V7.19.6 [stable] is released!

The access to "lo" and the 127.0.0.1 IP address was added only relatively recently.
Maybe not all applications really understand its use...
I have configured user-manager with the LAN IP address and it has always worked.

1 Like

But... the LAN IP can change, 127.0.0.1 is still the same.
127.0.0.1 and lo have always existed, only lo has recently been exposed.

This is not changing anything, because RoS changes the src IP in the response, which is wrong.

The answer was for @pe1chl, not for you.

@oreggin open a ticket with detailed info and supout.rif

Thanks, I already did (SUP-197297)

Does anyone know if there is an ongoing issue with BFD since 7.19.2?

Currently deploying a new 2116 on 7.19.4 and BFD for OSPF is not working.

Exact same model and config on 7.18.2, no issues.

Do you have BFD enabled for the "directions" you want to have BFDed?
Please do not ask how much time it took me to find this obvious problem. Too much :slight_smile:

Well, usually there is some fix mentioned in the changelog, and it is hard for a regular customer to tell whether that fix can or cannot affect the security of the router. And in most home setups the router is the only security wall between the local LAN and the outside world, so a suggestion like "don’t update your router" or "why do you need to update the router" can be potentially dangerous.

For example from this release:

  • ipv6 - fixed policy routing;
    How do I know if this fix is related to some possible security vulnerability or not?
    And there are multiple points like this.

I think users who don’t care about security will buy a cheap TP-Link. And users who pay a premium for MikroTik expect to install each update to improve the security of their devices.

I think you are the first manufacturer I have ever heard of to suggest that users not install the latest updates and keep running outdated software.

It is often impossible to know completely for sure if a fix is remotely related to any possible security issue you might imagine.
E.g. the above would not be considered security related (it is related to routing) but when you argue deeply enough you could say a wrongly routed packet could be a security issue.
So don't expect such a mention in change notices, it would induce a liability and serve no real purpose.

@pe1chl I was reacting to this post; I find it strange to suggest that users not update to the latest stable release:

I would expect the testing and development channels not to be suggested for use by everyone. But I don’t understand the suggestion to not install every update from the stable channel.

"Better is the enemy of good" or "Not broken, do not fix it", or experience says that a "gentle touch of a screwdriver to a stuck screw" results in a totally irreparable broken thread.

1 Like

And I don't understand those who are regularly updating without any reason. Rule of thumb: if it works, don't touch it.

Yes, and then people cry when their data gets encrypted by ransomware, or their credit card numbers are stolen, just because they run old software with unpatched vulnerabilities. Which could be prevented just by installing updates. As I mentioned above, from the current changelog it is hard for a regular user to tell whether the “fixed” things in a release are security related or not. So it is better to update than be sorry later. If there were some LTS release of RouterOS 7 it would be easy to stick to it, and MikroTik could easily do updates even every day if they like and release to LTS only once in a while or when some important fixes are released. But in the current state you can only stick to the stable channel.

Your rule of thumb is nice for offline devices, but not for something directly exposed to the internet. Even brands like Microsoft, Apple, Google, Samsung etc.: every serious software manufacturer suggests that users use up-to-date software.

And even MikroTik suggests that on the wiki: https://wiki.mikrotik.com/Manual:Upgrading_RouterOS#:~:text=It%20is%20suggested%20to%20always%20keep%20your,Take%20a%20look%20at%20our%20new%20documentation!
“It is suggested to always keep your RouterOS installation up to date, MikroTik always keeps adding new functionality and improving performance and stability by releasing updates.”

It's not such an obvious direct implication.
The biggest problem is that people tend to not think when they click "something" and "somewhere" thinking that they "ought to".

Yes, I agree 100% that users click everywhere without thinking.

Sometimes security fixes are not declared explicitly and several months later a security announcement is made like "hey, we fixed this security hole already some versions ago.". Like here for example: https://mikrotik.com/supportsec/cve-2023-30799

*) system - improved handling of user policies;

So I would say: watch and read changelogs carefully to spot suspicious changelog items. Even when these are declared as "improved stability" or "fixed". Always check the context.

1 Like

In the past, MikroTik have warned us when there was a gaping security hole. That hasn't happened that often.
In practice it is more likely that security problems are caused by users doing incorrect configuration than by problems in RouterOS software.
You cannot really compare the situation in e.g. Windows, where the user is running software that largely bases its functionality on data received from outside (like webpages, scripts, downloaded software) instead of a router that mainly just forwards packets. Therefore it is important not to break that situation e.g. by changing the firewall so remote access to the admin interface becomes available.

I agree it is a big omission that there is no feature-stable version ('long-term') that only gets updates for security, but on the other hand such availability and presence of updates could hint attackers that something was wrong and trigger attacks, just like what happens when Windows updates are released.

@tom3f
I wrote "without any reason" for a reason...

Offtopic

In their case it turned into a sickness since Win 10, because it installs them without any interaction with the user by default.

The old joke

Windows XP: My Computer
Windows 7: Computer
Windows 10: This PC
Windows XX: Our PC

is not a joke anymore... PC lives its own life and doesn't belong to you.

@tom3f
It's a bit odd to claim up-to-date SW should be used but as a source you refer to the wiki, which is as good as dead and was replaced (mostly) by the Help pages already years ago.

Just an observation :grinning_face:

2 Likes