The RouterOS current branch has been updated. Because of Vault7, this update comes only a day after 6.38.4.
6.38.5 includes the fix for the vulnerability found in Vault7.
What's new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;

What's new in 6.38.4 (2017-Mar-08 09:26):
*) chr - fixed problem when transmit speed was reduced by interface queues;
*) dhcpv6-server - require "address-pool" to be specified;
*) export - do not show "read-only" IRQ entries;
*) filesystem - implemented procedures to verify and restore internal file structure integrity upon upgrading;
*) firewall - do not allow to set "time" parameter to 0s for "limit" option;
*) hotspot - fixed redirect to URL where escape characters are used (requires newly generated HTML files);
*) hotspot - show Host table commentaries also in Active tab and vice versa;
*) ike1 - fixed “xauth” Radius login;
*) ike2 - also kill IKEv2 connections on proposal change;
*) ike2 - always limit empty remote selector;
*) ike2 - fixed proposal change crash;
*) ike2 - fixed responder subsequent new child creation when PFS is used;
*) ike2 - fixed responder TS updating on wild match;
*) ipsec - deducted policy SA src/dst address from src/dst address;
*) ipsec - do not require "sa-dst-address" if "action=none" or "action=discard";
*) ipsec - fixed SA address check in policy lookup;
*) ipsec - hide SA address for transport policies;
*) ipsec - keep policy in kernel even with bad proposal;
*) ipsec - kill ph2 on policy removal;
*) ipsec - updated/fixed Radius attributes;
*) irq - properly detect all IRQ entries;
*) l2tp-client - fixed IPSec policy generation after reboot;
*) l2tp-client - require working IPSec encryption if "use-ipsec=yes";
*) lcd - show fan2 speed only if it is available;
*) profile - classify ethernet driver activity properly in ARM architecture;
*) snmp - added SSID to CAPsMAN registration table;
*) snmp - fixed "/tool snmp-get" crash on session timeout;
*) snmp - fixed CAPsMAN registration table OID print;
*) snmp - fixed situation when SNMP could not read "/system health" values after reboot;
*) userman - allow access to User Manager users page only through "/user" URL;
*) userman - show warning when no users are selected for CSV file generation;
*) winbox - do not hide "power-cycle-after" option;
*) winbox - hide advertise tab in Hotspot user profile configuration if "transparent-proxy" is not enabled;
*) winbox - make "power-cycle-interval" not to depend on "power-cycle-ping-enabled" in PoE settings;
*) winbox - properly show BGP communities in routing filters table filter;
*) wireless - fixed scan tool stuck in background;
*) wireless - improved compatibility with Intel 2200BG wireless card;
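The fixes are mainly around IKE and IPsec.
If you use CHR (Cloud Hosted Router), I think it is a good idea to update, since an improvement to transfer speed is included.
As far as I can tell from updating my own environments, it runs without problems on Tile/mipsbe/ppc/arm. That said, the RC branch recently had a problem that broke connectivity, for the first time in a while, so I think it is better to apply the update in a test environment first if you can.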