Ars technica reports
on the recently disclosed OpenWRT package verification vulnerability. The
headline may be a bit overwrought, though. “These code-execution
exploits are limited in their scope because adversaries must either be in a
position to conduct a man-in-the-middle attack or tamper with the DNS
server that a device uses to find the update on the Internet. That means
routers on a network that has no malicious users and using a legitimate DNS
server are safe from attack.” It also assumes that people actually
update their routers, which seems unlikely in most cases in the real world.

Source: LWN.net – OpenWRT code-execution bug puts millions of devices at risk (ars technica)