resinOS vulnerability management

Hi, we are taking vulnerabilities very seriously, and resinOS host OS updates are core to our commitment of keeping your devices secure (see for example Beta testers: resinOS 2.x updates!). Self-service updates are coming very soon, and the recent disclosures accelerated that process as well, to make sure everyone can be covered properly.

For dnsmasq, the recent announcement affecting wpa_supplicant, etc., fixes are being applied to meta-resin, which is the repository from which resinOS is created. Those fixes should be in the next release of resinOS.

We are building a more transparent process of tracking CVEs and other disclosures, so it can be easier to see what’s affected and what’s not affected. There’s a security whitepaper coming out soon too, which has more information to clarify our stance and show our designs and the decisions that went into those designs.

Having said all that, resinOS is open source, so both building your own (you don’t have to, but you have the choice) and sending patches are very welcome.

Is this a good start to this conversation? Please do not hesitate to let us know of any issues or queries you have about security or otherwise.