Security changes - restricting uhttpd addresses
Peter Naulls
peter at chocky.org
Tue Oct 25 13:47:38 PDT 2022
On 10/25/22 16:40, Karl Palsson wrote:
>
> Peter Naulls <peter at chocky.org> wrote:
> If they see what they want to see, then why should anyone else
> get involved in their wish fulfilment?
>
> Security review is fine, security should not be entertained, and
> certainly foisted on other people?
Karl, not sure where you're going with this. You haven't named anything
practical here, apart from suggesting ignoring it.
OpenWrt is widely used nowadays, probably more than most people expect,
security reviews like this are likely to become more common.
I think everyone bothering to read this understands the theatre aspects
of all this that I called out in my original post. Whether things should
actually be fixed (or "fixed") is certainly an open question, but if I
can save someone some future grief, or at least have the discussion,
then I might save myself or someone else some time.
That said, I think that limiting the listening ports of uhttpd is a good
idea. I hardly see any downside to it, apart from maybe adding some
complexity.
More information about the openwrt-devel
mailing list