Обновление MikroTik RouterOS v6.45.1

Производитель MikroTik обновил операционную систему RouterOS до версии 6.45.1.

Прошивку RouterOS версии 6.45.1 можно скачать с сайта http://www.mikrotik.com/download.html

В версии 6.45.1 сделаны следующие улучшения и исправления (27 июня 2019 г.):

Внимание!!!

В данной прошивке удалена совместимость со старыми версиями паролей. Если после установки версии 6.45.1 вы решите понизить прошивку до любой версии v6.43 (v6.42.12 и старше), то будут удалены все пользовательские пароли и разрешена аутентификация без пароля. После понижения прошивки обязательно защитите свой роутер, установив пароль.

Начиная с версии 6.45.1, старый метод аутентификации API больше работать не будет. Смотрите документацию для новой процедуры входа в систему: https://wiki.mikrotik.com/wiki/Manual:API#Initial_login

Важные изменения в версии 6.45.1:

• ! dot1x - added support for IEEE 802.1X Port-Based Network Access Control; 
• ! ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator; 
• ! security - fixed vulnerabilities CVE-2019-13954, CVE-2019-13955; 
• ! security - fixed vulnerabilities CVE-2019-11477, CVE-2019-11478, CVE-2019-11479; 
• ! security - fixed vulnerability CVE-2019-13074; 
• ! user - removed insecure password storage.

Остальные изменения в этом релизе:

