RouterOS version 6.49.13 has been released in the “v6 stable” channel!
Before an upgrade:
Remember to make backup/export files before an upgrade and save them on another storage device;
Make sure the device will not lose power during upgrade process;
Device has enough free storage space for all RouterOS packages to be downloaded.
What’s new in 6.49.13 (2024-Feb-05 15:39):
*) defconf - fixed firewall rule for IPv6 UDP traceroute;
To upgrade, click “Check for updates” at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download
If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while a router is not working as suspected or after some problem has appeared on the device
Please keep this forum topic strictly related to this particular RouterOS release.
Why are v7 release topics renamed and used throughout 7.13.x patch releases (7.13.1, 7.13.2, etc.) but on v6 there is still a separate topic for each release. 6.49.12 (and before all 6.49.x) got its own topic and now 6.49.13.
Also: why is a new stable release made for such an irrelevant bug? According to many, “nobody uses IPv6”. Today’s end-user never uses “traceroute”. And a change in defconf will not affect people that just upgrade, only those that reset to defaults. That fact is not even mentioned in the article.
It would have been easier (and better) to publish a recommended change in the firewall rules.
So as discussed many times before: a user that never touched the default firewall rules won’t ever get this change automatically. It will stay broken until the user throws the device away or the user reviews his firewall filter rules and finds out: “hey, there was a change. need to adjust my rules.”.
Why not just auto-migrate rules with the exact comment “defconf: accept UDP traceroute” (when not modified by user)? And even when the user has modified the firewall default rule: why not just show a red alert-line in winbox/cli that warns the user: “ding ding ding! alert! outdated firewall rule! here is a link to upgrade guide: insert URL to docs here”
Or is this rule already auto-migrated on upgrade to 6.49.13?
Or at very least minimum: write better changelogs. It is easy to maintain a separate page in MT docs (maybe called: “defconf changelog”). There you can reflect the exact change with a side by side diff (before/after). So anyone can see at a glance how default config changed over version/time.
Let’s start writing proper documentation. Everyone can profit from it.
It is even worse! Most users of v6 (or those that migrated from v6) will have no IPv6 firewall AT ALL, because v6 comes with IPv6 disabled, and when you enable it (and reboot) it WILL NOT apply the default IPv6 configuration. So the firewall is empty.
Only when you reset to default config after enabling IPv6 (and also upgrading to the current version) you will get the default firewall config.
Reading the research by infabo it actually is a security issue. But as usual that was not mentioned in the release notes.
The default config, when it has been applied, opens e.g. the DNS resolver when source-port 33434-33534 is used, and it can be abused for DDoS amplification.
However, publishing an updated version will do nothing to rectify that.
*) branding - fixed execution of “autorun.scr” file when installing branding package (introduced in v6.47);
*) routerboot - prevent enabling “protected-routerboot” on unsupported factory firmware versions;
*) routerboot - properly reset system configuration when protected bootloader is enabled and reset button used;
*) system - improved handling of user policies;
*) wireless - fixed disconnection of connected client while running background scan on wAP ac and wAP R ac devices;
*) wireless - fixed missing wireless interface on some RB921GS-5HPacD devices;
A CVE score 7+ and the only mentioning is:
*) system - improved handling of user policies;
This would make me cry - if I would be a professional IT infrastructure admin.
It was an example. Generally, MikroTik do not tell us in releasenotes what “improved handing” or “improved stability” mean w.r.t. security.
That is not right… and in the case of 6.49.13 it solves a security issue only for devices shipped with 6.49.13 installed. Are there any?
(no need to repeat what I think should be done with release notes - I explained that several times already)
But there is a gap in release of the fixed ROS version “6.49.7 (2022-Oct-11 17:37)” and the blog article from 27th Jul, 2023. I don’t know why there is this time offset in fixing and announcing that something critical was fixed.
Usually such issues are fixed even before CVE is created. Thus, there is no CVE number to refer to. When there is an actual CVE available at the time of the release, then it is mentioned in the changelog. You can go through changelog history and see that by yourselves.
We do not “update” chagelogs after release, since they are usually right away re-published in many other sites and are out of our hands.
It was not critical. It requires full admin access. It’s like you own your phone and you yourself would like to jailbreak it. In this case v7 was fixed immediately, because v7 is the current version. v6 is lower priority, since it is the EOL version.
Now back to the topic. You published a new version to fix something in the default config. How do you think that publishing this new version is going to affect ANYTHING?
Should there, at minimum, not be some simple directions in the announcement article that explain what you need to change when you already have a configured router?