Hi Karl,

According to all official statements (and acknowledged by the reporting researcher), the latest builds on all release channels now address all (3) documented vulnerabilities. An earlier release (around April 2) did not include a patch for CVE-2018-19298, which is probably the one referred to in forum posts. Further along that thread, Isalski confirms corrected behaviour.

Hope it helps ease concerns! :-}

Cheers, Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Karl Auer
Sent: Wednesday, 10 April 2019 11:22 AM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] UKNOF 43 CVE
On Fri, 2019-04-05 at 10:11 +1100, Mike Everest wrote:
Apologies to any who consider it noise :-} MikroTik have released patches addressing IPv6 memory depletion bug in bugfix/long-term and stable release channels.
The abovementioned fix appears to address only CVE-2018-19298.
So has anyone checked to see whether the patched ROS is now not vulnerable to CVE-2018-19299? Isalski says it is, but doesn't mention actual ROS versions.
Regards, K.
--
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160

GPG fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556
Old fingerprint: 8454 EE43 6215 B6DD 1B4D 9D8D 984D 7BA1 7378 A38D