McSea Posted July 9, 2019

RouterOS version 6.44.5 has been released in public "long-term" channel!

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.44.5 (2019-Jul-04 10:32):

MAJOR CHANGES IN v6.44.5:
----------------------
!) security - fixed vulnerabilities CVE-2018-1157, CVE-2018-1158;
!) security - fixed vulnerabilities CVE-2019-11477, CVE-2019-11478, CVE-2019-11479;
!) security - fixed vulnerability CVE-2019-13074;
----------------------

Changes in this release:

*) bridge - correctly handle bridge host table;
*) capsman - fixed CAP system upgrading process for MMIPS;
*) capsman - fixed interface-list usage in access list;
*) certificate - removed "set-ca-passphrase" parameter;
*) cloud - properly stop "time-zone-autodetect" after disable;
*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);
*) defconf - automatically set "installation" parameter for outdoor devices;
*) dhcpv6-client - fixed status update when leaving "bound" state;
*) dhcpv6-server - fixed dynamic IPv6 binding without proper reference to the server;
*) dhcpv6-server - override prefix pool and/or DNS server settings by values received from RADIUS;
*) discovery - fixed CDP packets not including address on slave ports (introduced in v6.44);
*) e-mail - properly release e-mail sending session if the server's domain name can not be resolved;
*) firewall - fixed fragmented packet processing when only RAW firewall is configured;
*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking;
*) gps - strip unnecessary trailing characters from "longtitude" and "latitude" values;
*) hotspot - moved "title" HTML tag after "meta" tags;
*) ipv6 - improved system stability when receiving bogus packets;
*) ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066);
*) rb3011 - improved system stability when receiving bogus packets;
*) rb921 - improved system stability ("/system routerboard upgrade" required);
*) snmp - improved reliability on SNMP service packet validation;
*) ssh - fixed non-interactive multiple command execution;
*) supout - added IPv6 ND section to supout file;
*) supout - added "pwr-line" section to supout file;
*) supout - changed IPv6 pool section to output detailed print;
*) winbox - do not allow setting "dns-lookup-interval" to "0";
*) wireless - improved DFS radar detection when using non-ETSI regulated country;
*) wireless - improved installation mode selection for wireless outdoor equipment;
*) wireless - updated "china" regulatory domain information;
*) www - improved client-initiated renegotiation within the SSL and TLS protocols (CVE-2011-1473);

McSea Posted July 9, 2019

Note this item:

*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);

Rules allowing GRE are now mandatory, otherwise tunnels that use this protocol will not work.

gard Posted July 9, 2019 (edited)

It's still kind of scary... coming from 6.43, that is.. Especially after the first two points in "Before an upgrade"

Edited July 9, 2019 by gard

prolan Posted July 9, 2019

"Before an upgrade" looks like general recommendations, for an upgrade to any version.

WideAreaNetwork Posted July 9, 2019

53 minutes ago, prolan said:
> for an upgrade to any version.

I would add: of any product

seregaelcin Posted July 29, 2019

On 09.07.2019 at 15:58, McSea said:
> Note this item:
> *) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);
> Rules allowing GRE are now mandatory, otherwise tunnels that use this protocol will not work.

By the way, for anyone with a pptp client, it will be enough to enable pptp in /ip firewall service-port, or else pass gre through
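
A pre-upgrade check for the two points raised in the thread (explicit GRE accept rules and the pptp entry in /ip firewall service-port), as an added example that is not part of the original posts or of MikroTik's tooling. The export text is constructed, and the "first deciding rule" logic is a simplified, conservative heuristic assumed for illustration, not RouterOS's actual rule evaluation.

```python
import shlex

# Constructed sample of exported firewall configuration (not from the thread).
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input comment="PPTP control" dst-port=1723 \
    protocol=tcp
add action=drop chain=input comment="drop the rest"
add action=accept chain=forward protocol=gre
add action=drop chain=forward connection-state=invalid
/ip firewall service-port
set pptp disabled=yes
'''

def parse_export(text):
    """Yield (section, words, params) for each command in a RouterOS export."""
    section = None
    for line in text.replace("\\\n", " ").splitlines():  # join "\" continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # menu path, e.g. /ip firewall filter
            section = line
            continue
        words = shlex.split(line)         # keeps quoted comments as one token
        params = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        yield section, words, params

def audit_gre(text):
    """Per chain: 'accepted', 'dropped' or 'default' (no rule decided GRE)."""
    verdict = {"input": "default", "forward": "default"}
    helper_enabled = True  # assumption: helper is on unless the export disables it
    for section, words, p in parse_export(text):
        if section == "/ip firewall service-port" and words[:2] == ["set", "pptp"]:
            helper_enabled = p.get("disabled") != "yes"
        if section != "/ip firewall filter" or words[0] != "add":
            continue
        chain = p.get("chain")
        if verdict.get(chain) != "default" or p.get("disabled") == "yes":
            continue                      # other chain, already decided, or disabled
        action, proto = p.get("action", "accept"), p.get("protocol")
        if action == "accept" and proto in ("gre", "47"):
            verdict[chain] = "accepted"   # explicit GRE accept comes first
        elif action in ("drop", "reject") and proto is None and "connection-state" not in p:
            verdict[chain] = "dropped"    # protocol-agnostic drop would catch GRE
    return verdict, helper_enabled
```

For the constructed export, `audit_gre(SAMPLE_EXPORT)` reports the input chain as `dropped`, the forward chain as `accepted`, and the pptp helper as disabled, so a GRE tunnel terminating on the router itself is the case to fix before upgrading.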