[update] RouterOS 6.45.7 [stable] & 6.44.6 [long-term] have been released.


This is the first update to the stable channel in about two months and, remarkably, the first to long-term in about four months.

Release notes

stable

First, stable.

MAJOR CHANGES IN v6.45.7:
----------------------
!) lora - added support for LoRaWAN low-power wide-area network technology for MIPSBE, MMIPS and ARM;
!) package - accept only packages with original filenames (CVE-2019-3976);
!) package - improved package signature verification (CVE-2019-3977);
!) security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979);
----------------------

Changes in this release:

*) capsman - fixed frequency setting requiring multiple frequencies;
*) capsman - fixed newline character missing on some logging messages;
*) conntrack - properly start manually enabled connection tracking;
*) crs312 - fixed combo SFP port toggling (introduced in v6.44.5);
*) crs3xx - correctly display link rate when 10/100/1000BASE-T SFP modules are used in SFP+ interfaces;
*) crs3xx - fixed management access when using switch rule "new-vlan-priority" property;
*) export - fixed "bootp-support" parameter export;
*) ike2 - fixed phase 1 rekeying (introduced in v6.45);
*) led - fixed default LED configuration for RBLHG5nD;
*) lte - fixed modem not receiving IP configuration when roaming (introduced in v6.45);
*) radius - fixed open socket leak when invalid packet is received (introduced in v6.44);
*) sfp - fixed "sfp-rx-power" value for some transceivers;
*) snmp - improved reliability on SNMP service packet validation;
*) system - improved system stability for devices with AR9342 SoC;
*) winbox - show SFP tab for QSFP interfaces;
*) wireless - added "canada2" regulatory domain information;
*) wireless - improved stability when setting fixed primary and secondary channels on RB4011iGS+5HacQ2HnD-IN;

long-term

Next, long-term.

MAJOR CHANGES IN v6.44.6:
----------------------
!) package - accept only packages with original filenames (CVE-2019-3976);
!) package - improved package signature verification (CVE-2019-3977);
!) security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979);
----------------------

Changes in this release:

*) capsman - fixed frequency setting requiring multiple frequencies;
*) capsman - fixed newline character missing on some logging messages;
*) ccr - improved packet processing after overloading interface;
*) crs312 - fixed combo SFP port toggling (introduced in v6.44.5);
*) crs328 - adjust fan speed based on SFP and CPU temperature;
*) crs3xx - correctly display link rate when 10/100/1000BASE-T SFP modules are used in SFP+ interfaces;
*) crs3xx - fixed management access when using switch rule "new-vlan-priority" property;
*) export - fixed "bootp-support" parameter export;
*) health - improved fan control on CRS3xx and CCR1016-12S-1S+r2;
*) ike2 - fixed policy port selection for responder with natted initiator;
*) ike2 - fixed traffic selector address family selection when using IPv6;
*) interface - fixed missing PWR-LINE section on PL7411-2nD and PL6411-2nD (introduced v6.44);
*) ipsec - allow inline "passphrase" parameter when importing keys;
*) ipsec - fixed minor spelling mistakes in logs;
*) led - fixed default LED configuration for RBLHG5nD;
*) ospf - fixed opaque LSA type checking in OSPFv2;
*) ospf - fixed possible busy loop condition when accessing OSPF LSAs;
*) ospf - improved "unknown" LSA handling in OSPFv3;
*) profile - added "internet-detect" process classificator;
*) radius - fixed open socket leak when invalid packet is received (introduced in v6.44);
*) sfp - fixed "sfp-rx-power" value for some transceivers;
*) smb - improved stability on x86 and CHR;
*) snmp - fixed encrypted data sequence (introduced in v6.44.5);
*) snmp - improved reliability on SNMP service packet validation;
*) ssh - accept remote forwarding requests with empty hostnames;
*) ssh - fixed carriage return presence in subsequent sessions;
*) ssh - improved remote forwarding handling (introduced in v6.44.3);
*) supout - fixed supout file generation outside of internal storage with insufficient space;
*) switch - fix port isolation for non-CRS series switch chips;
*) system - accept only valid string for "name" parameter in "disk" menu (CVE-2019-15055);
*) system - improved system stability for devices with AR9342 SoC;
*) upgrade - fixed "auto-upgrade" to use new style authentication;
*) upnp - fixed XML parsing (FG-VD-19-110);
*) watchdog - renamed "no-ping-delay" parameter to "ping-start-after-boot";
*) winbox - added "auto-erase" parameter to "Tools/SMS" menu;
*) winbox - added "https-redirect" parameter to "IP/Hotspot/Profiles menu";
*) winbox - added "revision" parameter to "System/Routerboard" menu;
*) winbox - removed "max-sms" parameter from "Tools/SMS" menu;
*) wireless - fixed basic rate reporting in snooper;
*) wireless - improved 802.11ac stability for all ARM devices with wireless;
*) wireless - improved range selection when distance set to "dynamic";
*) wireless - improved stability when setting fixed primary and secondary channels on RB4011iGS+5HacQ2HnD-IN;

Commentary

Security fixes

First of all, both releases include fixes for the same set of security vulnerabilities. MikroTik has published blog posts covering them, so please refer to those.

  • package – accept only packages with original filenames (CVE-2019-3976);
  • package – improved package signature verification (CVE-2019-3977);
  • security – fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979);
Package validation and upgrade vulnerability
Tenable has identified a couple of issues with RouterOS packaging and upgrade systems. The upgrade system used by RouterOS 6.45.5 and below is vulnera...
DNS cache poisoning vulnerability
Tenable has identified a vulnerability in RouterOS DNS implementation. RouterOS 6.45.6 and below is vulnerable to unauthenticated remote DNS cache poi...

The fixes are included from the following versions onward, so plan and carry out the update as soon as you can.

  • 6.45.7 [stable]
  • 6.44.6 [long-term]
  • 6.46beta59 [testing]
MikroTik RouterOS Multiple Vulnerabilities
CVE-2019-3976: Relative Path Traversal in NPK Parsing RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below are vulnerable to an arbitrary dire...
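
The following Python check is an added example, not code from MikroTik, Tenable or the original post. It flags inventory entries that predate the fixed version of their own branch, since 6.45.6 is numerically newer than 6.44.6 yet still unpatched. The hostnames and inventory are constructed, and treating branches older than 6.44 as unfixed and branches newer than 6.46 as fixed is an assumption.

```python
import re

# Fixed releases named on this page, keyed by (major, minor) branch.
FIXED = {(6, 44): "6.44.6", (6, 45): "6.45.7", (6, 46): "6.46beta59"}
_STAGE = {"beta": 0, "rc": 1, None: 2}  # beta < rc < final release
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?")


def parse_version(text):
    """Turn '6.45.7', '6.46beta59' or '6.44.5 (long-term)' into a sortable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch, stage, stage_no = m.groups()
    return (int(major), int(minor), int(patch or 0), _STAGE[stage], int(stage_no or 0))


def needs_upgrade(text):
    """True if the version predates the fix for its own branch."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED:
        # Compare only within the branch: 6.45.6 > 6.44.6 but is not fixed.
        return v < parse_version(FIXED[branch])
    # Assumption: branches older than 6.44 never received the fix,
    # and branches newer than 6.46 inherit it.
    return branch < min(FIXED)


def audit(inventory):
    """Return the hosts from a {host: version} mapping that still need the update."""
    return sorted(host for host, ver in inventory.items() if needs_upgrade(ver))


# Constructed inventory; hostnames and versions are illustrative only.
SAMPLE = {
    "edge-01": "6.45.6 (stable)",
    "edge-02": "6.45.7 (stable)",
    "core-01": "6.44.5 (long-term)",
    "core-02": "6.44.6 (long-term)",
    "lab-01": "6.46beta58 (testing)",
    "lab-02": "6.46beta59 (testing)",
    "old-01": "6.43.16 (long-term)",
}

if __name__ == "__main__":
    for host in audit(SAMPLE):
        print(f"{host}: {SAMPLE[host]} -> upgrade required")
```
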

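New features

lora – added support for LoRaWAN low-power wide-area network technology for MIPSBE, MMIPS and ARM;

This adds support for the LoRa-capable devices that recently went on sale. For now, though, I don't expect there will be an occasion to use them in Japan any time soon...

Starting with stable: for CAPsMAN, there is a fix for the frequency setting when multiple frequencies are configured, and a fix for some logging messages being incomplete.

Other changes include a fix for the CRS3xx series, where the link rate of SFP modules was not obtained correctly; a fix to IKE2 rekeying behaviour, an issue that had been around for a while; improved reliability of SNMP service packet validation; and improved system stability for devices with the AR9342 SoC.

long-term includes the above, plus the improved fan speed control for the CRS3xx and CCR1016-12S-1S+r2 that was introduced in stable earlier.

Other changes include improved handling of OSPF LSA types and improved behaviour for SSH session handling and forwarding requests.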

Download page

MikroTik
MikroTik makes networking hardware and software, which is used in nearly all countries of the world. Our mission is to make existing Internet technolo...

Official forum

v6.45.7 [stable] is released! - MikroTik
v6.44.6 [long-term] is released! - MikroTik