP users with any value longer than
32 chars could lead to corruption of the user list.
- FIXED: Custom config file for igmpproxy wasn't working.
- FIXED: After turning off a Guest network, the next visit to the
Wireless Settings page would show that guest network's settings
instead of the parent band settings (Asus bug)
- FIXED: Smart Connect rules didn't apply on the RT-AC88U (backported
fix from 380_3941).
- FIXED: Numerous memory leaks in the networkmap service. (Asus bug)
- FIXED: Potential buffer overrun in the networkmap service. (Asus bug)
- FIXED: Broken IPv6 connectivity if enabling SSH brute force
protection (only MIPS models were affected)
- FIXED: 5G LED would fail to turn back on when exiting stealth mode.
- FIXED: Only hostname was used as remote server in an exported
OpenVPN client config when using Namecheap DDNS.
- FIXED: Security vulnerability (XSS/CSR) in httpd (backported
fix from 380_4005).
- FIXED: Chrome would try to autofill some fields (such as on the
DDNS configuration page), which could be problematic.
- FIXED: IPTraffic database was no longer properly named after
the router's MAC address on the AC88/AC3100/AC5300.
If you recently enabled it, you will need to either
re-create a new database, or rename the existing
database from tomato_cstats_000000000000.gz to
tomato_cstats_XXXXXXXXXXXX.gz, where "XXXXXXXXXXXX" is
your MAC as found with "nvram get et2macaddr", in
lowercase (AC88/AC3100/AC5300 only).
Regular traffic monitoring (stored in
tomato_rstats_XXXXXXXXXXXX.gz) is fine.
380.61 (4-Aug-2016)
- FIXED: Connected OpenVPN clients reporting as disconnected
on the status page following any wireless config change
(Asus bug)
- FIXED: OpenVPN server would report being "Initializing"
while it already was ready, following any
wireless config change (Asus bug)
- FIXED: Various stability issues with minidlna (reverted some
of Asus's customizations)
380.61 Beta 1 (31-July-2016)
- NEW: Merged with GPL 3831.
- CHANGED: updated dropbear to 2016.74.
- FIXED: Do not enforce b/g mode as "auto" if wireless mode
is also set to Auto.
380.60
There was no non-beta release, due to limited model support
and unsolved WAN stability issues.
380.60 Beta 2 (5-July-2016)
IMPORTANT: The firmware image file format was changed by Asus.
Starting with 380.60, you will no longer be able to
flash versions older than 380.60, or Asus versions
older than 3.0.0.4.380_3000.
You can currently downgrade by using Firmware Recovery
mode, but there's not guarantee that this will keep
working in the future.
- NEW: Merged with GPL 3479. This includes the new file format
required for certification purposes.
- NEW: Option to enable overhead calculation on Traditional QoS
for DSL users (ARM-only)
- NEW: Option on System page to disable the new forced
redirection to router.asus.com (defaults to disabled)
- CHANGED: Updated OpenVPN to 2.3.11
- CHANGED: Allow to specify IPv6 prefixes up to 126 on the IPv6 config
- CHANGED: Networkmap will now announce itself as "Asuswrt/networkmap"
when connecting to LAN's web services.
- FIXED: OpenVPN server instances weren't properly reporting
if an error occurred at start time.
- FIXED: wget was unable to access https site due to not
having a CA bundle to verify certificates
- FIXED: odhcp6c was sending bogus preferred prefixes, so
anything larger than 64 could result in an invalid
prefix
- FIXED: Language selector is missing on router set for the
JP region (reverted Asus change)
- FIXED: Client names with single quotes couldn't be edited
in the networkmap client popup (Asus bug)
- FIXED: Router wouldn't run SMB to provide browser master
or Wins services if no USB disk was plugged
- FIXED: Router would sometime fail to renew a WAN DHCP lease.
(fix by theMIROn)
380.59 (10-May-2016)
- NEW: Merged with 380_2697 GPL. This includes beta MU-MIMO support for
the RT-AC87U/AC88U/AC3100/AC5300, and IPTV fixes.
- NEW: Option on OpenVPN client/server page to reset them back to the
factory default settings.
- EXPERIMENTAL: Added support for codel and fq_codel to ARM models
(RT-AC56U and newer).
When enabling Traditional QoS or Bandwidth Limiter,
you can now change from the default sfq queue
discipline to codel or fq_codel.
(based on Kyle Sanderson's Tomato backport)
NOTE: Traditional QoS is currently broken on the
newer models (RT-AC88U and up). This is a known
issue in recent Asus releases.
- CHANGED: WAN -> NAT Passthrough now allows you to determine whether or
not to load the NAT helper module for h323, rtsp and sip.
Asus's old behaviour is "Enabled + NAT Helper".
