OpenWRT code-execution bug puts millions of devices at risk (Ars Technica)
Ars Technica reports on the recently disclosed OpenWrt package verification vulnerability. The headline may be a bit overwrought, though. "These code-execution exploits are limited in their scope because adversaries must either be in a position to conduct a man-in-the-middle attack or tamper with the DNS server that a device uses to find the update on the Internet. That means routers on a network that has no malicious users and using a legitimate DNS server are safe from attack." It also assumes that people actually update their routers, which seems unlikely in most cases in the real world.