• bridge - correctly display bridge FastPath status when vlan-filtering or dhcp-snooping is used; 
• bridge - correctly handle bridge host table; 
• bridge - fixed log message when hardware offloading is being enabled; 
• bridge - improved stability when receiving traffic over USB modem with bridge firewall enabled; 
• capsman - fixed CAP system upgrading process for MMIPS; 
• capsman - fixed interface-list usage in access list; 
• ccr - improved packet processing after overloading interface; 
• certificate - added "key-type" field; 
• certificate - added support for ECDSA certificates (prime256v1, secp384r1, secp521r1); 
• certificate - fixed self signed CA certificate handling by SCEP client; 
• certificate - made RAM the default CRL storage location; 
• certificate - removed DSA (D) flag; 
• certificate - removed "set-ca-passphrase" parameter; 
• chr - legacy adapters require "disable-running-check=yes" to be set; 
• cloud - added "replace" parameter for backup "upload-file" command; 
• conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160); 
• conntrack - significant stability and performance improvements; 
• crs317 - fixed known multicast flooding to the CPU; 
• crs3xx - added ethernet tx-drop counter; 
• crs3xx - correctly display auto-negotiation information for SFP/SFP+ interfaces in 1Gbps rate; 
• crs3xx - fixed auto negotiation when 2-pair twisted cable is used (downshift feature); 
• crs3xx - fixed "tx-drop" counter; 
• crs3xx - improved switch-chip resource allocation on CRS326, CRS328, CRS305; 
• defconf - added "custom-script" field that prints custom configuration installed by Netinstall; 
• defconf - automatically set "installation" parameter for outdoor devices; 
• defconf - changed default configuration type to AP for cAP series devices; 
• defconf - fixed channel width selection for RU locked devices; 
• dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration; 
• dhcp - do not require lease and binding to have the same configuration for dual-stack queues; 
• dhcp - show warning in log if lease and binding dual-stack related parameters do not match and create separate queues; 
• dhcpv4-server - added "client-mac-limit" parameter; 
• dhcpv4-server - added IP conflict logging; 
• dhcpv4-server - added RADIUS accounting support with queue based statistics; 
• dhcpv4-server - added "vendor-class-id" matcher (CLI only); 
• dhcpv4-server - improved stability when performing "check-status" command; 
• dhcpv4-server - replaced "busy" lease status with "conflict" and "declined"; 
• dhcpv6-client - added option to disable rapid-commit; 
• dhcpv6-client - fixed status update when leaving "bound" state; 
• dhcpv6-server - added additional RADIUS parameters for Prefix delegation, "rate-limit" and "life-time"; 
• dhcpv6-server - added "address-list" support for bindings; 
• dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters; 
• dhcpv6-server - added RADIUS accounting support with queue based statistics; 
• dhcpv6-server - added "route-distance" parameter; 
• dhcpv6-server - fixed dynamic IPv6 binding without proper reference to the server; 
• dhcpv6-server - override prefix pool and/or DNS server settings by values received from RADIUS; 
• discovery - correctly create neighbors from VLAN tagged discovery messages; 
• discovery - fixed CDP packets not including address on slave ports (introduced in v6.44); 
• discovery - improved neighbour's MAC address detection; 
• discovery - limit max neighbour count per interface based on total RAM memory; 
• discovery - show neighbors on actual mesh ports; 
• e-mail - include "message-id" identification field in e-mail header; 
• e-mail - properly release e-mail sending session if the server's domain name can not be resolved; 
• ethernet - added support for 25Gbps and 40Gbps rates; 
• ethernet - fixed running (R) flag not present on x86 interfaces and CHR legacy adapters; 
• ethernet - increased loop warning threshold to 5 packets per second; 
• fetch - added SFTP support; 
• fetch - improved user policy lookup; 
• firewall - fixed fragmented packet processing when only RAW firewall is configured; 
• firewall - process packets by firewall when accepted by RAW with disabled connection tracking; 
• gps - fixed missing minus close to zero coordinates in dd format; 
• gps - make sure "direction" parameter is upper case; 
• gps - strip unnecessary trailing characters from "longtitude" and "latitude" values; 
• gps - use "serial0" as default port on LtAP mini; 
• hotspot - added "interface-mac" variable to HTML pages; 
• hotspot - moved "title" HTML tag after "meta" tags; 
• ike1 - adjusted debug packet logging topics; 
• ike2 - added support for ECDSA certificate authentication (rfc4754); 
• ike2 - added support for IKE SA rekeying for initiator; 
• ike2 - do not send "User-Name" attribute to RADIUS server if not provided; 
• ike2 - improved certificate verification when multiple CA certificates received from responder; 
• ike2 - improved child SA rekeying process; 
• ike2 - improved XAuth identity conversion on upgrade; 
• ike2 - prefer SAN instead of DN from certificate for ID payload; 
• ippool - improved logging for IPv6 Pool when prefix is already in use; 
• ipsec - added dynamic comment field for "active-peers" menu inherited from identity; 
• ipsec - added "ph2-total" counter to "active-peers" menu; 
• ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods; 
• ipsec - added traffic statistics to "active-peers" menu; 
• ipsec - disallow setting "src-address" and "dst-address" for transport mode policies; 
