MikroTik RouterOS v6.45.1 update


MikroTik has updated the RouterOS operating system to version 6.45.1.

RouterOS 6.45.1 firmware can be downloaded from http://www.mikrotik.com/download.html

Version 6.45.1 includes the following improvements and fixes (June 27, 2019):



This firmware removes compatibility with old password formats. If, after installing version 6.45.1, you decide to downgrade to any version prior to v6.43 (v6.42.12 and older), all user passwords will be cleared and passwordless authentication will be allowed. After downgrading, be sure to secure your router by setting a password.

Starting with version 6.45.1, the old API authentication method no longer works. See the documentation for the new login procedure: https://wiki.mikrotik.com/wiki/Manual:API#Initial_login
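For anyone migrating an API client, the following added example (not MikroTik's code and not part of the original page) builds the login sentence that 6.45.1 accepts, shows the removed MD5 challenge-response for comparison, and classifies the router's reply. All function names are hypothetical, the sample values are constructed, and treating a `=ret=` challenge in the reply as the sign of a router that still expects the old method is an assumption of this sketch.

```python
import hashlib

def encode_length(n: int) -> bytes:
    """Variable-length prefix that precedes every API word."""
    if n < 0x80:
        return n.to_bytes(1, "big")
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xf0" + n.to_bytes(4, "big")

def encode_sentence(words) -> bytes:
    """Length-prefixed words, closed by a zero-length word."""
    raw = (w.encode() for w in words)
    return b"".join(encode_length(len(w)) + w for w in raw) + b"\x00"

def plain_login(user: str, password: str) -> bytes:
    """Login accepted by 6.45.1: credentials go in the first sentence.
    The password is not hashed, so run the session over the TLS API service."""
    return encode_sentence(["/login", f"=name={user}", f"=password={password}"])

def legacy_response(password: str, challenge_hex: str) -> str:
    """Removed method: "00" + MD5(0x00 + password + challenge).
    The router can only check this if it can recover the plaintext password."""
    material = b"\x00" + password.encode() + bytes.fromhex(challenge_hex)
    return "00" + hashlib.md5(material).hexdigest()

def classify_reply(words) -> str:
    """Interpret the reply sentence (list of words) to plain_login()."""
    if not words or words[0] == "!trap":
        return "rejected"
    if any(w.startswith("=ret=") for w in words[1:]):
        return "legacy-challenge"  # assumption: router expects the old method
    return "ok" if words[0] == "!done" else "unexpected"

if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    print(plain_login("admin", "pw").hex())
    print(classify_reply(["!done"]))
    print(classify_reply(["!done", "=ret=" + "ab" * 16]))
```

A client that still sends only the `=response=` form will fail to log in against 6.45.1, so the "legacy-challenge" branch is useful mainly for spotting routers that have not been upgraded.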


Important changes in version 6.45.1:

  • ! dot1x - added support for IEEE 802.1X Port-Based Network Access Control; 
  • ! ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator; 
  • ! security - fixed vulnerabilities CVE-2019-13954, CVE-2019-13955; 
  • ! security - fixed vulnerabilities CVE-2019-11477, CVE-2019-11478, CVE-2019-11479; 
  • ! security - fixed vulnerability CVE-2019-13074; 
  • ! user - removed insecure password storage.


Other changes in this release:

  • bridge - correctly display bridge FastPath status when vlan-filtering or dhcp-snooping is used; 
  • bridge - correctly handle bridge host table; 
  • bridge - fixed log message when hardware offloading is being enabled; 
  • bridge - improved stability when receiving traffic over USB modem with bridge firewall enabled; 
  • capsman - fixed CAP system upgrading process for MMIPS; 
  • capsman - fixed interface-list usage in access list; 
  • ccr - improved packet processing after overloading interface; 
  • certificate - added "key-type" field; 
  • certificate - added support for ECDSA certificates (prime256v1, secp384r1, secp521r1); 
  • certificate - fixed self signed CA certificate handling by SCEP client; 
  • certificate - made RAM the default CRL storage location; 
  • certificate - removed DSA (D) flag; 
  • certificate - removed "set-ca-passphrase" parameter; 
  • chr - legacy adapters require "disable-running-check=yes" to be set; 
  • cloud - added "replace" parameter for backup "upload-file" command; 
  • conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160); 
  • conntrack - significant stability and performance improvements; 
  • crs317 - fixed known multicast flooding to the CPU; 
  • crs3xx - added ethernet tx-drop counter; 
  • crs3xx - correctly display auto-negotiation information for SFP/SFP+ interfaces in 1Gbps rate; 
  • crs3xx - fixed auto negotiation when 2-pair twisted cable is used (downshift feature); 
  • crs3xx - fixed "tx-drop" counter; 
  • crs3xx - improved switch-chip resource allocation on CRS326, CRS328, CRS305; 
  • defconf - added "custom-script" field that prints custom configuration installed by Netinstall; 
  • defconf - automatically set "installation" parameter for outdoor devices; 
  • defconf - changed default configuration type to AP for cAP series devices; 
  • defconf - fixed channel width selection for RU locked devices; 
  • dhcp - create dual stack queue based on limitations specified on DHCPv4 server lease configuration; 
  • dhcp - do not require lease and binding to have the same configuration for dual-stack queues; 
  • dhcp - show warning in log if lease and binding dual-stack related parameters do not match and create separate queues; 
  • dhcpv4-server - added "client-mac-limit" parameter; 
  • dhcpv4-server - added IP conflict logging; 
  • dhcpv4-server - added RADIUS accounting support with queue based statistics; 
  • dhcpv4-server - added "vendor-class-id" matcher (CLI only); 
  • dhcpv4-server - improved stability when performing "check-status" command; 
  • dhcpv4-server - replaced "busy" lease status with "conflict" and "declined"; 
  • dhcpv6-client - added option to disable rapid-commit; 
  • dhcpv6-client - fixed status update when leaving "bound" state; 
  • dhcpv6-server - added additional RADIUS parameters for Prefix delegation, "rate-limit" and "life-time"; 
  • dhcpv6-server - added "address-list" support for bindings; 
  • dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters; 
  • dhcpv6-server - added RADIUS accounting support with queue based statistics; 
  • dhcpv6-server - added "route-distance" parameter; 
  • dhcpv6-server - fixed dynamic IPv6 binding without proper reference to the server; 
  • dhcpv6-server - override prefix pool and/or DNS server settings by values received from RADIUS; 
  • discovery - correctly create neighbors from VLAN tagged discovery messages; 
  • discovery - fixed CDP packets not including address on slave ports (introduced in v6.44); 
  • discovery - improved neighbour's MAC address detection; 
  • discovery - limit max neighbour count per interface based on total RAM memory; 
  • discovery - show neighbors on actual mesh ports; 
  • e-mail - include "message-id" identification field in e-mail header; 
  • e-mail - properly release e-mail sending session if the server's domain name can not be resolved; 
  • ethernet - added support for 25Gbps and 40Gbps rates; 
  • ethernet - fixed running (R) flag not present on x86 interfaces and CHR legacy adapters; 
  • ethernet - increased loop warning threshold to 5 packets per second; 
  • fetch - added SFTP support; 
  • fetch - improved user policy lookup; 
  • firewall - fixed fragmented packet processing when only RAW firewall is configured; 
  • firewall - process packets by firewall when accepted by RAW with disabled connection tracking; 
  • gps - fixed missing minus close to zero coordinates in dd format; 
  • gps - make sure "direction" parameter is upper case; 
  • gps - strip unnecessary trailing characters from "longtitude" and "latitude" values; 
  • gps - use "serial0" as default port on LtAP mini; 
  • hotspot - added "interface-mac" variable to HTML pages; 
  • hotspot - moved "title" HTML tag after "meta" tags; 
  • ike1 - adjusted debug packet logging topics; 
  • ike2 - added support for ECDSA certificate authentication (rfc4754); 
  • ike2 - added support for IKE SA rekeying for initiator; 
  • ike2 - do not send "User-Name" attribute to RADIUS server if not provided; 
  • ike2 - improved certificate verification when multiple CA certificates received from responder; 
  • ike2 - improved child SA rekeying process; 
  • ike2 - improved XAuth identity conversion on upgrade; 
  • ike2 - prefer SAN instead of DN from certificate for ID payload; 
  • ippool - improved logging for IPv6 Pool when prefix is already in use; 
  • ipsec - added dynamic comment field for "active-peers" menu inherited from identity; 
  • ipsec - added "ph2-total" counter to "active-peers" menu; 
  • ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods; 
  • ipsec - added traffic statistics to "active-peers" menu; 
  • ipsec - disallow setting "src-address" and "dst-address" for transport mode policies; 
  • ipsec - do not allow adding identity to a dynamic peer; 
  • ipsec - fixed policies becoming invalid after changing priority; 
  • ipsec - general improvements in policy handling; 
  • ipsec - properly drop already established tunnel when address change detected; 
  • ipsec - renamed "remote-peers" to "active-peers"; 
  • ipsec - renamed "rsa-signature" authentication method to "digital-signature"; 
  • ipsec - replaced policy SA address parameters with peer setting; 
  • ipsec - use tunnel name for dynamic IPsec peer name; 
  • ipv6 - improved system stability when receiving bogus packets; 
  • ltap - renamed SIM slots "up" and "down" to "2" and "3"; 
  • lte - added initial support for Vodafone R216-Z; 
  • lte - added passthrough interface subnet selection; 
  • lte - added support for manual operator selection; 
  • lte - allow setting empty APN; 
  • lte - allow to specify URL for firmware upgrade "firmware-file" parameter; 
  • lte - do not show error message for info commands that are not supported; 
  • lte - fixed session reactivation on R11e-LTE in UMTS mode; 
  • lte - improved firmware upgrade process; 
  • lte - improved "info" command query; 
  • lte - improved R11e-4G modem operation; 
  • lte - renamed firmware upgrade "path" command to "firmware-file" (CLI only); 
  • lte - show alphanumeric value for operator info; 
  • lte - show correct firmware revision after firmware upgrade; 
  • lte - use default APN name "internet" when not provided; 
  • lte - use secondary DNS for DNS server configuration; 
  • m33g - added support for additional Serial Console port on GPIO headers; 
  • ospf - added support for link scope opaque LSAs (Type 9) for OSPFv2; 
  • ospf - fixed opaque LSA type checking in OSPFv2; 
  • ospf - improved "unknown" LSA handling in OSPFv3; 
  • ovpn - added "verify-server-certificate" parameter for OVPN client (CVE-2018-10066); 
  • ppp - added initial support for Quectel BG96; 
  • proxy - increased minimal free RAM that can not be used for proxy services; 
  • rb3011 - improved system stability when receiving bogus packets; 
  • rb4011 - fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset required); 
  • rb921 - improved system stability ("/system routerboard upgrade" required); 
  • routerboard - renamed 'sim' menu to 'modem'; 
  • sfp - fixed S-35LC20D transceiver DDMI readouts after reboot; 
  • sms - added USSD message functionality under "/tool sms" (CLI only); 
  • sms - allow specifying multiple "allowed-number" values; 
  • sms - improved delivery report logging; 
  • snmp - added "dot1dStpPortTable" OID; 
  • snmp - added OID for neighbor "interface"; 
  • snmp - added "write-access" column to community print; 
  • snmp - allow setting interface "adminStatus"; 
  • snmp - fixed "send-trap" not working when "trap-generators" does not contain "temp-exception"; 
  • snmp - fixed "send-trap" with multiple "trap-targets"; 
  • snmp - improved reliability on SNMP service packet validation; 
  • snmp - properly return multicast and broadcast packet counters for IF-MIB OIDs; 
  • ssh - accept remote forwarding requests with empty hostnames; 
  • ssh - added new "ssh-exec" command for non-interactive command execution; 
  • ssh - fixed non-interactive multiple command execution; 
  • ssh - improved remote forwarding handling (introduced in v6.44.3); 
  • ssh - improved session rekeying process on exchanged data size threshold; 
  • ssh - keep host keys when resetting configuration with "keep-users=yes"; 
  • ssh - use correct user when "output-to-file" parameter is used; 
  • sstp - improved stability when received traffic hits tarpit firewall; 
  • supout - added IPv6 ND section to supout file; 
  • supout - added "kid-control devices" section to supout file; 
  • supout - added "pwr-line" section to supout file; 
  • supout - changed IPv6 pool section to output detailed print; 
  • switch - properly reapply settings after switch chip reset; 
  • tftp - added "max-block-size" parameter under TFTP "settings" menu (CLI only); 
  • tile - improved link fault detection on SFP+ ports; 
  • tr069-client - added LTE CQI and IMSI parameter support; 
  • tr069-client - fixed potential memory corruption; 
  • tr069-client - improved error reporting with incorrect firmware upgrade XML file; 
  • traceroute - improved stability when sending large ping amounts; 
  • traffic-generator - improved stability when stopping traffic generator; 
  • tunnel - removed "local-address" requirement when "ipsec-secret" is used; 
  • userman - added support for "Delegated-IPv6-Pool" and "DNS-Server-IPv6-Address" (CLI only); 
  • w60g - do not show unused "dmg" parameter; 
  • w60g - prefer AP with strongest signal when multiple APs with same SSID present; 
  • w60g - show running frequency under "monitor" command; 
  • winbox - added "System/SwOS" menu for all dual-boot devices; 
  • winbox - do not allow setting "dns-lookup-interval" to "0"; 
  • winbox - show "LCD" menu only on boards that have LCD screen; 
  • wireless - fixed frequency duplication in the frequency selection menu; 
  • wireless - fixed incorrect IP header for RADIUS accounting packet; 
  • wireless - improved 160MHz channel width stability on rb4011; 
  • wireless - improved DFS radar detection when using non-ETSI regulated country; 
  • wireless - improved installation mode selection for wireless outdoor equipment; 
  • wireless - set default SSID and supplicant-identity the same as router's identity; 
  • wireless - updated "china" regulatory domain information; 
  • wireless - updated "new zealand" regulatory domain information; 
  • www - improved client-initiated renegotiation within the SSL and TLS protocols (CVE-2011-1473).

ТехноТрейд company, tel.: +38 (099) 238-88-98