EdgeMAX EdgeRouter Security Firmware Update v2.0.8-hotfix.1

Important notes
The ER-X/ER-X-SFP/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space. If this happens, remove the old backup image first (using “delete system image” CLI command, see here for more details) before doing an upgrade.

More details can be found in the release notes below. Please give it a try if you are interested in the new features/changes to help us test them so that we can get the release out sooner! Thanks very much!

Features
n/a
Improvements
n/a
Bugfixes
[PPPoE/L2TP/PPP] - Fix buffer overflow vulnerability in pppd daemon (CVE-2020-8597)
Known issues
[Performance] - Throughput degradation by 5-10% when comparing with v1.10.x firmware with older kernel
[VPN] - L2TP remote access VPN does not work with Android6/7 L2TP clients (but works with Android9 client). L2TP issue on Android6/7 is caused by bad IPSec implementation on Android side, workaround discussed here
[DPI] - Sometimes DPI is reporting wrong rx/tx counters
[Offloading] - On Cavium-based routers (ER, ER-Pro, ER-Lite, ER-PoE, ER-4, ER-6P, ER-12, ER-Infinity) small percentage of packets are randomly reordered. This issue was fixed in v1.10.0 firmware but it reappeared since v2.0.0 because of new Ethernet driver.
Instructions
EdgeRouter firmware can be installed via CLI, WebGUI or UNMS. Detailed installation instruction is available here.

Download links:

[ER-X, ER-10X, ER-X-SFP and EP-R6]
[ERLite-3 and ERPoe-5]
[ER-8, ERPro-8 and EP-R8]
[ER-4, ER-6P, ER-12 and ER-12P]
[ER-8-XG]

Already updated; no problems found.

What is going on with this firmware? The version number is still 2.08

A patch for the 208 firmware?

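It is a patch release that urgently fixes a security vulnerability; only one package, ppp, was upgraded, and the version number stays the same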

Updated already, thanks.

The US official site has released 1.10.11
Bugfixes

  • [PPPoE/L2TP/PPP] - Fix buffer overflow vulnerability in pppd daemon (CVE-2020-8597)
  • [IPV6] - Allow packets with TTL=0 when "hwnat offloading" is enabled. This fixes DHCPv6 problems on ER-X / ER-X-SFP / EP-R6 models. Discussed here
  • [Offloading] - Fix bug when router randomly crashed after disabling offloading on ER-Lite, ER, ER-Pro, ER-Infinity, ER-4, ER-6P, ER-12. Discussed here
  • [WebGUI] - Regenerate WebGUI certificate if it does not meet new iOS 13 and MacOS 10.15 requirements. Announced here
  • [IPSec] - Backport security fixes to strongswan v5.2.2 (CVE-2015-3991, CVE-2015-4171, CVE-2017-9022, CVE-2017-9023, CVE-2017-11185, CVE-2018-10811)
  • [TechSupport] - Collect SLAB usage in support file
  • [MDNS] - Fix bug when mdns service did not start with vti configured
  • [Tcpdump] - Upgrade tcpdump v4.9.3 to fix RCE vulnerability (CVE-2018-14880)
  • [SFP] - Fix bug when some SFP modules were mistakenly reporting TX error
  • [SSH] - Limit permitted SSH MACs to those permitted by OpenSSH v7.4. Disabling some that are now considered weak and get flagged by vulnerability scanners as such.

NOTE #1: This firmware is the last "Debian Wheezy" based firmware running on top of v3.10.107 kernel. There will be no more updates in v1.10.x firmware branch.

NOTE #2: From now on security fixes and software component updates will be available only in v2.0.x branch!

NOTE #3: This is the same firmware as the one that was published on beta forum last week here

The bold part indicates that 1.10.11 is based on the Debian 3.10.107 kernel. There will be no more updates in the v1.10.x firmware branch.

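I took a look; it is mainly a round of security updates and bug fixes for the 1.x.x versions, and the comments below say it is the last update. I expect everything from now on will be 2.x.x.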

So this is an outright announcement that 1.10.x is no longer maintained…

I had not noticed the sentence “There will be no more updates in v1.10.x firmware branch”. So it simply will not be updated anymore.

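I feel 1.10.X is actually already quite good in terms of performance and security; while 2.0's performance has not reached 1.10 or better, there is no need to update to 2.0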