7.23.2 [stable] is released!

That is of course easy. But what if you are at 7.22.x because of the IPv6 RA bug introduced in 7.23?

Then I can't help You. I'm posting the sucessful upgrade just so people with simple setups know, since this looks like more a security fix than a new release to me.

I Agree with you!
A minimum of transparency is needed.
"PPP" service could mean:

  1. PPPoE server/client
  2. PPTP server/client
  3. L2TP server/client
  4. SSTP server/client
  5. OpenVPN server/client

Considering the previous text of CVE (that one hidden/edited) did not mention anything about wireguard, and jus explicit reference to PPP.
I believe no. Wireguard is not afected.

RB5009 with a simple typical home config (vlan - wireguard - zerotier - ....) all went smooth!

Which services?

In a previous (now deleted post), @normis did mention all of PPPoE, PPTP, L2TP, SSTP, OpenVPN.

As for the "server/client" or only "server" or only "client" part: If we trust this statement:

then we can probably exclude anything "client" because the use of PPPoE client is very common for home user configs (it's one of the supported QuickSet options). Logic dictates that only the "server" part is affected.

There's nothing to be sorry about. Mikrotik should be sorry about "stringing us along" after fix is already out.

@normis As ISO 27001-certified organizations, you have a duty to inform us, your customers, about any vulnerabilities found in your products. Otherwise, it’s just a piece of paper.

After updating my MikroTik hAP ax² to firmware version 7.23.2, everything is working perfectly. Thank you!

Applied to RB5009 and wAP AX both previously running 7.23.2.

Safari seems snappier.

PPP bug sounds serious.

I had some issues updating a 4011 from previous patch version 7.23.1. Router is using pppoe client and it didn’t get the dynamic IP after rebooted. PPPoE client was running, with “R” flag on it, but IP > address was not populated, neither default route. After disable/enable interface, all good.

Anyone facing the same issue? Never had this before.

No, it works ok for me on the same device and upgrade.

I’d be willing to bet their legal team disagrees with you.
If you compare the information at https://mikrotik.com/supportsec with what’s at https://app.opencve.io/cve/?vendor=mikrotik, the discrepancy is glaring.

Just looking at 2023 onwards...
I think it’s safe to say that any CVEs not on MikroTik’s officially recognized list are still indirectly mentioned somewhere in the release notes regarding fixes—even if the CVE itself isn't explicitly named.

From what a friend living there explained to me, this is a cultural trait of Eastern European companies.
It likely has to do with legal strategies aimed at avoiding liability.

Has anything changed around using absolute FQDNs (ie with a trailing dot) in 7.21/7.22/7.23?

We plan to upgrade a bunch of CPEs from 7.15 to 7.2x, so we have done some quick preliminary testing with 7.23. Among other things, absolute FQDNs no longer seems to work:

# Absolute FQDN with trailing dot fails
[A@E7B401] > :put [:resolve xxx.yyy.com.]
failure: bad name

# Normal FQDN without trailing dot works
[A@E7B401] > :put [:resolve xxx.yyy.com]
nnn.nnn.nnn.nnn

Is there some system option that needs to be enabled now, or am I missing something obvious?

When I first connect a device that has just been upgraded to 7.23.2, the Winbox 4.2rc shows "RouterOS 7.23.1 available" in the status bar. Disconnecting and re-connecting sometimes fixes that, but not always. Winbox has to be completely closed and re-opened to completely fix it.

"Best" thing this might eventually lead to can be getting a reputation of "unverified security practices" or "questionable security practices". Liability can be avoided, but reputation is completely different matter.

found on reddit:

https://www.reddit.com/r/mikrotik/s/IczdxLydYW

Thanks! That's exactly how MT should've reported it in parallel to the release.

Instead the went for information hiding. I even would prefer "improved stability" instead of that weird, calming sentence. "sure, home users are not affected. At least the ones not using ppp service. but nevertheless, dear admin, please upgrade even if you maybe are not probably affected eventually."

Fact that this had to be posted somewhere else by someone else does not put Mikrotik in any sort of positive light here...