The OpenWrt code is now so out of date that the OpenWrt team is no longer providing new patches for the 18.06.x code base.
Recently Alzhao posted:
alzhao
(Why is OpenWRT version in gl-inet routers is a year old? - #2 by alzhao)
The firmware is always based on older openwrt version. Nothing wrong with that.
Security patches will be applied if found.
But this does not seem true, as according to the OpenWrt team there are 7 CVEs with dnsmasq:
Although dnsmasq is used in all GL iNet routers, there have been no patches released by the GL-iNet team for any product running the latest 3.105 or earlier firmware, and there is no pinned posting about the security issue with a list of possible work-arounds. We are all at risk, and NO ONE is getting any support on this security issue. The only thing we can do is wait until the 3.20x code is released and probably deal with a bunch of new bugs so we can get this critical issue fixed.
I am also not optimistic in GL-iNet ever taking security issues seriously with their products. Features before security! Here is another old bug that has yet to be patched: [BUG] 'Override DNS Settings for All Clients' opens up Port 53 to the WAN