To upgrade, click “Check for updates” at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download
If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.
What’s new in 6.38.5 (2017-Mar-09 11:32):
!) www - fixed http server vulnerability;
What’s new in 6.38.4 (2017-Mar-08 09:26):
*) chr - fixed problem when transmit speed was reduced by interface queues;
*) dhcpv6-server - require “address-pool” to be specified;
*) export - do not show “read-only” IRQ entries;
*) filesystem - implemented procedures to verify and restore internal file structure integrity upon upgrading;
*) firewall - do not allow to set “time” parameter to 0s for “limit” option;
*) hotspot - fixed redirect to URL where escape characters are used (requires newly generated HTML files);
*) hotspot - show Host table commentaries also in Active tab and vice versa;
*) ike1 - fixed “xauth” Radius login;
*) ike2 - also kill IKEv2 connections on proposal change;
*) ike2 - always limit empty remote selector;
*) ike2 - fixed proposal change crash;
*) ike2 - fixed responder subsequent new child creation when PFS is used;
*) ike2 - fixed responder TS updating on wild match;
*) ipsec - deducted policy SA src/dst address from src/dst address;
*) ipsec - do not require “sa-dst-address” if “action=none” or “action=discard”;
*) ipsec - fixed SA address check in policy lookup;
*) ipsec - hide SA address for transport policies;
*) ipsec - keep policy in kernel even with bad proposal;
*) ipsec - kill ph2 on policy removal;
*) ipsec - updated/fixed Radius attributes;
*) irq - properly detect all IRQ entries;
*) l2tp-client - fixed IPSec policy generation after reboot;
*) l2tp-client - require working IPSec encryption if “use-ipsec=yes”;
*) lcd - show fan2 speed only if it is available;
*) profile - classify ethernet driver activity properly in ARM architecture;
*) snmp - added SSID to CAPsMAN registration table;
*) snmp - fixed “/tool snmp-get” crash on session timeout;
*) snmp - fixed CAPsMAN registration table OID print;
*) snmp - fixed situation when SNMP could not read “/system health” values after reboot;
*) userman - allow access to User Manager users page only through “/user” URL;
*) userman - show warning when no users are selected for CSV file generation;
*) winbox - do not hide “power-cycle-after” option;
*) winbox - hide advertise tab in Hotspot user profile configuration if “transparent-proxy” is not enabled;
*) winbox - make “power-cycle-interval” not to depend on “power-cycle-ping-enabled” in PoE settings;
*) winbox - properly show BGP communities in routing filters table filter;
*) wireless - fixed scan tool stuck in background;
*) wireless - improved compatibility with Intel 2200BG wireless card;
Would this fix address issues like I’ve seen on upgrade to 6.38.3?
I’ve had several devices get stuck in a strange mode after upgrading to 6.38.3, where ssh didn’t work, “webfig” showed “RouterOS v” (no version number) and the upgrade seemed to be in some half-failed state. In this state, System/Packages showed only the newly downloaded version, but in a “disabled” or “uninstalled” state.
Rebooting from a second partition with a slightly older RouterOS version on it and then upgrading again would make the devices work.
I strongly believe this update was released now in response to the CIA Vault 7 / Wikileaks leak that became known yesterday.
I expect we may have a further update from Mikrotik once it has more info about the tools used, when Wikileaks makes them available for analysis, but kudos to them for the fast turnaround on getting something pushed out to address this.
Can we please get confirmation on this? I’d like to get our equipment updated as soon as possible, or at least have a way to mitigate the CIA’s exploit before it gets publicly released. People are speculating that disabling the HTTP server (port 80) will fix it, but I’d like to have an official announcement.
There’s more info in the official post basically reiterating the same thing - ensure publicly available interfaces are locked down, as more information becomes available MikroTik will post an update.
IPsec Xauth PSK NAT-T roadwarrior config (the Android-compatible one) still seems to be broken (since v6.38), phase 2 fails. Also tried on 6.38.3, 6.38.4 and 6.39rc45, same results.
Reverting to v6.37.4 (or 6.37.3 or older) removes the problem. No changes are done to the configuration.
mar/09 00:15:55 ipsec,info respond new phase 1 (Identity Protection): y.y.y.y[500]<=>x.x.x.x[29243]
mar/09 00:15:55 ipsec,info ISAKMP-SA established y.y.y.y[4500]-x.x.x.x[24396] spi:c8dc4a12a919f674:041afe17fc36e624
mar/09 00:15:55 ipsec,info XAuth login succeeded for user: ipsecuser
mar/09 00:15:55 ipsec,info acquired y.y.z.z address for x.x.x.x[24396]
mar/09 00:15:56 ipsec,error x.x.x.x failed to pre-process ph2 packet.
mar/09 00:15:59 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:16:02 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:16:05 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:16:08 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:16:11 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:16:14 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:16:17 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:16:20 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:16:23 ipsec,error x.x.x.x peer sent packet for dead phase2
mar/09 00:18:20 ipsec,info purging ISAKMP-SA y.y.y.y[4500]<=>x.x.x.x[24396] spi=c8dc4a12a919f674:041afe17fc36e624:fefba073.
mar/09 00:18:21 ipsec,info ISAKMP-SA deleted y.y.y.y[4500]-x.x.x.x[24396] spi:c8dc4a12a919f674:041afe17fc36e624 rekey:1
Enable ipsec debug logs, generate a supout file and send it to support. If you encounter a bug, contact support directly; the forum is not the right way to report bugs.
RSTP on bridges still blocking traffic.
Two RB951g connected with VLANs declared on bridges. Traffic doesn’t pass while RSTP is enabled.
If it is disabled everything is fine. Going back to 6.37.4 bugfix fixes the issue. So, what is the problem?
Can anyone clear this issue? This started with 6.38. I know changes have been made regarding RSTP in 6.38, but the routers used all have the same ROS version.
I’ve updated four 951 routers with 6.38.5. Three of these had no problems, but the fourth went to a CPU load averaging 85% for no obvious (to me) reason.
It was like this from restart after upgrade until I discovered it 6 hours later. Rebooting it again fixed the problem.
Upgraded hEX-Gr3, RB2011UiAS-2HnD, couple of hAP lites, couple of hAP AC lites, mAP-2n, RB951G, couple of mAP lites and a wAP. So far no problems.
On hEX I’ve experienced something strange, but not only in this version: sometimes the PPPoE client would come up “dead” after an upgrade, and I have to disable it for a while and re-enable it for it to work. Next time I will generate a supout and send it to support. Has anyone seen this on this device?
WARNING: Don’t upgrade to this version (v.6.38.5) if you use CHRs !!!
All my licensed instances, after the upgrade, when booting:
Loading system with initrd
XZ-compressed data is corrupt
-- System halted_
I checked with a fresh install of CHR in free mode… and after the upgrade… the same message. DON’T UPGRADE!!!
I hope the Mikrotik team first checks the CHR upgrades! This isn’t professional.
I think so, however this is a common problem, not specific to my case: check it… install a fresh 6.38.3 CHR in ESXi 6.5… then update to 6.38.5… boom! Are you sure that this isn’t a common problem?