Little security advisory. According to RPi-Foundation the Broadcom wireless chip contained in RPi 3 and Zero W is affected by the so-called 'BroadPwn' flaw (please google yourself). Cypress (formerly Broadcom) provided an updated firmware which is part of Raspbian's latest firmware-brcm80211 package which gets automatically updated on Raspbian based OMV images.
It's really just two simple files replaced (a .txt and a .bin blob). If you're affected by BroadPwn on your Raspberry it's this:
If you have the fix it looks like this:
Unfortunately on latest RPi OMV image /lib/firmware/brcm/brcmfmac43430-sdio.* is part of armbian-firmware package. So if Wi-Fi/BT is not needed a simple 'apt purge armbian-firmware' already fixes the problem. And doing an 'apt install firmware-brcm80211' makes Wi-Fi usable again with fix included. But it's important to fetch the package from archive.raspberrypi.org and not from upstream Debian repositories since there it's still the old firmware from 2016. On most recent RPi OMV image an 'apt list -a firmware-brcm80211' shows these 3 packages available:
Next problem: Kernel updates. The kernel we get with current apt source configuration is still 4.9.35 while when switching to stretch sources we would get 4.9.41 'already' (4.9.47 is latest 4.9LTS release but hey...):
By switching the archive.raspberrypi.org repo to stretch we're able to fetch latest RPi kernel update:
And now we're at 'Linux raspberrypi 4.9.41-v7+ #1023 SMP Tue Aug 8 16:00:15 BST 2017 armv7l GNU/Linux'. But now also a lot of other packages are upgradeable:
And if we would start an upgrade now we get a 'nice' mixture of Raspbian and Debian armhf packages:
Get:2 http://httpredir.debian.org/debian/ jessie-backports/main e2fsprogs armhf 1.43.3-1~bpo8+1 [907 kB]
Get:3 http://httpredir.debian.org/debian/ jessie-backports/main e2fslibs armhf 1.43.3-1~bpo8+1 [199 kB]
Get:4 https://archive.raspberrypi.org/debian/ stretch/main libpam-modules-bin armhf 1.1.8-3.6+rpi1 [102 kB]
Get:5 http://httpredir.debian.org/debian/ jessie-backports/main libcomerr2 armhf 1.43.3-1~bpo8+1 [62.5 kB]
Get:6 http://httpredir.debian.org/debian/ jessie-backports/main libss2 armhf 1.43.3-1~bpo8+1 [66.0 kB]
Get:7 https://archive.raspberrypi.org/debian/ stretch/main libpam-modules armhf 1.1.8-3.6+rpi1 [289 kB]
Get:8 https://archive.raspberrypi.org/debian/ stretch/main libpam-runtime all 1.1.8-3.6+rpi1 [212 kB]
The OS survived a reboot but this is clearly something we want to avoid.
Since I lack sufficient experience with apt pinning, may I ask more advanced users here (hoping for @ryecoaaron): How could we deal with this situation to ensure that we'll get in active OMV installations the latest kernel/firmware updates from the upstream archive.raspberrypi.org repo? Is it possible to switch this repo to stretch but only allow these five packages to be installed/upgraded from there?
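An added example, not part of the original post: a small audit that reads apt's `Get:` download lines, as quoted above, and reports every package fetched from the stretch suite of archive.raspberrypi.org that is not on an allowlist. The allowlist contents other than firmware-brcm80211 are assumptions, and the last sample line is constructed.

```python
import re
from urllib.parse import urlparse

# Packages allowed to come from the restricted suite. firmware-brcm80211 is
# named in the post; the two kernel package names are assumptions.
ALLOWED = {"firmware-brcm80211", "raspberrypi-kernel", "raspberrypi-bootloader"}

# One apt download record: Get:N URL suite/component package arch version [size]
# No line anchors are used, so records glued onto a single line are still found.
GET_RE = re.compile(
    r"Get:\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\[[^\]]*\]"
)

# First three lines are taken from the post; the fourth is constructed.
SAMPLE = """\
Get:2 http://httpredir.debian.org/debian/ jessie-backports/main e2fsprogs armhf 1.43.3-1~bpo8+1 [907 kB]
Get:4 https://archive.raspberrypi.org/debian/ stretch/main libpam-modules-bin armhf 1.1.8-3.6+rpi1 [102 kB]
Get:7 https://archive.raspberrypi.org/debian/ stretch/main libpam-modules armhf 1.1.8-3.6+rpi1 [289 kB]
Get:9 https://archive.raspberrypi.org/debian/ stretch/main firmware-brcm80211 all 0.0-constructed [1 kB]
"""


def parse_get_records(text):
    """Return one dict per Get: record with host, suite, package and version."""
    records = []
    for url, dist, package, _arch, version in GET_RE.findall(text):
        records.append({
            "host": urlparse(url).hostname,
            "suite": dist.split("/")[0],  # "stretch/main" -> "stretch"
            "package": package,
            "version": version,
        })
    return records


def unexpected_packages(text, host="archive.raspberrypi.org",
                        suite="stretch", allowed=ALLOWED):
    """Sorted names of packages pulled from host/suite that are not allowed."""
    return sorted({
        r["package"] for r in parse_get_records(text)
        if r["host"] == host and r["suite"] == suite
        and r["package"] not in allowed
    })


if __name__ == "__main__":
    for name in unexpected_packages(SAMPLE):
        print("unexpected package from stretch:", name)
```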