Release Asuswrt-Merlin 386.13 / 386.13_2 is now available for AC models

EDIT: 26-April-2024 386.13_2 has been released for the RT-AC86U and GT-AC2900, addressing a security issue in IPSEC (which isn't supported by the other Wifi 5 models).

Changes since 386.13_0:
Code:
386.13_2 (26-Apr-2024)
  - NOTE: This release is only available for the RT-AC86U
          and GT-AC2900.
  - UPDATED: strongswan to 5.9.13 (fixes CVE-2023-41913)

Downloaded, but the release notes were incorrect inside for 388.7. It caused "MerlinAU" add-on to not apply it if the default setting of looking at the release notes was left enabled. Obviously, you can go into add-on settings and toggle this check off.
 
It's the first time I have my build script do both 386 and 388 at the same time, it seems it didn't include the correct changelog in the archive. I've reuploaded them now.
 
Thank you @RMerlin
 
Just as a report from my side: Since installing 386.13 on my AC68U, I have had two occasions where I could no longer access the web UI until I turned off the router. One time I noticed because one device was no longer getting an IP, but other devices on the network still were. So I wanted to manually reboot the router from the UI and couldn’t get in.

I have no idea if this is just coincidence or if it has to do with the new update.

In any case, thanks a lot for all the hard work on this great firmware!
 
If I was to offer an opinion, I’d suggest that your comparatively ancient hardware is showing signs of potentially being at or beyond its limit of capabilities. Perhaps it’s time for it to be put to pasture as a switch or access point or media bridge to a modern Merlin-supported Asus AX router. I’m not too far behind you with my AC86, so I’m feeling your pain at reluctantly letting an old friend go…
 
Haha yeah of course that’s a valid point about the hardware, but I was just offering this as feedback to the newest fw in case anyone else reports similar issues, since it was solid with before. As mentioned, maybe it’s not even the update's fault :)
 
….. As mentioned, maybe it’s not even the update's fault :)
Welcome to the forum.

More than possible: there’s been the odd occasion when Merlin’s brought out a firmware update for my rock solid RT-AC68U, and I’ve put off installing it. And the very next day, for the first time in months, if not years, I’ve had to reboot the router. And my first thought was, if I had gone ahead and installed the update, I’d now be blaming it. Just another facet of Sod’s Law.
 
That's just not true and you know it.
It may or may not be true: we don't have any indication of how they use their network. But it is an old machine that has been surpassed in terms of capabilities, and that gap between what it is capable of and what they (newer models) are built to do will continue to increase. This, of course, has to be reckoned against the user's demands on the network, but in general it's pretty safe to say mobile devices that rely on the latest wifi standards get replaced every 3-5 years and that router is probably a decade old since release, and probably more... so 2 generations or more out of date.
 
If I was to offer an opinion, I’d suggest that your comparatively ancient hardware is showing signs of potentially being at or beyond its limit of capabilities. Perhaps it’s time for it to be put to pasture as a switch or access point or media bridge to a modern Merlin-supported Asus AX router. I’m not too far behind you with my AC86, so I’m feeling your pain at reluctantly letting an old friend go…

lol, nah.

Just as a report from my side: Since installing 386.13 on my AC68U, I have had two occasions where I could no longer access the web UI until I turned off the router. One time I noticed because one device was no longer getting an IP, but other devices on the network still were. So I wanted to manually reboot the router from the UI and couldn’t get in.

I have no idea if this is just coincidence or if it has to do with the new update.

In any case, thanks a lot for all the hard work on this great firmware!

A common occurrence on any iteration of Asuswrt.
 
I see that just over a week after 386.13_0 was released, on 2024/04/15 Asus released RT-AC66U B1 Firmware version 3.0.0.4.386_51685.
I assume given the EOL announcement this is probably the last Asus firmware release for RT-AC66U B1. It contains 8 vulnerability fixes (details here: https://www.asus.com/networking-iot...c66u-b1/helpdesk_bios/?model2Name=RT-AC66U-B1).
Question: Are the vulnerability fixes addressed in Asus 3.0.0.4.386_51685 all taken care of in Asuswrt-Merlin 386.13_0 ?
 
For RT-AC68U I see the following fixes from Asus in their latest 386_51685 from 2024/04/15 https://www.asus.com/networking-iot...ters/rtac68u/helpdesk_bios?model2Name=RTAC68U

- Fixed CVE-2024-3079 and CVE-2024-3080. Thanks to the contribution of swing from Chaitin Security Research Lab.
- Fixed command injection vulnerability.
- Fixed the ARP poisoning vulnerability. Thanks to the contribution of Xin'an Zhou.
- Fixed code execution in custom OVPN. Thanks to the contribution of Jacob Baines.
- Fixed the injection vulnerability in AiCloud.
- Fixed stack buffer overflow in lighttpd. Special thanks to Viktor Edstrom.
- Fixed CVE-2023-35720
- Fixed the code execution vulnerability in AiCloud. Thanks to the contribution of chumen77.
- Fixed the XSS and Self-reflected HTML injection vulnerability. Thanks to the contribution of Redfox Cyber Security.

Merlin's 386.13 is based on GPL 386_51997, which is newer than Asus' latest version. So these vulnerability fixes should be included.
@RMerlin Am I correct with this statement?
 
@RMerlin has stated on another thread [https://www.snbforums.com/threads/current-plans-regarding-separate-version-branches.89312/page-2] that "386_51997 is the final GPL merge for these models". The assumption is that the vulnerability fixes listed by Asus for 3.0.0.4.386_51685 firmware are either included in or not relevant to 386.12 and 386.13, but assumptions can be incorrect. It would be good to know.
 
@RMerlin Am I correct with this statement?
I don't know as I have no idea what specific code changes these fixes are. Some of these aren't even relevant to Asuswrt-Merlin (such as the OpenVPN fixes - we don't use the same OpenVPN code). Asus' releases aren't linear and come from multiple parallel branches, I have absolutely no idea what code comes from what branches.

People ask me the same question over and over every time Asus issues a new release...
 
So Asus have different branches for the same device? I mean, they can get a 386_51685 from several different branches, with different code involved? So which branch did you get when you received 386_51997? Was it the same branch Asus cut out 51685 from? Or another one?

If you ask me, as a developer who adheres to semver whenever I can, this is completely nuts!
 
So Asus have different branches for the same device?
Asuswrt-Merlin is not Asuswrt. I base all 386.xx models on the same code branch, because I don't have the resources to manage 10 separate branches for a given platform. How things are done internally by Asus is only known by Asus, but the fact that different models have vastly different version numbers despite being released within a short period of time indicates they are different branches. This is why for instance they have some routers based on 3006.102.34xxx (ROG and RT models), and others like the ExpertWifi are on version 3006.102.44xxx. Those on the 44xxx branch are definitely not 6 months newer, they are just a separate code branch.

Parallel development isn't anything unusual for such a large project.
 