Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[jclarkw]

I notice that D-Link has finally replaced FW 1.04B11 on their support site (DIR-645, all HW versions, NA region), dated 12/4/13.  The .BIN file itself is dated 6/14/13, however, and appears identical to the one previously available through this forum.  There are currently no updated release notes since B10 on the support site, so it isn't clear exactly how B11 differs from B10.  Anyhow I guess it's once again an official release...

The earlier thread announcing release of 1.04B11 seems to have disappeared along with the link to the vulnerability that it may have addressed (I can't find that anymore).  Does anybody know if this build actually fixes that vulnerability?  Are there other important reasons for flashing it on top of B10? -- jclarkw

[FurryNutz]

Thank you for letting us know.

I'll post it when I get official information regarding it. Please be patient.

http://forums.dlink.com/index.php?topic=56969.0

[FurryNutz]

Ok, information forth coming soon and should be posted on the main site soon.

Also, got word that the 645 is now headed to EOL. 

[FurryNutz]

Release notes updated.

[jclarkw]

Release notes updated.

Thanks!

[jclarkw]

Release notes updated.

Interesting:  The only vulnerabilities listed in these release notes that were not already listed in the previous release notes for Build 10 (dated 06/11/2013) are the three fixes for "Buffer overflow" and the three for "(CSRF)."

I don't see the "Michael Messner/D-Link UPnP OS Command Injection" vulnerability listed even though Build 11 supposedly fixes it -- see http://www.exploit-download.com/search/cgi/96.  Another vulnerability reported fixed in the same site but not listed in the release is "m-1-k-3/Multiple D-Link Devices - OS-Command Injection via UPnP Interface"..  (I don't allow UPnP, so this isn't really an issue for me.)

Of potentially more concern (apparently -- I don't really understand the jargon) is the statement, also on the same site, "D-Link devices DIR-300 rev B, DIR-600 rev B, DIR-645, DIR-845, and DIR-865 suffer from a remote command injection vulnerability. The vulnerability is caused due to missing input validation in different XML parameters."  This is not reported as fixed, as far as I can tell.

There's another reference at http://www.osvdb.org/show/osvdb/94924 that might be describing one or more of the above and reports that Build 11 solves the problem.

Anyhow it appears worthwhile to flash the new build.  Agreed?  Or can you help clarify the issues?

[FurryNutz]

I'd go with upgrading man. Unless your really having troubles with what is listed in the notes, upgrading and have some peace of mind. I personally haven't experienced issues with this router other what what you have found and brought to our attention, and during its life time and I think it's still a great router. Sorry to see it go into EOL. From my understanding, unless there is any more critical issues found, no more FW will be forth coming. 


Enjoy.

[jclarkw]

...I personally haven't experienced issues with this router other what what you have found and brought to our attention, and during its life time and I think it's still a great router...

Thanks!  Maybe I'll buy another before they disappear (still available "fulfilled by" Amazon, and cheap).  I have a very old Netgear router at another location... -- jclarkw

[FurryNutz]

  Good little routers. I've enjoyed mine...