- CHANGED: DNSFilter client dropdown now uses Asus's new one integrated
with networkmap.
- CHANGED: minidlna now supports refreshing an existing database, so the
Tweak setting was updated accordingly
- CHANGED: Enable SPNEGO support in Samba
- CHANGED: Integrated Asus's networkmap into the DHCP reservations page
- CHANGED: Updated Tor to 0.2.7.6
- CHANGED: SSH WAN access will also work over IPv6
- CHANGED: Updated miniupnpd to 2.0
- CHANGED: Fields on the DHCP static lease page are now sortable
(original patch by Allan Jensen)
- CHANGED: Updated openssl to 1.0.2h
- FIXED: Daily/Monthly traffic monitoring shows invalid values on the
RT-AC88U/3100/5300, even with CTF disabled. Implemented a
temporary workaround.
- FIXED: WPS wasn't working on the RT-AC3200
- FIXED: Backported security fixes from OpenWRT to Samba 3.6.25,
addressing the following:
CVE-2015-5252, CVE-2015-5370, CVE-2015-5296,
CVE-2015-5299, CVE-2015-7560, CVE-2016-2110,
CVE-2016-2111, CVE-2016-2112, CVE-2016-2115,
CVE-2016-2118.
- FIXED: OpenVPN clients set to policy-based routing and Exclusive
DNS mode were still adding the tunnel nameservers to
dnsmasq, causing both routed and non-routed clients to use
them.
380.58 (20-Mar-2016)
- NEW: Merged with 380_1354 GPL
- NEW: Added Tweaks and Hacks settings to Tools -> Other Settings.
These are UNSUPPORTED tweaks, intended mostly for
experimentation, or very specific situations. If unsure how
to apply these, manually reboot after changing them.
One of new settings there lets you disable hourly network
rescans, to resolve issues with NAS/printers coming out
of sleep every hour.
- NEW: Added setting to configure OpenVPN's auth digest algo.
- NEW: Added setting to configure OpenVPN's logging verbosity.
Note that this setting is global to all clients/servers.
- CHANGED: Updated OpenVPN to 2.3.10
- CHANGED: Updated openssl to 1.0.2g
- CHANGED: Updated miniupnpd to 1.9.20160222
- CHANGED: Updated udpxy to 1.0-build 23-10 (backport from GPL
380_2345)
- CHANGED: if you set an OpenVPN client DNS mode to "Exclusive"
and you enable policy-based routing, then those policies
will also determine which DNS to use (the tunnel's or
the ISP's). This is based on DNSFilter's technology.
You no longer need to use DNSFilter to control
the DNS used by your OpenVPN clients.
- CHANGED: Made OpenVPN traffic bypass CTF, which resolves
some throughput issues with it
- CHANGED: Disabled X11 Forwarding support in Dropbear,
for security reasons.
- FIXED: PPTP static route handling script was broken
- FIXED: minidlna would check for the wrong database filename
at start time
- FIXED: Wrong status shown for VPN Client 3
- FIXED: OpenVPN clients were run on the wrong CPU cores.
Now, odd instances correctly run on the second core.
- FIXED: Using DNSFilter with default mode set to "router" would
prevent using the router for IPv6 lookups.
- FIXED: Account limit wasn't properly allowing up to 10
clients for SMB/FTP (patch by vit9696)
- FIXED: Having multiple OpenVPN clients configured with
multiple "Accept DNS configuration" modes would
only apply the last client's setting. Now, we
apply the most restrictive setting of all
configured clients.
- FIXED: RT-AC68U 2.4 GHz was broken if CTF was disabled
(downgraded wifi driver to 6.37.14.105)
- FIXED: Diasbling the SIP NAT helper would also drop all port 5060
traffic. Some users need to keep the SIP helper disabled
with their SIP client. Reverted that GPL 858 change.
380.57 (24-Dec-2015)
- NEW: Merged with 380_1031 GPL
- NEW: Added RT-AC3100 and RT-AC5300 support
- NEW: Added RT-AC68U HW Revision C1 support
- NEW: Backup/Restore of the content of the JFFS
partition (under Administration Restore/Save Settings)
- NEW: Added DNSSEC support. Can be enabled under LAN -> DHCP.
- NEW: Added custom/postconf support for igmpproxy.conf.
- CHANGED: Increased user account limit from 16 to 32 on
the VPN server pages.
- CHANGED: Updated e2fsprogs to 1.42.13
- CHANGED: Increased maximum entries in Parental Control
(time scheduler) to 32.
- CHANGED: Updated miniupnpd to 1.9.20151119.
- CHANGED: Updated Openssl to 1.0.2e.
- CHANGED: Downgraded Dropbear to 2014.66, too many issues in
the newer releases.
