classic.ISPforum.cz

What's new in 6.3 (2013-Sep-03 12:25):

*) ssh - fixed denial of service;
*) traceroute - show mpls labels as well;
*) bug fix - sometimes some new interfaces could not be created properly any more (f.e. some pppoe clients could not connect);
*) console - added '/console clear-history' command that clears command-line
history for all users, requires 'policy' policy;
*) sstp - limit packet queue for each device;
*) RB2011L - fixed occasional gigabit switch-chip lockup;
*) user manager - will warn on 1MB and stop before reaching minimum of 500KB disk space;
*) hotspot - do not account traffic to local hotspot pages;
*) ppp, hotspot - added ability to specify where to insert rate limiting queue,
it's parent and type;
*) pptp, l2tp, sstp - allow to specify server via dns name;
*) dhcp - added ability to specify where to insert rate limiting queue;
*) www proxy - support ipv6 parent proxy;
*) webfig - fixed problem when opening quickset page country
was automaticly changed to etsi;
*) traceroute - added mtr like pinging;
*) fix queues - correct queue was not installed when last child removed;
*) fix simple queues - sometimes some simple queues would stop
working after configuration changes;
*) console - fixed issue with local variables having non-empty value
before first assignment;
*) console - fixed command ":global name" without second argument to not
create or change global variable "name", only effect is to make "name"
refer to global variable.
*) console - fixed passing local variables as argument to function;
*) RB1200 - fixed crash when receiving over l2mtu size packets
on some ethernet interfaces;

takto verzia opravuje exploit publikovany v pondelok - http://kingcope.wordpress.com/2013/09/0 ... orruption/

piti píše:takto verzia opravuje exploit publikovany v pondelok - http://kingcope.wordpress.com/2013/09/0 ... orruption/

Docela čumím že tohle opravili tak rychle

We have researched the exploitation claim in first post of the topic.

We can find no basis for this claim "Exploitation of this vulnerability will allow full access to the router device." Following these instructions will NOT allow access/control of the router and will NOT allow further efforts to enable access/control of the router.

By following the instruction for the first "sshd heap corruption”, the sshd service of the router will exit and will not restart. This is a denial of service as only a reboot of the router will make the ssh remote management service available again.

The second method that causes a crash of the sshd program also provides a denial of service as the sshd does not restart and the router requires a reboot to have sshd available. It does not allow or make it possible for further efforts to gain access/control of the router.

To protect yourself from the denial of sshd service (so that you can always use ssh):

1) For those users that do not wish to upgrade:
------------------------------------------------------
For home users that use the default firewall configuration (comes preset), there is no reason to upgrade as the default firewall does not allow access to management interfaces from the interface connected to the internet.

For network administrators that do allow ssh access to the router, it is advised to add firewall rules to restrict access to trusted ports or disable ssh management.

2) For users that would like to upgrade:
--------------------------------------------
With our planned release of RouterOS v6.3 today, this issue will be addressed. v5.26 will also be released later.

As always, the security of RouterOS is our main concern, and we continue to research bug reports.

Nevíte jestli už funguje zadávání parent proxy, které v 6.2 zmršili a stale to vyhazovalo chybu?

Takze danym exploitom trpia vsetky verzie ROS vratane 5.25 okrem v6.3, kde to je vyriesene?

spravne

RB2011L:
S verzí 6.2 jsem měl v záložce Switch dvě položky kde jedna byla Unknown a druhá Atheros 8227
S verzí 6.3 tam jsou ty položky označený jako Atheros8327 a Atheros8227

Tak uvidíme co to udělá v provozu.

tak mě konečně s touto verzí začal fungovat script, který přestal fungovat od verze 6.0. tak konečně tleskám

Ma nekdo nasazeny na x86? Budeme dnes menit UPSku, tak jestli mame jit do upgrade. Ted jedeme na 5.21

asi podle toho co na te masine delas?

QT, DHCP, mangle, fw, VLANy, IPsec, l2tp, sstp, pptp,

to bych zatim neriskoval...
dej tam v5.25 ta je stable...

tak ta jebnu 5.25ku ...

jj radsi dej 5.25. Kdyz jsem nahodil v. 6. na shaping tak mi volali lidi co maj 8M ale jelo jim to max asi 1 nebo 2M přitom QT bylo spravně ale prostě tím víc neproteko.

+ mam pocit ze ty tunely tam byly docela silne zabugovane, nicmene nesleduju moc changelogy - mozna to uz opravili...