News:

On Tuesday September 6th the forum will be down for maintenance from 9:30 PM to 11:59 PM PDT

Main Menu

Version with shellshock bug fix

Started by JohnBowler, September 25, 2014, 09:55:56 AM

Previous topic - Next topic

JohnBowler

Sherman, or whoever; I noticed a new version for the 202 was released perhaps last night.

Does this fix the shellshock bug?

Can you please advise us of the versions which fix it; it's particularly important for those of us who use Obi devices as the primary internet router (as I do).

John Bowler

OBiSupport

OBi devices and OBiTALK.com are not affected by the Shellshock / Bash vulnerability.

Thank you for your support and for being an OBi customer.

azrobert

I have an OBi200 with build 4420. If there is a new version can someone post the build number.

I have auto firmware update and OBiTalk provisioning disabled, so I don't see when a new version is available. Please keep the "Latest Firmware Updates" up to date. It shows 4350 as the latest build.

giqcass

The firmware at  http://fw.obihai.com/OBi2-latest.fw  seems to be 4350
If you download the firmware and open it with a text editor the firmware version is visible near the top of the file.
Long live our new ObiLords!

SteveInWA

4420 has been out for at least a month for the 20x and 30x series.

http://www.obitalk.com/forum/index.php?topic=8484.0

No,  I don't have the release notes.

Yes, I have been running it for a month with no problems.

Have you tried obtaining it via ***6 ?

giqcass

I checked my archive and the latest I have is OBi202-3-0-1-4420.fw.  I guess http://fw.obihai.com/OBi2-latest.fw doesn't reflect the latest firmware.
Long live our new ObiLords!

azrobert

Quote from: JohnBowler on September 25, 2014, 09:55:56 AM
I noticed a new version for the 202 was released perhaps last night.

Thanks for the comments.
I'm already running 4420. I thought the OP knew something I didn't.

Why isn't OBihai updating "Latest Firmware Updates"?
The builds listed (OBi1xx-2824 and OBi2xx-4350) are the last to support locally configured GV.
Is this why they are not updating the thread?

ceg3

#7
You guys recommending updating manually to 4350 build for an OBi200?  ***6 doesn't prompt for update.  I've never had trouble in the past, but I see people complaining about issues after updates, so I am somewhat cautious about exercising my natural inclination to get the latest.

Actually, if I look close at the link for the firmware it specifically says 202.

3.0.1 (4350) for OBi2 & OBi3 Series: http://fw.obihai.com/OBi202-3-0-1-4350.fw
Various bug fixes and enhancements

giqcass

Quote from: ceg3 on September 26, 2014, 06:33:04 AM
You guys recommending updating manually to 4350 build for an OBi200?  ***6 doesn't prompt for update.  I've never had trouble in the past, but I see people complaining about issues after updates, so I am somewhat cautious about exercising my natural inclination to get the latest.

Actually, if I look close at the link for the firmware it specifically says 202.

3.0.1 (4350) for OBi2 & OBi3 Series: http://fw.obihai.com/OBi202-3-0-1-4350.fw
Various bug fixes and enhancements

I don't recommend updating manually unless you have a reason to do it. 

The 200 and 202 use the same firmware file so if you want to update that link is fine.  Despite saying 202 it is in fact for both.
Long live our new ObiLords!

ceg3

Dang math must not be my strong suit.  I'm already running 4420 and it seems like that would be a higher build number than 4350. ::)

JohnBowler

3.0.1 (Build: 4350) is the current auto-update version.  That update appeared within a couple  of days of Sept. 26, but that seems to have been a release to fix some other problem.  It was pretty quick after the previous auto-update which is why I was worried.  4350 doesn't need (or, perhaps, want) updating.

I interpret the OBIsupport response as meaning that the 202 is using busybox sh, not bash.  I do know it is using a full version of udhcpd, both because I remember this from last time I examined the firmware and because my previously posted udhcpd hack to make the DHCP server handle host names still works.  (That hack is horribly like shellshock, but never mind.)

They don't really need a big shell like bash because most of the software is in the megaserver, and I believe it is the megaserver which is normally updated.  The megaserver implements all the VOIP support *and* a proprietary web browser, so even if they used bash the standard web browser (HTTP header) shellshock exploits probably wouldn't work.  (I know it's a proprietary web server because they do not release source code - if they had copied Apache or similar they would be obliged to release the code of the megaserver, but I've never been able to locate it.)

John Bowler