v6.49.7 [stable] is released!

Announcements
1

RouterOS version 6.49.7 has been released in public “stable” channel!
Before an upgrade:

  1. Remember to make backup/export files before an upgrade and save them on another storage device;
  2. Make sure the device will not lose power during upgrade process;
  3. Device has enough free storage space for all RouterOS packages to be downloaded.

What’s new in 6.49.7 (2022-Oct-11 17:37):

*) branding - fixed execution of “autorun.scr” file when installing branding package (introduced in v6.47);
*) routerboot - prevent enabling “protected-routerboot” on unsupported factory firmware versions;
*) routerboot - properly reset system configuration when protected bootloader is enabled and reset button used;
*) system - improved handling of user policies;
*) wireless - fixed disconnection of connected client while running background scan on wAP ac and wAP R ac devices;
*) wireless - fixed missing wireless interface on some RB921GS-5HPacD devices;

To upgrade, click “Check for updates” at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device

Please keep this forum topic strictly related to this particular RouterOS release.

v6.49.6 [stable] is released!
v6.49.13 [stable] is released!
2

Is this release affected by those:

CVE-2022-41674: fix u8 overflow in cfg80211_update_notlisted_nontrans (max 256 byte overwrite) (RCE)
CVE-2022-42719: wifi: mac80211: fix MBSSID parsing use-after-free use after free condition (RCE)
CVE-2022-42720: wifi: cfg80211: fix BSS refcounting bugs ref counting use-after-free possibilities (RCE)
CVE-2022-42721: wifi: cfg80211: avoid nontransmitted BSS list corruption list corruption, according to Johannes will however just make it endless loop (DOS)
CVE-2022-42722: wifi: mac80211: fix crash in beacon protection for P2P-device NULL ptr dereference crash (DOS)

3

Did you check that these CVE are for 5.x kernel (checked 3 of them)? ROS 6.xx is based on older kernel and wifi drivers are made by Mikrotik

4

ROS 6.x is not dead :slight_smile:

5

is not dead :slight_smile:

6

*) system - improved handling of user policies;

What exactly was improved? I personally have not experienced any problems with user policies

7

Posted into new thread.

8

screenshot of my firewall filter rule log.

https://ibb.co/02VB6zK

9

@nabeelryk

What is wrong with your log
You have extra features added on your log

10

Yes i turned on firewall filter rule log.

/ip firewall filter
add action=accept chain=input comment=\
    "Accept telnet SSH api api-ssl Ports on Home / Management Only" dst-port=\
    8291,8728,8729,21,22,23,80,443 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Accept http, https on PTCL GPON vlan" \
    dst-port=80,443,8291 in-interface=vlan12 log=yes protocol=tcp
11

Something tells me you forgot to update the other packages too, not just RouterOS…

@nabeelryk open your own topic, do not pollute this.

12

User Manager has nothing todo with NAT and firewall and access management.
So whats your point ?

Okey I open a new thread.

13

I haven’t experienced any issues, either. It may be an improvement that isn’t needed for 99.9999% of the MikroTik devices. It is likely a feature request from a particular user who uses user policies heavily.

14

Updated SXT LTE kit from 6.49.6 to 6.49.7. No new issues found so far.

15

There is a security bug that allows users with limited privileges to elevate them (“become admin”). It requires a specific setup to exist.

16

Updated my entire network successfully with no issues. Thanks for this update!!!

Regards.

17

Why is this not flagged as a security issue with an accompanying advisory?

18

No need to wake sleeping dogs…

19

Exactly… I think it was added to 6.49 as well thanks to my post: [ http://forum.mikrotik.com/t/v7-6beta-testing-is-released/160567/1 ]
But it is such a peculiar thing, that it is difficult to exploit it if there are not several prerequisites first.

20

I’m sure you discussing exploiting something that was unpatched that you did not report for your own personal gain helped motivate the change. I’m baffled how you still don’t seem to understand how negative this is.