1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Fix CVE-2014-0160 without flash?

Discussion in 'Tomato Firmware' started by jan.n, Apr 8, 2014.

  1. jan.n

    jan.n Addicted to LI Member

    Hi all,

    I have a RT-N66U running on Shibby 109, the motd reads "Tomato v1.28.0000 MIPSR2-109 K26 USB AIO-64K". This has OpenSSL 1.0.1c and as such, is vulnerable to CVE-2014-0160.
    I understand that the RT-N branch is EOL and I must use the RT-AC branch. However, there hasn't been any activity in git lately, and the latest versions to download are 116-PL (April 1st) and 116-EN (January 10).

    I do not expose any services and my router is only accessible via ssh with a private key and a complex password, so there no immediate action is required. I'd like to upgrade nontheless.

    My questions are:
    1) I'd like to stick to Shibby's image, is he still active?
    2) Is it possible to fix the CVE-2014-0160 without flashing a new firmware?
    3) What's the most actively developed Tomato firmware?
  2. Mangix

    Mangix Networkin' Nut Member

    1: yes. He does not always push to git though. You just need patience.
    2: No. Just add -DOPENSSL_NO_HEARTBEATS to the OpenSSL Makefile. Compiling is not difficult.
    3: Shibby

Share This Page