Little security advisory. According to the RPi Foundation, the Broadcom wireless chip contained in RPi 3 and Zero W is affected by the so-called 'BroadPwn' flaw (please google yourself). Cypress (formerly Broadcom) provided an updated firmware which is part of Raspbian's latest firmware-brcm80211 package, which gets automatically updated on Raspbian based OMV images.
It's really just two simple files replaced (a .txt and a .bin blob). If you're affected by BroadPwn on your Raspberry it's this:
root@raspberrypi:~# md5sum /lib/firmware/brcm/brcmfmac43430-sdio.*
9258986488eca9fe5343b0d6fe040f8e /lib/firmware/brcm/brcmfmac43430-sdio.bin
8c3cb6d8f0609b43f09d083b4006ec5a /lib/firmware/brcm/brcmfmac43430-sdio.txt
root@raspberrypi:~# dmesg | grep brcm
[ 3.063731] usbcore: registered new interface driver brcmfmac
[ 3.261842] brcmfmac: Firmware version = wl0: Aug 29 2016 20:48:16 version 7.45.41.26 (r640327) FWID 01-4527cfab
[ 9.624987] brcmfmac: power management disabled
If you have the fix it looks like this:
root@raspberrypi:~# md5sum /lib/firmware/brcm/brcmfmac43430-sdio.*
5f520a38ab4e943bfa1ba102f80fb2a0 /lib/firmware/brcm/brcmfmac43430-sdio.bin
9a88b55134d9f8f3ad2331b93f4b7b79 /lib/firmware/brcm/brcmfmac43430-sdio.txt
root@raspberrypi:~# dmesg | grep brcm
[ 3.079435] usbcore: registered new interface driver brcmfmac
[ 3.242599] brcmfmac: Firmware version = wl0: Aug 7 2017 00:46:29 version 7.45.41.46 (r666254 CY) FWID 01-f8a78378
[ 9.756847] brcmfmac: power management disabled
Unfortunately on latest RPi OMV image /lib/firmware/brcm/brcmfmac43430-sdio.* is part of armbian-firmware package. So if Wi-Fi/BT is not needed a simple 'apt purge armbian-firmware' already fixes the problem. And doing an 'apt install firmware-brcm80211' makes Wi-Fi usable again with fix included. But it's important to fetch the package from archive.raspberrypi.org and not from upstream Debian repositories since there it's still the old firmware from 2016. On most recent RPi OMV image an 'apt list -a firmware-brcm80211' shows these 3 packages available:
firmware-brcm80211/now 1:0.43+rpi6 all [installed]
firmware-brcm80211/jessie-backports 20161130-3~bpo8+1 all
firmware-brcm80211/oldstable 0.43 all
Next problem: Kernel updates. The kernel we get with current apt source configuration is still 4.9.35 while when switching to stretch sources we would get 4.9.41 'already' (4.9.47 is latest 4.9LTS release but hey...):
root@raspberrypi:~# grep -v '#' /etc/apt/sources.list.d/raspberry.list
deb https://archive.raspberrypi.org/debian/ jessie main
By switching the archive.raspberrypi.org repo to stretch we're able to fetch latest RPi kernel update:
sed -i 's/jessie/stretch/' /etc/apt/sources.list.d/raspberry.list
apt update
apt install firmware-brcm80211 libraspberrypi-bin libraspberrypi0 raspberrypi-bootloader raspberrypi-kernel
reboot
And now we're at 'Linux raspberrypi 4.9.41-v7+ #1023 SMP Tue Aug 8 16:00:15 BST 2017 armv7l GNU/Linux'. But now also a lot of other packages are upgradeable:
root@raspberrypi:~# apt list --upgradable
Listing... Done
device-tree-compiler/testing 1.4.4-1 armhf [upgradable from: 1.4.1-1+rpi1]
e2fslibs/jessie-backports 1.43.3-1~bpo8+1 armhf [upgradable from: 1.43.3-1~bpo8+1]
e2fsprogs/jessie-backports 1.43.3-1~bpo8+1 armhf [upgradable from: 1.43.3-1~bpo8+1]
libcairo2/testing 1.14.8-1+rpi1 armhf [upgradable from: 1.14.0-2.1+deb8u2+rpi1]
libcomerr2/jessie-backports 1.43.3-1~bpo8+1 armhf [upgradable from: 1.43.3-1~bpo8+1]
libpam-modules/testing 1.1.8-3.6+rpi1 armhf [upgradable from: 1.1.8-3.1+deb8u2+rpi3]
libpam-modules-bin/testing 1.1.8-3.6+rpi1 armhf [upgradable from: 1.1.8-3.1+deb8u2+rpi3]
libpam-runtime/testing 1.1.8-3.6+rpi1 all [upgradable from: 1.1.8-3.1+deb8u2+rpi3]
libpam0g/testing 1.1.8-3.6+rpi1 armhf [upgradable from: 1.1.8-3.1+deb8u2+rpi3]
libss2/jessie-backports 1.43.3-1~bpo8+1 armhf [upgradable from: 1.43.3-1~bpo8+1]
And if we would start an upgrade now we get a 'nice' mixture of Raspbian and Debian armhf packages:
Get:1 https://archive.raspberrypi.org/debian/ stretch/main libpam0g armhf 1.1.8-3.6+rpi1 [120 kB]
Get:2 http://httpredir.debian.org/debian/ jessie-backports/main e2fsprogs armhf 1.43.3-1~bpo8+1 [907 kB]
Get:3 http://httpredir.debian.org/debian/ jessie-backports/main e2fslibs armhf 1.43.3-1~bpo8+1 [199 kB]
Get:4 https://archive.raspberrypi.org/debian/ stretch/main libpam-modules-bin armhf 1.1.8-3.6+rpi1 [102 kB]
Get:5 http://httpredir.debian.org/debian/ jessie-backports/main libcomerr2 armhf 1.43.3-1~bpo8+1 [62.5 kB]
Get:6 http://httpredir.debian.org/debian/ jessie-backports/main libss2 armhf 1.43.3-1~bpo8+1 [66.0 kB]
Get:7 https://archive.raspberrypi.org/debian/ stretch/main libpam-modules armhf 1.1.8-3.6+rpi1 [289 kB]
Get:8 https://archive.raspberrypi.org/debian/ stretch/main libpam-runtime all 1.1.8-3.6+rpi1 [212 kB]
Get:9 https://archive.raspberrypi.org/debian/ stretch/main device-tree-compiler armhf 1.4.4-1 [349 kB]
The OS survived a reboot but this is clearly something we want to avoid.
Since I lack sufficient experience with apt pinning, may I ask more advanced users here (hoping for @ryecoaaron): How could we deal with this situation to ensure that we'll get in active OMV installations latest kernel/firmware updates from upstream archive.raspberrypi.org repo? Is it possible to switch this repo to stretch but only allow these five packages to be installed/upgraded from there?
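One way to express the restriction asked about above, as an added example that is not part of the original post: an apt preferences file that blocks everything from archive.raspberrypi.org except the five packages installed earlier. The file name /etc/apt/preferences.d/raspberrypi-stretch and the priority values are assumptions; it pins by repository hostname and assumes raspberry.list has already been switched to stretch.

```conf
# /etc/apt/preferences.d/raspberrypi-stretch  (assumed file name)

# Generic record: never install or upgrade anything from this host ...
Package: *
Pin: origin archive.raspberrypi.org
Pin-Priority: -1

# ... except these five packages. A record that names packages takes
# precedence over the "Package: *" record above.
Package: firmware-brcm80211 libraspberrypi-bin libraspberrypi0 raspberrypi-bootloader raspberrypi-kernel
Pin: origin archive.raspberrypi.org
Pin-Priority: 990
```

After 'apt update', 'apt-cache policy raspberrypi-kernel libpam0g' shows which priority each candidate version received, and 'apt list --upgradable' should no longer offer the stretch builds of libpam and the other packages listed above.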
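The firmware check from the two dmesg outputs earlier in the post, as an added example that is not part of the original post: it extracts the version from the 'Firmware version' line and compares it with 7.45.41.46, the version the post shows for the fixed firmware. Treating every lower version as affected is an assumption, and the function names are made up for this example.

```shell
#!/bin/sh
# Firmware version the post shows after the fix was installed.
FIXED_VERSION="7.45.41.46"

# Print the dotted version from a "brcmfmac: Firmware version = ..." line,
# or nothing if the line is not such a line.
brcm_fw_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*brcmfmac: Firmware version = .* version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if dotted version $1 >= $2, comparing component by component
# as numbers (so 7.45.41.100 is newer than 7.45.41.46).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Print "fixed", "affected" or "unknown" for one kernel log line.
# Assumption: any version below FIXED_VERSION counts as affected.
brcm_fw_status() {
    v=$(brcm_fw_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo fixed
    else
        echo affected
    fi
}

# The two firmware lines quoted in the post, used as sample input.
OLD='[ 3.261842] brcmfmac: Firmware version = wl0: Aug 29 2016 20:48:16 version 7.45.41.26 (r640327) FWID 01-4527cfab'
NEW='[ 3.242599] brcmfmac: Firmware version = wl0: Aug 7 2017 00:46:29 version 7.45.41.46 (r666254 CY) FWID 01-f8a78378'
for line in "$OLD" "$NEW"; do
    printf '%s -> %s\n' "$(brcm_fw_version "$line")" "$(brcm_fw_status "$line")"
done
```

On a running system the input would be the output of "dmesg | grep 'brcmfmac: Firmware version'". Unlike the md5sum comparison, this reflects the firmware actually loaded at boot, so it only changes after a reboot.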