Fix CVE-2014-0160 without flash?

Discussion in 'Tomato Firmware' started by jan.n, Apr 8, 2014.

  1. jan.n

    jan.n LI Guru Member

    Hi all,

    I have a RT-N66U running on Shibby 109, the motd reads "Tomato v1.28.0000 MIPSR2-109 K26 USB AIO-64K". This has OpenSSL 1.0.1c and as such, is vulnerable to CVE-2014-0160.
    I understand that the RT-N branch is EOL and I must use the RT-AC branch. However, there hasn't been any activity in git lately, and the latest versions to download are 116-PL (April 1st) and 116-EN (January 10).

    I do not expose any services and my router is only accessible via ssh with a private key and a complex password, so there no immediate action is required. I'd like to upgrade nontheless.

    My questions are:
    1) I'd like to stick to Shibby's image, is he still active?
    2) Is it possible to fix the CVE-2014-0160 without flashing a new firmware?
    3) What's the most actively developed Tomato firmware?
  2. Mangix

    Mangix Networkin' Nut Member

    1: yes. He does not always push to git though. You just need patience.
    2: No. Just add -DOPENSSL_NO_HEARTBEATS to the OpenSSL Makefile. Compiling is not difficult.
    3: Shibby
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice