RouterOS 6.46 [stable] has been released.

I apologize for having neglected updates here for a while.

The stable channel has been updated for the first time in 35 days.

changelog

Be aware that the list is long, as you would expect after 69 updates in the testing channel.

What's new in 6.46 (2019-Dec-02 11:16):

MAJOR CHANGES IN v6.46:
----------------------
!) lora - added support for LoRaWAN low-power wide-area network technology for MIPSBE, MMIPS and ARM;
!) package - accept only packages with original filenames (CVE-2019-3976);
!) package - improved package signature verification (CVE-2019-3977);
!) security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979);
----------------------

Changes in this release:

*) backup - fixed automatic backup file generation when configuration reset by button;
*) backup - store automatically created backup file in "flash" directory;
*) bonding - correctly remove HW offloaded bonding with ARP monitoring;
*) bonding - properly handle MAC addresses when bonding WLAN interfaces;
*) bridge - disable/enable bridge port when setting bpdu-guard;
*) bridge - do not add bridge as untagged VLAN member when frame-types=admit-only-vlan-tagged;
*) bridge - do not add dynamically VLAN entry when changing "pvid" property for non-vlan aware bridge;
*) bridge - include whole VLAN-id in DHCP Option 82 message;
*) btest - removed duplicate "duration" parameter;
*) capsman - fixed background scan showing incorrect regulatory domain mismatch error (CAP upgrade required);
*) capsman - fixed channel auto reselection;
*) capsman - fixed MAC address detection for "common-name" parameter in certificate requests;
*) capsman - improved DFS channel switching when radar detected;
*) capsman - improved radar detection algorithm;
*) ccr - improved general system stability;
*) certificate - added progress bar when creating certificate request;
*) certificate - added support for certificate request signing with EC keys;
*) certificate - allow specifying "file-name" parameter for export (CLI only);
*) certificate - allow specifying "name" parameter for import (CLI only);
*) certificate - improved CRL updating process;
*) certificate - removed "key-size" parameter for "create-certificate-request" command;
*) chr - added support for Azure guest agent;
*) console - added bitwise operator support for "ip6" data type;
*) console - fixed "address" column width when printing DHCPv4 leases;
*) console - fixed IP conversion to "num" data type;
*) console - fixed "tobool" conversion;
*) console - properly detect IPv6 address as "ip6" data type;
*) crs1xx/2xx - allow to set trunk port as mirroring target;
*) crs3xx - correctly handle L2MTU change;
*) crs3xx - do not send pause frames when ethernet "tx-flow-control" is disabled on CRS326/CRS328/CRS305 devices;
*) crs3xx - improved interface initialization;
*) crs3xx - improved switch-chip resource allocation on CRS317-1G-16S+, CRS309-1G-8S+, CRS312-4C+8XG, CRS326-24S+2Q+ devices;
*) crs3xx - improved system stability on CRS309-1G-8S+, CRS312-4C+8XG, CRS326-24S+2Q+ devices;
*) crs3xx - remove previously set mirror-source property before changing it;
*) defconf - fixed default configuration loading on RBmAPL-2nD (introduced in v6.45);
*) defconf - require "policy" permission to print default configuration;
*) dhcpv4-client - allow empty "dhcp-options" parameter when adding new client;
*) dhcpv4-client - fixed "dhcp-options" parameter setting when adding new client;
*) dhcpv4-server - improved stability when RADIUS Interim update is sent;
*) dhcpv6-client - fixed timeout when doing rebind;
*) dhcpv6-client - properly update bind time when unused prefix received from the server;
*) dhcpv6-client - properly update IPv6 address on rebind;
*) dhcpv6-server - fixed logged error message when using "address-pool=static-only";
*) dhcpv6-server - ignore prefix-hint from client's DHCPDISCOVER if static prefix received from RADIUS;
*) dhcpv6-server - include "User-Name" parameter in accounting requests;
*) dhcpv6-server - made "calling-station-id" contain MAC address if DUID contains it;
*) dot1x - added "reject-vlan-id" server parameter (CLI only);
*) dot1x - added support for dynamic switch rules from RADIUS;
*) dot1x - added support for "mac-auth" authentication type (CLI only);
*) ethernet - automatically detect interface when using IP address for power-cycle-ping;
*) ethernet - do not enable interface after reboot that is already disabled;
*) ethernet - send requests only from ethernet interface when using MAC address for power-cycle-ping;
*) export - always export "ssid" value for w60g interfaces;
*) fetch - do not allocate extra 500KiB on SMIPS;
*) fetch - improved stability when processing large output data;
*) gps - use "serial1" as default port on RBLtAP-2HnD;
*) hotspot - fixed non-local NAT redirection to port TCP/64873;
*) hotspot - fixed RADIUS CoA "address-list" update;
*) ike1 - fixed minor spelling mistake in logs;
*) ike2 - improved CHILD SA rekey process with Apple iOS 13;
*) ike2 - improved stability when retransmitting first packet as responder;
*) ipsec - added "error" topic for identity check failure logging messages;
*) ipsec - fixed DNS resolving when domain has only AAAA entries;
*) ipsec - fixed policy "sa-src-address" detection from "local-address" (introduced in v6.45);
*) ipv6 - changed "advertise-dns" default value to "yes";
*) led - fixed default LED configuration for RBLHG-2nD and RBLHG-5HPnD;
*) log - increased log message length limit to 1024 characters;
*) lte - added support for D402 modem;
*) lte - added support for LM960A18;
*) lte - added support for Telit LM960 and LE910C1 modems;
*) lte - do not allow setting 3G and GSM modes on LTE only modems;
*) lte - fixed band setting on R11e-4G;
*) lte - fixed network registration on R11e-LTE-US;
*) lte - fixed Sierra WP7601 driver loading;
*) lte - fix "operator" names not being displayed properly;
*) lte - improved modem initialization;
*) lte - show "primary-band" only for LTE modems;
*) lte - use /128 prefix for IPv6 address on LTE interface;
*) lte - use interface from RA when "ipv6-interface=none" and IPv6 enabled;
*) ppp - added 3GPP IoT "access-technology" definitions;
*) ppp - added support for Sierra WP7601;
*) ppp - disable DTR send when using at-chat;
*) quickset - added "LTE AP Dual" mode support;
*) quickset - added "LTE APN" dropdown support;
*) quickset - fixed "LTE Band" checkbox display;
*) route - fixed area range summary route installation in VRF;
*) routerboard - fixed default CPU frequency on RB750r2 ("/system routerboard upgrade" required);
*) routerboard - fixed USB configuration export on RBLtAP-2HnD;
*) routerboard - hide "memory-frequency" parameter for RBLtAP-2HnD;
*) sniffer - allow filtering by packet size;
*) snmp - added "disabled" and "comment" parameters for communities;
*) snmp - added option to monitor "link-downs" parameter using MIKROTIK-MIB;
*) snmp - fixed "dot1dBasePort" index offset for BRIDGE-MIB;
*) snmp - fixed "ifLastChange" OID reporting for IF-MIB;
*) snmp - fixed "radio-name" (mtxrWlRtabRadioName) OID support;
*) snmp - improved interface status reporting for IfOperStatus OID;
*) snmp - improved LLDP interface returned index and type;
*) snmp - return only interfaces with MAC addresses for LLDP;
*) snmp - use "src-address" also for traps;
*) ssh - fixed output printing when "command" parameter used;
*) supout - include information from all LTE interfaces;
*) supout - removed "file" option from "/system sup-output" command;
*) switch - added "comment" property for switch vlan menu (CLI only);
*) switch - correctly update dynamic switch rule when dhcp-snooping is enabled;
*) switch - ignore "default-vlan-id" property after switch reset on RTL8367 switch chip;
*) switch - show "external" flag for bridge hosts on MT7621, RTL8367 switch chips;
*) timezone - updated time zone database to version 2019c;
*) tr069-client - added CellDiagnostics parameter support;
*) tr069-client - added LTE band and cellular technology selection parameters;
*) tr069-client - added LTE RSCP, ECNO and ICCID parameter support;
*) tr069-client - added multiple LTE monitoring parameters;
*) tr069-client - reconnect to ACS when "ConnectionRequestURL" is updated;
*) upgrade - improved auto package updating using "check-for-updates";
*) ups - improved compatibility with APC UPS's;
*) usb - general USB modem stability improvements;
*) userman - updated Authorize.Net to use SHA512 hashing;
*) w60g - added "region" setting to limit allowed frequencies (CLI only);
*) w60g - do not reset link when changing comment on station;
*) w60g - fixed "monitor" command on disabled interfaces;
*) w60g - move stations to new bridge when "put-in-bridge" parameter is changed;
*) webfig - fixed link to Winbox download;
*) winbox - added "ip-address" and stats columns in "IP/Kid-Control/Devices" menu;
*) winbox - added "public-address-ipv6" parameter to "IP/Cloud" menu;
*) winbox - added "reset-counters" button to "IP/Kid Control/Devices" menu;
*) winbox - added "tx-info-field" parameter to "Wireless/W60G" menu;
*) winbox - added "Vendor Classes" tab in "IP/DHCP Server" menu;
*) winbox - added wireless alignment LED types to "System/LEDs" menu;
*) winbox - fixed allowed range for bridge filter "new-priority" parameter;
*) winbox - fixed "CAPs Scanner" stopping;
*) winbox - fixed "cluster-id" parameter setting in "Routing/BGP/Instances" menu;
*) winbox - fixed file locking when uploading multiple files at once;
*) winbox - fixed firewall limit parameter support for rates more than 4G;
*) winbox - fixed invalid flag presence in "IP/SMB/Shares" menu;
*) winbox - fixed "Routing" menu icon presence when there is no routing package installed;
*) winbox - improved stability when transferring multiple files between multiple windows;
*) winbox - properly show timestamp in file "Creation Time" field;
*) winbox - removed "Set CA Passphrase" button from "Certificate" menu;
*) winbox - renamed "Queue Limit" to "Queue Size" for "pcq-upload-default" and "pcq-download-default" parameters;
*) winbox - replaced "kb" with "KiB" in "Tools/Packet Sniffer" menu;
*) winbox - show "Switch" menu on RBwAPGR-5HacD2HnD;
*) winbox - show "System/RouterBOARD/Mode Button" on devices that have such feature;
*) wireless - added 4 chain MCS support for 802.11n wireless protocol (CLI only);
*) wireless - added "ETSI" regulatory domain information;
*) wireless - added "indonesia4" regulatory domain information;
*) wireless - added "push-button-5s" value for "wps-mode" parameter;
*) wireless - added U-NII-2 support for RBSXTsqG-5acD, RBLHGG-5acD-XL, RBLHGG-5acD, RBLDFG-5acD, RBDiscG-5acD;
*) wireless - allow using "canada2" regulatory domain on US lock devices;
*) wireless - fixed 802.11n rate selection when managed by CAPsMAN;
*) wireless - fixed RX chain selection;
*) wireless - fixed sensor MAC address reporting in TZSP header;
*) wireless - improved 802.11ac stability for all ARM devices with wireless;
*) wireless - improved IPQ4019, QCA9984, QCA9888 wireless interface stability;
*) wireless - updated "ukraine" regulatory domain information;
*) wireless - updated "united-states" regulatory domain information;

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to [email protected]. File must be generated while router is not working as suspected or after some problem has appeared on device

Please keep this forum topic strictly related to this particular RouterOS release

A few notes

Security

First, MAJOR CHANGES includes four vulnerability fixes. The following three items in particular affect ordinary users.

  • !) package - accept only packages with original filenames (CVE-2019-3976);
  • !) package - improved package signature verification (CVE-2019-3977);
  • !) security - fixed improper handling of DNS responses (CVE-2019-3978, CVE-2019-3979);

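That is, only packages that keep their original filenames are accepted (CVE-2019-3976), package signature verification has been improved (CVE-2019-3977), and improper handling of DNS responses has been fixed (CVE-2019-3978, CVE-2019-3979). The official blog explains these in detail, so refer to the posts below.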

DNS cache poisoning vulnerability
Tenable has identified a vulnerability in RouterOS DNS implementation. RouterOS 6.45.6 and below is vulnerable to unauthenticated remote DNS cache poi...
Package validation and upgrade vulnerability
Tenable has identified a couple of issues with RouterOS packaging and upgrade systems. The upgrade system used by RouterOS 6.45.5 and below is vulnera...

Download

MikroTik
MikroTik makes networking hardware and software, which is used in nearly all countries of the world. Our mission is to make existing Internet technolo...

Forum

v6.46 [stable] is released! - MikroTik