- FIXED: Security issues in httpd (backport from GPL 4180 +
additional fixes of my own)
Asuswrt-Merlin 380.64_1 is now available for all supported models.
EDIT3 (6-Jan-2017): Published 380.64_1, which contains security fixes (some from Asus's GPL 4180, and additional
ones from myself).
The main change of this release is the addition of a scheduled check for the availability of a new firmware (in
part similar to what Asus has for the stock firmware).
The highlights of this release:
New firmware availability notification. When a new firmware is available for download, there will be a flashing
icon at the top of the webui. Going to the Firmware Upgrade page will display a popup containing the changelog, and
a button that will take you directly to the download folder for your router model. You must still manually download
and flash your firmware - for security reasons, online flashing is not implemented. The automated check is run
every two days, and you can also manually launch the check from the Firmware Upgrade page (you can also select to
check for the availability of beta firmware versions). Finally, the automated check can be completely disabled,
under Tools -> Other Settings (there's also a link to that setting on the Firmware Upgrade page).
Component updates for OpenVPN, nano and curl.
Tor will now route all TCP ports, not just 80/443.
Improvements to the QoS Stats page: automatic refresh, and fixed the number rounding.
Improvements to the IPTraffic charts: slices are now sorted, and the consolidated slices will always be the least
Download Master installers has been removed from the firmware image for models that still contained them. The
latest packages are always downloaded from Asus' servers at DM's install time. This results in smaller firmware
images for some models (for instance, the RT-AC88U firmware went from 44 MB to 33 MB)
Security enhancements to the webui, to better protect against cross-site attacks (backport from Asus's 4164 GPL)
Webui fixes specific to Firefox (popup linked to the App icon at the top now works, JS errors when accessing the
client list under certain situations was fixed)
Fixes to the .ovpn config file import (crash on invalid key/certs, misconfigured HMAC setting)
As usual, please review the Changelog for the complete list of changes.