Entware offering updated openssl 1.1.1j-2 -> 1.1.1k-1

[Wallace_n_Gromit]

I noticed Entware update available from amtm:

8 open nsrum v30.4.0

ep manage Entware packages -> upd avail
- libopenssl 1.1.1j-2 -> 1.1.1k-1


awm Asuswrt-Merlin firmware 386.2.0

This begged a question in my mind.

Might I infer that if you have not updated your Merlin version to 386.2 which has updated to openssl 1.1.1k, for what ever reason, (i.e. some configuration issue that may have forced you back to a earlier Merlin version) that the updated entware package being offered will provide the same openssl 1.1.1k version/security protection on any earlier Merlin firmware version?

 

[ColinTaylor]

No. The updated openssl libraries would only be used by Entware packages, not the rest of the firmware.

 

[Wallace_n_Gromit]

No. The updated openssl libraries would only be used by Entware packages, not the rest of the firmware.

I was guessing that to be the case since even with a router updated to Merlin 386.2 the entware update to 1.1.1k was still being offered, but had to confirm. Thanx

 

[Makaveli]

Just wanted to confirm here.

So if we are on 386.2 do we update this or no?

 

[ColinTaylor]

Whether you choose to update or not isn't dependant on what firmware version you are using. It's the same decision you make when any Entware package is updated. To see what packages use it you can issue this command:

# opkg whatdepends libopenssl
Root set:
  libopenssl
What depends on root set
        openssh-sftp-server 8.4p1-4     depends on libopenssl
        bind-libs 9.17.10-1     depends on libopenssl
        bind-dig 9.17.10-1      depends on bind-libs

I can't think of a reason not to update it.