v6.44.5 [long-term] is released!

RouterOS version 6.44.5 has been released in the public “long-term” channel!

Before an upgrade:

  1. Remember to make backup/export files before an upgrade and save them on another storage device;
  2. Make sure the device will not lose power during upgrade process;
  3. Device has enough free storage space for all RouterOS packages to be downloaded.

What’s new in 6.44.5 (2019-Jul-04 10:32):

MAJOR CHANGES IN v6.44.5:

!) security - fixed vulnerabilities CVE-2018-1157, CVE-2018-1158;
!) security - fixed vulnerabilities CVE-2019-11477, CVE-2019-11478, CVE-2019-11479;
!) security - fixed vulnerability CVE-2019-13074;

Changes in this release:

*) bridge - correctly handle bridge host table;
*) capsman - fixed CAP system upgrading process for MMIPS;
*) capsman - fixed interface-list usage in access list;
*) certificate - removed “set-ca-passphrase” parameter;
*) cloud - properly stop “time-zone-autodetect” after disable;
*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);
*) defconf - automatically set “installation” parameter for outdoor devices;
*) dhcpv6-client - fixed status update when leaving “bound” state;
*) dhcpv6-server - fixed dynamic IPv6 binding without proper reference to the server;
*) dhcpv6-server - override prefix pool and/or DNS server settings by values received from RADIUS;
*) discovery - fixed CDP packets not including address on slave ports (introduced in v6.44);
*) e-mail - properly release e-mail sending session if the server’s domain name can not be resolved;
*) firewall - fixed fragmented packet processing when only RAW firewall is configured;
*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking;
*) gps - strip unnecessary trailing characters from “longtitude” and “latitude” values;
*) hotspot - moved “title” HTML tag after “meta” tags;
*) ipv6 - improved system stability when receiving bogus packets;
*) ovpn - added “verify-server-certificate” parameter for OVPN client (CVE-2018-10066);
*) rb3011 - improved system stability when receiving bogus packets;
*) rb921 - improved system stability (“/system routerboard upgrade” required);
*) snmp - improved reliability on SNMP service packet validation;
*) ssh - fixed non-interactive multiple command execution;
*) supout - added IPv6 ND section to supout file;
*) supout - added “pwr-line” section to supout file;
*) supout - changed IPv6 pool section to output detailed print;
*) winbox - do not allow setting “dns-lookup-interval” to “0”;
*) wireless - improved DFS radar detection when using non-ETSI regulated country;
*) wireless - improved installation mode selection for wireless outdoor equipment;
*) wireless - updated “china” regulatory domain information;
*) www - improved client-initiated renegotiation within the SSL and TLS protocols (CVE-2011-1473);

For a full changelog please visit https://mikrotik.com/download/changelogs

To upgrade, click “Check for updates” at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version-related issues, then please send a supout file from your router to support@mikrotik.com. The file must be generated while the router is not working as suspected or after some problem has appeared on the device.

Please keep this forum topic strictly related to this specific RouterOS release.

There is a critical issue for me: the firewall input chain with drop action on invalid connection state now drops incoming EoIP packets for no reason.

Isn’t EoIP using GRE?

*) conntrack - fixed GRE protocol packet connection-state matching (CVE-2014-8160);

So make sure you’re allowing GRE before dropping invalid connections.
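The rule-ordering advice in the reply above can be checked offline against a `/ip firewall filter` export. The following is an added example, not part of the original thread and not MikroTik code; the sample export, the address 192.0.2.10 and the function names are constructed for illustration, and it assumes the standard export layout (a section header line followed by `add ...` lines).

```python
import re
import shlex

# Constructed sample export (not from the thread): drop-invalid precedes the GRE accept.
SAMPLE_BAD = r'''/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid comment="drop invalid"
add action=accept chain=input protocol=gre src-address=192.0.2.10 \
    comment="EoIP peer"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
'''

def parse_filter_rules(export_text):
    """Return the rules of the '/ip firewall filter' section as dicts, in order."""
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # join continuation lines
    rules, in_filter = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_filter = line.split() == ["/ip", "firewall", "filter"]
        elif in_filter and line.startswith("add "):
            tokens = shlex.split(line)[1:]  # keeps quoted comments as one token
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules

def gre_dropped_as_invalid(rules, chain="input"):
    """True if a drop-invalid rule in `chain` is reached before any GRE accept."""
    for rule in rules:
        if rule.get("chain") != chain or rule.get("disabled") == "yes":
            continue
        action = rule.get("action", "accept")  # RouterOS default action is accept
        # Only an accept without a connection-state matcher is sure to see every GRE packet.
        if action == "accept" and rule.get("protocol") == "gre" \
                and "connection-state" not in rule:
            return False
        if action == "drop" and "invalid" in rule.get("connection-state", "").split(","):
            return True  # GRE classified as invalid is dropped here
    return False

if __name__ == "__main__":
    print("EoIP/GRE at risk:", gre_dropped_as_invalid(parse_filter_rules(SAMPLE_BAD)))
```

The check is a heuristic on rule order only; it does not model address lists, jumps to custom chains or negated matchers.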

after upgrading from 6.43.16 to 6.44.5 ipsec dropped
/ ip ipsec identity
add peer = peer1 became one for all connections

You are right, the problem is in GRE state matching, but why are EoIP tunnels in invalid connection state now?

upgrading from 6.43.16 to 6.44.5
lost users /ip ipsec user
Where to look?

Mikrotik, please, write changelogs properly! Since separating stable and long-term channels they are incomplete, at least for long-term. Every changelog must contain all changes and fixes from previous same channel release, not from previous release by number. It will eliminate such problems, as in one of previous comments about lost /ipsec users. Yes, this change (ipsec - removed “users” menu, XAuth user configuration is now handled by “identity” menu) is mentioned in changelog, in version 6.44 stable changelog. But nothing about it in 6.44.5 long-term changelog! Yes, I am angry, months are gone and nothing changes.

karlisi, it is hard to judge about proper and improper ways for changelogs syntax. However, we will try to improve it for the next versions, thank you for the report.

It is enough to lay out the full list of changes v6.44.5 relative to 6.43.16 long-term

The [netinstall-6.44.5.zip] seems corrupted, please confirm ..thanks

Try using Mozilla Firefox to download a netinstall 6.44.5

https://download.mikrotik.com/routeros/6.44.5/netinstall-6.44.5.zip

File from 159.148.147.204 is corrupted.
https://159.148.172.226/routeros/6.44.5/netinstall-6.44.5.zip seems ok.

confirm
Net_6445.JPG

Your image is corrupted :slight_smile:

Dude client 6.44.5 file size 0kb
https://download.mikrotik.com/routeros/6.44.5/dude-install-6.44.5.exe

corrected :wink:

Now it’s encrypted in cyrillic :wink:

Upgraded from 6.44.3 on rb750gr3 without issue. Everything works great.

More download issues to add to above : Dude and x86 server packages are also 0 bytes.

No issues 6.43.16 LT to 6.44.5 LT on: CCR1016, CRS125, CHR, wAP60G, RB951G, SXT5AC

It is enough to lay out the full list of changes v6.44.5 relative to 6.43.16 long-term

Exactly!