• ipsec - do not allow adding identity to a dynamic peer; 
• ipsec - fixed policies becoming invalid after changing priority; 
• ipsec - general improvements in policy handling; 
• ipsec - properly drop already established tunnel when address change detected; 
• ipsec - renamed "remote-peers" to "active-peers"; 
• ipsec - renamed "rsa-signature" authentication method to "digital-signature"; 
• ipsec - replaced policy SA address parameters with peer setting; 
• ipsec - use tunnel name for dynamic IPsec peer name; 
• ipv6 - improved system stability when receiving bogus packets; 
• ltap - renamed SIM slots "up" and "down" to "2" and "3"; 
• lte - added initial support for Vodafone R216-Z; 
• lte - added passthrough interface subnet selection; 
• lte - added support for manual operator selection; 
• lte - allow setting empty APN; 
• lte - allow to specify URL for firmware upgrade "firmware-file" parameter; 
• lte - do not show error message for info commands that are not supported; 
• lte - fixed session reactivation on R11e-LTE in UMTS mode; 
• lte - improved firmware upgrade process; 
• lte - improved "info" command query; 
• lte - improved R11e-4G modem operation; 
• lte - renamed firmware upgrade "path" command to "firmware-file" (CLI only); 
• lte - show alphanumeric value for operator info; 
• lte - show correct firmware revision after firmware upgrade; 
• lte - use default APN name "internet" when not provided; 
• lte - use secondary DNS for DNS server configuration; 
• m33g - added support for additional Serial Console port on GPIO headers; 
• ospf - added support for link scope opaque LSAs (Type 9) for OSPFv2; 
• ospf - fixed opaque LSA type checking in OSPFv2; 
• ospf - improved "unknown" LSA handling in OSPFv3; 
• ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066); 
• ppp - added initial support for Quectel BG96; 
• proxy - increased minimal free RAM that can not be used for proxy services; 
• rb3011 - improved system stability when receiving bogus packets; 
• rb4011 - fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset required); 
• rb921 - improved system stability ("/system routerboard upgrade" required); 
• routerboard - renamed 'sim' menu to 'modem'; 
• sfp - fixed S-35LC20D transceiver DDMI readouts after reboot; 
• sms - added USSD message functionality under "/tool sms" (CLI only); 
• sms - allow specifying multiple "allowed-number" values; 
• sms - improved delivery report logging; 
• snmp - added "dot1dStpPortTable" OID; 
• snmp - added OID for neighbor "interface"; 
• snmp - added "write-access" column to community print; 
• snmp - allow setting interface "adminStatus"; 
• snmp - fixed "send-trap" not working when "trap-generators" does not contain "temp-exception"; 
• snmp - fixed "send-trap" with multiple "trap-targets"; 
• snmp - improved reliability on SNMP service packet validation; 
• snmp - properly return multicast and broadcast packet counters for IF-MIB OIDs; 
• ssh - accept remote forwarding requests with empty hostnames; 
• ssh - added new "ssh-exec" command for non-interactive command execution; 
• ssh - fixed non-interactive multiple command execution; 
• ssh - improved remote forwarding handling (introduced in v6.44.3); 
• ssh - improved session rekeying process on exchanged data size threshold; 
• ssh - keep host keys when resetting configuration with "keep-users=yes"; 
• ssh - use correct user when "output-to-file" parameter is used; 
• sstp - improved stability when received traffic hits tarpit firewall; 
• supout - added IPv6 ND section to supout file; 
• supout - added "kid-control devices" section to supout file; 
• supout - added "pwr-line" section to supout file; 
• supout - changed IPv6 pool section to output detailed print; 
• switch - properly reapply settings after switch chip reset; 
• tftp - added "max-block-size" parameter under TFTP "settings" menu (CLI only); 
• tile - improved link fault detection on SFP+ ports; 
• tr069-client - added LTE CQI and IMSI parameter support; 
• tr069-client - fixed potential memory corruption; 
• tr069-client - improved error reporting with incorrect firware upgrade XML file; 
• traceroute - improved stability when sending large ping amounts; 
• traffic-generator - improved stability when stopping traffic generator; 
• tunnel - removed "local-address" requirement when "ipsec-secret" is used; 
• userman - added support for "Delegated-IPv6-Pool" and "DNS-Server-IPv6-Address" (CLI only); 
• w60g - do not show unused "dmg" parameter; 
• w60g - prefer AP with strongest signal when multiple APs with same SSID present; 
• w60g - show running frequency under "monitor" command; 
• winbox - added "System/SwOS" menu for all dual-boot devices; 
• winbox - do not allow setting "dns-lookup-interval" to "0"; 
• winbox - show "LCD" menu only on boards that have LCD screen; 
• wireless - fixed frequency duplication in the frequency selection menu; 
• wireless - fixed incorrect IP header for RADIUS accounting packet; 
• wireless - improved 160MHz channel width stability on rb4011; 
• wireless - improved DFS radar detection when using non-ETSI regulated country; 
• wireless - improved installation mode selection for wireless outdoor equipment; 
• wireless - set default SSID and supplicant-identity the same as router's identity; 
• wireless - updated "china" regulatory domain information; 
• wireless - updated "new zealand" regulatory domain information; 
• www - improved client-initiated renegotiation within the SSL and TLS protocols (CVE-2011-1473).