> Whilst this is true, it looks like OpenWRT fixed the hash truncation but not the command injection.
They did fix both AFAIK; the command injection fix is https://github.com/openwrt/asu/commit/deadda8097d49500260b17... (source: https://openwrt.org/advisory/2024-12-06).
Thanks for the correction and sorry for the mistake. I skimmed the changes but apparently not very well.