Critical PPP daemon flaw: Plugin Updates not available for GL-MV1000 / Brume


As you wrote here:

… we need to update our gl.inet-Devices.

But after deletion there are no updated versions of “ppp” and “ppp-mod-pppoe” available.
Only the old insecure versions.
The “Update all plugins”-button does not change this, neither does a reboot of the router.
(screenshots from Brume-Admin-Interface, using v.3.102):
So: Where do we get the updated Plugin-Versions of ppp and ppp-mod-pppoe?
Bildschirmfoto 2020-04-12 um 09.01.26

After further investigation (could update slate and ar-750 to updated secure plugins wit no problem, both using standard “release” Firmware) I noticed:
This issue relates to this one mentioned here:

For gl.iNet mv-1000/Brume, there is no updated/secure list of plugins?
Can you please confirm & give an option to update those plugins?

I thought the problem concerned the pre-release"testing" firmware of mv-1000/Brume.
So I reinstalled the official “release”-Firmware … but even then: The Plugins-list does not reflect the secure versions necessary (2.4.7-13)

Thanks for a reply

You should know that the ppp daemon is only used if you connect to an ISP and use something like PPPoE directly on the router via for example a DSL line. If you are using a gateway at home from your ISP, that one is already configured and your GL router will not use the ppp daemon at all.

So this vulnerability does not affect most people. You can completely remove the ppp package and you will notice the router still works fine.

Thanks @Johnex
So I just uninstal ppp & ppp-mod-pppoe

Still: would be nice to have the updated/secure list of plugins on the Brume :wink: just for paranoid-stress-relief