Important RouterOS update (6.42.7, 6.40.9): security fixes
We encourage you to update your MikroTik devices to the latest versions, i.e. 6.42.7 and 6.40.9, because they patch security vulnerabilities. The vulnerabilities have been assigned the identifiers CVE-2018-1156, CVE-2018-1157, CVE-2018-1158 and CVE-2018-1159. Their origin and the scope of the threat are not yet known. This points to a vulnerability that has been reported to the vendor but not yet published.
The vulnerabilities are patched in both the RouterOS current branch and the bugfix branch.
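Because the fix landed in two separate branches, a plain "version >= 6.40.9" comparison misclassifies devices. The following inventory check is an added example, not code from the original post or from MikroTik. Assumptions: the device names and version strings are constructed, release lines newer than 6.42 are treated as fixed, and rc/beta builds are flagged for manual review.

```python
import re

# Fixed releases named in the post, keyed by (major, minor) release line.
FIXED = {(6, 40): 9,   # bugfix branch: 6.40.9
         (6, 42): 7}   # current branch: 6.42.7
NEWEST_FIXED_LINE = max(FIXED)

VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(rc|beta)?")


def fix_status(version):
    """Return 'fixed', 'update' or 'review' for a RouterOS version string."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, prerelease = m.groups()
    line, patch = (int(major), int(minor)), int(patch or 0)
    if prerelease:
        return "review"   # assumption: rc/beta builds need a manual check
    if line in FIXED:
        return "fixed" if patch >= FIXED[line] else "update"
    # Assumption: release lines after 6.42 include the fix. Lines in between
    # or older (e.g. 6.41.x) are not listed as fixed in the post, even though
    # 6.41.4 > 6.40.9 in a plain numeric comparison.
    return "fixed" if line > NEWEST_FIXED_LINE else "update"


def audit(inventory):
    """Map each device name to its fix status."""
    return {name: fix_status(version) for name, version in inventory.items()}


# Constructed sample inventory (device names and versions are made up).
SAMPLE_INVENTORY = {
    "edge-01": "6.42.7 (stable)",
    "edge-02": "6.42.6 (stable)",
    "core-01": "6.40.9 (bugfix)",
    "core-02": "6.40.8 (bugfix)",
    "ap-01": "6.41.4 (stable)",
    "lab-01": "6.43rc56 (testing)",
}

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{name:8} {SAMPLE_INVENTORY[name]:20} {status}")
```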
The full changelog follows:
What’s new in 6.40.9 (2018-Aug-20 07:46):
MAJOR CHANGES IN v6.40.9:
!) security – fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159;
*) certificate – fixed “add-scep” template existence check when signing certificate;
*) defconf – fixed wAP LTE kit default configuration;
*) ethernet – improved large packet handling on ARM devices with wireless;
*) ethernet – removed obsolete slave flag from “/interface vlan” menu;
*) filesystem – fixed NAND memory going into read-only mode;
*) hotspot – fixed user authentication when queue from old session is not removed yet;
*) interface – fixed interface configuration responsiveness;
*) ipsec – fixed policies becoming invalid if added after a disabled policy;
*) ldp – properly load LDP configuration;
*) ppp – fixed “hunged up” grammar to “hung up” within PPP log messages;
*) sfp – hide “sfp-wavelength” parameter for RJ45 transceivers;
*) snmp – added remote CAP count OID for CAPsMAN;
*) supout – added “partitions” section to supout file;
*) tile – fixed Ethernet interfaces becoming unresponsive;
*) tr069-client – fixed unresponsive tr069 service when blackhole route is present;
*) userman – fixed compatibility with PayPal TLS 1.2;
*) userman – improved unique username generation process when adding batch of users;
*) winbox – added missing “dscp” and “clamp-tcp-mss” settings to IPv6 tunnels;
*) winbox – allow to specify full URL in SCEP certificate signing process;
*) winbox – by default specify keepalive timeout value for tunnel type interfaces;
*) winbox – show firmware upgrade message at the bottom of “System/RouterBOARD” menu;
*) winbox – show “scep-url” for certificates;
*) winbox – show “sector-writes” on ARM devices that have such counters;
*) winbox – show “sector-writes” on devices that have such counters;
*) winbox – show “System/Health” only on boards that have health monitoring;
*) wireless – added option to disable PMKID for WPA2;
*) wireless – enable all chains by default on devices without external antennas after configuration reset;
*) wireless – fixed packet processing after removing wireless interface from CAP settings;
*) wireless – improved client “channel-width” detection;
*) wireless – improved Nv2 PtMP performance;
*) wireless – increased stability on hAP ac^2 and cAP ac with legacy data rates;
*) wireless – updated “united-states” regulatory domain information;