- CHANGED: Improvements to VPN Status page
- FIXED: CTF not automatically disabled when enabling IPTraffic.
- FIXED: Openvpn clients 3 through 5 were all run on the first
CPU core. They are now properly alternated like the
first two (odd on CPU1, even on CPU0)
- FIXED: smb.log generated by networkmap could fill up RAM
- FIXED: upnpc_xml.log generated by miniupnpc could fill up RAM
- FIXED: Inconsistant names used on IPTraffic and Sysinfo page.
Now, we give priority to any description manually entered
on the networkmap, followed by static hostname, then any
current (lease) hostname.
- FIXED: MAC queries sent to the OUI database were broken due to
changes on the IEEE website
- FIXED: Applying changes to OpenVPN client page would start the
client even if it was disabled/stopped.
378.56_2 (2-Nov-2015)
- CHANGED: Reverted the memory buffering optimization
for ARM devices, as people keep panicking
over the lower amount of free RAM. You can
manually re-enable the optimization by setting
"drop_caches=0" in nvram.
- CHANGED: Allow using a port < 1024 for http(s) webui
interface.
- FIXED: EMF wasn't working on AC56/AC68/AC87.
- FIXED: Couldn't connect to ISPs using VLANs (RT-AC87U)
- FIXED: Editing Port Forward entry with ellipsis in
the description or the port range would
still edit the shortened version instead
of the full content.
- FIXED: Debug log from mDNSNetMonitor could gradually
fill up RAM - disabled it.
- FIXED: Router crash if pasting SSH key > 2047
characters.
- FIXED: Editing an entry on the networkmap would
clear the hostname if entry existed in
the DHCP static list.
- FIXED: OpenVPN server in secret key mode
would fail to start.
- FIXED: Couldn't add entries to the MAC Filter list
of Guest Networks (reverted our previous
implementation which conflicted with
Asus's new one).
- FIXED: NTP failing to refresh for some cases.
Implemented temporary workaround.
- FIXED: Some services not properly starting at
boot time (like Parental Control or Tor)
378.56 (25-Oct-2015)
NOTE: There is no 378.56 build for the RT-N66U at
this time, as Asus hasn't released updated
source code for this model yet, and there are
new closed source binary components that are
necessary for this new release.
Make sure to read the changelog of the two
previous betas for the complete list of
changes since 378.55.
- CHANGED: Nameserver handling is more resilient to
scenarios where dnsmasq fails to start due
to a broken configuration
- FIXED: PPTP/L2TP client page broken on French locale
- FIXED: Entries on the Virtual Server page with ellipsis
in their name or port range weren't properly
copied to the Add fields when edited.
- FIXED: Additional fixes to truncated hostnames related
to networkmap
378.56 Beta 2 (18-Oct-2015)
- CHANGED: Increased Guest MAC filter entries limit to 64.
- CHANGED: DHCP query logging no longer override configured
syslog level, and option was renamed to "Hide queries"
to be more intuitive in regard to the level logging
configured.
- CHANGED: Enabling Hide DHCP queries also silences any RA
routine event.
- CHANGED: Reverted networkmap's printer detection change
as it didn't resolve the printer wakeups.
- CHANGED: Reorganized settings on the System page
- FIXED: QoS page layout in Firefox
- FIXED: curl wasn't using the firmware's CA list (regression)
- FIXED: Models with 128 KB support were only reporting 64 KB
in the nvram userspace tool
- FIXED: Traditional QoS not working when IPv6 is enabled
(patch by charlie2alpha)
- FIXED: Smart Connect page fails to save interface policies
- FIXED: VPNStatus page was broken on French locale
378.56 Beta 1 (12-Oct-2015)
- NEW: Merged with GPL 9177.
- NEW: Added support for the RT-AC88U.
- NEW: Support for Russian ISP Telenet (code by theMIROn)
- NEW: ipset support in dnsmasq (patch by ryzhov_al)
- NEW: default loglevel is now configurable and defaults to
5 (notice) instead of 0 (emergency)
- NEW: local syslogd loglevel is now configurable through the webui.
- NEW: Support for extra-certs in OpenVPN
- NEW: Editable DHCP static leases list, virtual servers, port triggers.
- NEW: IP addresses on the Network Service Filter page can now be
subnets in CIDR format (i.e. 10.0.0.0/24)
- CHANGED: Updated miniupnpd to 20150723 snapshot
- CHANGED: Updated openvpn to 2.3.8
- CHANGED: Updated dropbear to 2015.68 + upstream patches
- CHANGED: Updated minidlna to 1.1.5.
- CHANGED: Support up to 5 different OpenVPN clients (to match Asus)
- CHANGED: Maximum openvpn policy rules reduced from 128 to 100, fewer
priority slots wasted in the RPDB tables (could have been a
problem with the increase in the number of supported clients)
- CHANGED: Improvements to VPN Status page
- CHANGED: Connection failure reason shown on the OpenVPN client
configuration page.
