v6.49.8 [long-term] is released!

RouterOS version 6.49.8 has been released in the “v6 long-term” channel!
Before an upgrade:

  1. Remember to make backup/export files before an upgrade and save them on another storage device;
  2. Make sure the device will not lose power during the upgrade process;
  3. Device has enough free storage space for all RouterOS packages to be downloaded.

What’s new in 6.49.8 (2023-Jul-19 13:40):
!) ipv6 - fixed DNS server processing by IPv6/ND services (CVE-2023-32154);
*) console - updated copyright notice;
*) defconf - fixed invalid default password setting after configuration reset for 60GHz interface (introduced in v6.49.5);
*) firewall - fixed IRC NAT helper (CVE-2022-2663);
*) hotspot - improved stability when receiving bogus packets;
*) smb - fixed SMB2 file list reporting;

To upgrade, click “Check for updates” at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

If you experience version-related issues, please send a supout file from your router to support@mikrotik.com. The file must be generated while the router is not working as expected or after some problem has appeared on the device.

Please keep this forum topic strictly related to this particular RouterOS release.

So far so good on roll out on test devices/networks, no issues so far, after some more testing will start slowly rolling out to main network. Glad there was an update, I have many mipsbe devices that really can’t run V7 in production.

Updated a RB750r2 (was 6.49.6) and RB750Gr3 (was 6.49.7) to 6.49.8 without issues noted so far. Neither of those is critical.
I will update my RB4011 (currently 6.49.6) tonight when I’m home. This one is critical to my operation.

Updated RB4011 from 6.49.7. No problems so far. IPv6 is working like before, using DHCPv6 client for prefix and address, ND and DHCPv6 server for transmitting DNS servers. Router advertisements on in IPv6 settings.

Thank you for the security fix.

Thanks for this update.

Upgraded successfully all my devices.

Regards.

Anyone else having an issue with the date/time settings after upgrade?
Mine was 12h off. I had to manually set my time.
Then enabled SNTP and added se.pool.ntp.org as servers.

MT devices don’t have RTC built in, so ROS has to “invent” an approximation to current time when it boots. After initial boot (from factory or after netinstall), ROS doesn’t have any better clue so it sets time to 1970-01-01 00:00:00. After a “normal” reboot, ROS takes time stamp of some of recent files and starts from there. Since everybody wants small number of writes to built-in storage, this means that timestamp can be old (from minutes to hours).

So when there’s a mechanism which retrieves precise time stamps (either NTP client or cloud time) and ROS has to step time (by more than some margin, with normal NTP client this is when time difference exceeds a few tens of seconds), there’s a log entry - because stepping time means discontinuity in timestamps (e.g. of log entries). Seeing those in log happening a short time period after device reboot is thus normal. However, if this happens regularly or after longer uptime, this might indicate some kind of problem.

And yes, configuring and enabling (S)NTP client on ROS device is the right thing to do.

Thank you!

I have not noticed that. All is working fine.

Regards.

On my ROS 7.9.1 driven RB951G I got a single


may/22 12:48:52 system,critical,info ntp change time May/22/2023 12:48:52 => May/22/2023 19:21:20

about 16 seconds after booting. Seems like the log entry timestamp is the unstepped value … The time step of 6,5 hours is substantial. Another device had time step of almost 16 hours.

I think it’s much better to see such a time step early after boot than to have time offset dragging for days (or forever if device doesn’t get any time update from any source).

[edit]
I’m looking at one of ROS 6.49.8 driven devices. There I don’t see similar message. However I’m suspecting that time step does happen as well, there’s a timestamp discontinuity during later stages of boot procedure, amounting to “only” 1,5 minutes …
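An added example, not part of any post in this thread and not MikroTik code: a small Python parser for the `ntp change time` message format quoted above, which reports each step and marks any step after the first as worth investigating. It assumes the lines come from one boot session (for instance the in-memory log, which does not survive a reboot); the function name and all sample lines except the first are constructed.

```python
import re
from datetime import datetime

# Message format as quoted in the thread:
#   ntp change time May/22/2023 12:48:52 => May/22/2023 19:21:20
TS = r"(\w{3}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2})"
STEP_RE = re.compile(r"ntp change time " + TS + r" => " + TS)
TS_FORMAT = "%b/%d/%Y %H:%M:%S"

# First line is the one quoted in the thread; the others are constructed.
SAMPLE_LOG = [
    "may/22 12:48:52 system,critical,info ntp change time "
    "May/22/2023 12:48:52 => May/22/2023 19:21:20",
    "may/22 19:25:02 system,info,account user admin logged in "
    "from 192.0.2.10 via winbox",
    "may/25 03:10:00 system,critical,info ntp change time "
    "May/25/2023 03:10:00 => May/25/2023 03:14:30",
]


def find_time_steps(log_lines):
    """Return one record per clock step in a single boot session's log.

    Assumption: no reboot happened between the first and last line, so the
    gap between one step's new time and the next step's old time is real
    elapsed time on a clock that had already been corrected once.
    """
    steps = []
    prev_new = None
    for line in log_lines:
        match = STEP_RE.search(line)
        if not match:
            continue
        old = datetime.strptime(match.group(1), TS_FORMAT)
        new = datetime.strptime(match.group(2), TS_FORMAT)
        steps.append({
            "old": old,
            "new": new,
            "step": new - old,
            "since_previous_step": None if prev_new is None else old - prev_new,
            # The first step after boot is expected on a device without an
            # RTC; a further step in the same session is not.
            "suspicious": prev_new is not None,
        })
        prev_new = new
    return steps


if __name__ == "__main__":
    for s in find_time_steps(SAMPLE_LOG):
        print(s["old"], "=>", s["new"], "step", s["step"],
              "INVESTIGATE" if s["suspicious"] else "expected after boot")
```

Because every log entry written before the first step carries the unstepped clock, entries from that window need the reported step added before they are correlated with logs from other systems.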

Hi Mikrotik,

in v6.48.9

/ipv6 route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
       DST-ADDRESS       GATEWAY                 DISTANCE
0 ADb  2001:4:112::/48   fe80::a05:e2ff:fe07:7…        20
1 Db   2001:4:112::/48   fe80::a05:e2ff:fe07:7…        20
2 ADb  2001:500:3::/48   fe80::6e3b:6bff:feec:…        20
3 Db   2001:500:3::/48   fe80::6e3b:6bff:feec:…        20

in v7.10rc
MikroTik-BGP] > /ipv6/route/print
Flags: D - dynamic; X - disabled, I - inactive, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, g - slaac, y - bgp-mpls-vpn; H - hw-offloaded; + - ecmp
     DST-ADDRESS         GATEWAY                 DISTANCE
DAb  2001::/32           2001:f20:f000:3815:4:…        20
DAb  2001:4:112::/48     2001:f20:f000:3815:4:…        20
DAb  2001:200::/32       2001:f20:f000:3815:4:…        20
DAb  2001:200:900::/40   2001:f20:f000:3815:4:…        20
DAb  2001:200:e00::/40   2001:f20:f000:3815:4:…        20
[Q quit|D dump|down]


I have a reply from support regarding this issue: with v6 I have to filter it to make global as preferred.

Can you make v6 also choose global as the preference, please?
It’s not the common way with other routers, and it makes our partners with other routers ask why.
Please make it the standard/common way without adding any additional filter.

thx

Version 6 will only receive critical and security fixes. There are no plans to add general behavior adjustments or new features to it.

INFO ONLY:

MS Win 10.0.19045.3086
sigcheck -s -e -u -c .

Sigcheck v2.90 - File version and signature viewer
Copyright (C) 2004-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

EXPIRED = A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file

Publisher, Date, Verified, Path
Mikrotikls SIA, 22.05.2023 15:44, EXPIRED, .\routeros\6.49.8\btest.exe
Mikrotikls SIA, 05.01.2012 20:21, EXPIRED, .\routeros\6.49.8\dude-install-6.49.8.exe
Mikrotikls SIA, 22.05.2023 15:45, EXPIRED, .\routeros\6.49.8\flashfig.exe
Mikrotikls SIA, 22.05.2023 15:44, EXPIRED, .\routeros\6.49.8\unpacked\netinstall.exe
Mikrotikls SIA, 01.01.1970 02:00, EXPIRED, .\routeros\6.49.8\unpacked\netinstall64.exe

Mikrotikls SIA, 23.05.2023 07:57, EXPIRED, .\routeros\6.48.7\btest.exe
Mikrotikls SIA, 05.01.2012 20:21, EXPIRED, .\routeros\6.48.7\dude-install-6.48.7.exe
Mikrotikls SIA, 23.05.2023 07:57, EXPIRED, .\routeros\6.48.7\flashfig.exe
Mikrotikls SIA, 23.05.2023 07:56, EXPIRED, .\routeros\6.48.7\unpacked\netinstall.exe
Mikrotikls SIA, 01.01.1970 02:00, EXPIRED, .\routeros\6.48.7\unpacked\netinstall64.exe

EDIT: formatting changed to not appear as an alert and appear more as an info

A file signed in the past, with a certificate that was valid at the time, but has now expired, does not mean that the file is corrupted or that the signature is forged…

You are creating Alerts for nothing…

Does this version include the fix of #[SUP-92244] regarding max active sessions of The Dude?

thank you

P

ROS 6 CVE-2023-30799
https://nvd.nist.gov/vuln/detail/CVE-2023-30799
Actual ???

I see 6.49.8 is showing longterm, and 6.49.7 stable. Strange

6.49.8 has been promoted to the long-term channel. At the moment, for v6, the long-term and stable releases are both the same - 6.49.8. There is a little mixup with the download page which will be fixed as soon as possible.

The only difference between stable and long-term releases is the name under, for example, the “/system resources” menu.

So the vulnerability is relevant in v6.49.8 ???

If it’s the case, it needs to be fixed. It seems that you need a user that does have the right to log in to the router to use this vulnerability.
But I do not feel any pity for users leaving Winbox or HTTP admin GUI open to the public.