- FIXED: Router crash when an invalid or corrupted DH parameter
is used on an OpenVPN server configuration.
- FIXED: 2.4 GHz temperature would be missing on the Sysinfo
page when disabling the 5 GHz radio on the RT-AC3200.
- FIXED: Max tracked connection limit wasn't user-editable
- FIXED: Resource leaks in ez-ipupdate if an update failed
- FIXED: Networked printers coming out of sleep every time
networkmap queried their LPR service
- FIXED: Resource leak in networkmap when scanning for
printer servers
- REMOVED: Regulation mode setting on Wireless -> Professional.
This can't be adjusted anymore, as it was moved to
a closed source component.
378.55 (17-July-2015)
- FIXED: DHCP lease page could get confused by IPv6 clients on
the LAN.
378.55 Beta 2 (11-July-2015)
- CHANGED: Updated dnsmasq to 2.73 RC9 (backport from GPL 6975)
- CHANGED: Updated odhcp6c to newer version (backport from GPL 6975)
- CHANGED: Updated openssl to 1.0.2d (fixes CVE-2015-1793, only present
in Beta 1 - 54_2 was not affected)
- CHANGED: Display existing key/certs on the OpenVPN pages once
they've been migrated to JFFS.
- FIXED: Time scheduler-related features (Parental Control & Wifi
scheduler) were broken (backported fix from Asus's GPL 6975)
(beta 1 regression)
- FIXED: QTN firmware was still being copied to RAM rather than rely
on the symlink to flash added in Beta 1, to save 4 MB of RAM.
(AC87U)
- FIXED: Dropbox cloud sync would fail on some setups (backport
from GPL 6975)
- FIXED: Entware-setup script would generate an invalid services-start
script
- FIXED: Duplicate zoneedit entry on the DDNS service list.
378.55 Beta 1 (3-July-2015)
- NEW: Merged with GPL 6117. Notable changes from Asus:
o New token-based webui authentication (more secure)
o OpenVPN certificates moved to JFFS2, saving nvram.
key/cert fields will show up empty on the webui,
any new key/cert you paste will be written back
to /jffs/openvpn/ . This means that if you revert
back to a previous version, your key/certs will
no longer be in nvram, so OpenVPN instances will
fail to start.
o New network client list on the network map
o CTF support for PPTP/L2TP WAN (Russian ISPs) (ARM)
- NEW: Reformatted DHCP lease list under System Log.
- NEW: Reformatted Port Forward page under System Log.
- NEW: Reformatted Route Table page under System Log.
- NEW: Reformatted IPv6 Status page under System Log.
- NEW: Display more details about UPNP/NAT-PMP/PCP redirections
on the Port Forward page.
- CHANGED: The JFFS2 partition is now always enabled, as it is
required by various firmware functions. The options
to format it or to enable/disable user config/scripts
remain configurable.
- CHANGED: Updated OpenVPN to 2.3.7.
- CHANGED: Updated OpenSSL to 1.0.2c.
- CHANGED: Use a pre-generated 2048-bit DH from RFC 3526 instead of
generating our own when doing the first time setup for
OpenVPN servers. This is necessary as openssl 1.0.2b and
up now reject 512-bit DHs, and generating a 1024-bit
would take far too long on a router.
The end-user still has the possibility of providing his
own - as long it's 1024-bit or stronger.
- CHANGED: Updated minidlna to upstream Git snapshot from 2015-06-26,
and switched to the newer build system.
- CHANGED: Upgraded ffmpeg from 0.6.0 to 0.7.17.
- CHANGED: Accept DHCP lease duration of up to 31 days on the DHCP page
- CHANGED: No longer regularly flush caches from memory on ARM
router. This will mean a lower amount of free memory is
shown, however that memory gets freed whenever something
actually needs it, so this is normal. (ARM)
- CHANGED: Display the size of cache memory on the Tools -> Sysinfo page
- CHANGED: Improvements to the Networkmap (ability to remove an entry,
removed the alert() from modifying an existing entry)
- CHANGED: Save over 4 MB of RAM on the RT-AC87U by not copying
the QTN firmware to RAM (RT-AC87)
- FIXED: Wireless Log page would fail to load if the SSID
contained certain characters
- FIXED: Wireless Log page would fail to load when in Media Bridge
mode on the RT-AC87U
- FIXED: DDNS page would complain about an empty account field
when setting it to CUSTOM with no prior value in that field.
- FIXED: Automatically generated DH was too weak (512-bit) and
preventing clients based on newer OpenSSL releases from
connecting. We automatically replace any weak PEM with our
2048-bit one.