EdgeMAX EdgeRouter Security Firmware Update v2.0.8-hotfix.1

Important notes
The ER-X/ER-X-SFP/EP-R6 models have more limited storage, and in some cases an upgrade may fail because there is not enough space. If this happens, remove the old backup image first (using the “delete system image” CLI command, see here for more details) before upgrading.

More details can be found in the release notes below. Please give it a try if you are interested in the new features/changes to help us test them so that we can get the release out sooner! Thanks very much!

[PPPoE/L2TP/PPP] - Fix buffer overflow vulnerability in pppd daemon (CVE-2020-8597)
Known issues
[Performance] - Throughput degradation of 5-10% compared with v1.10.x firmware with the older kernel
[VPN] - L2TP remote access VPN does not work with Android 6/7 L2TP clients (but works with the Android 9 client). The L2TP issue on Android 6/7 is caused by a bad IPSec implementation on the Android side; a workaround is discussed here
[DPI] - DPI sometimes reports wrong rx/tx counters
[Offloading] - On Cavium-based routers (ER, ER-Pro, ER-Lite, ER-PoE, ER-4, ER-6P, ER-12, ER-Infinity) a small percentage of packets are randomly reordered. This issue was fixed in v1.10.0 firmware but has reappeared since v2.0.0 because of the new Ethernet driver.

EdgeRouter firmware can be installed via CLI, WebGUI or UNMS. Detailed installation instructions are available here.


[ER-X, ER-10X, ER-X-SFP and EP-R6]
[ERLite-3 and ERPoe-5]
[ER-8, ERPro-8 and EP-R8]
[ER-4, ER-6P, ER-12 and ER-12P]

ER-e50.v2.0.8-hotfix.1.5278088.tar - md5:af9b83af58fb9bec61a97049b8d81aee - sha256:b877aa2404ec768c2000d15c2aea53205be5f64046f671ba37d67860cd582846
ER-e100.v2.0.8-hotfix.1.5278088.tar - md5:ad4a05e29ea1304607f1776636bbe982 - sha256:23672e75f05c3e0f09d861b909719c66c3a415b3cc31a411ca984828d011a03e
ER-e200.v2.0.8-hotfix.1.5278088.tar - md5:e3685f503cbf0b260d55e9c19dd1a891 - sha256:65efafc644c18f37f32af75a2435297f4a9d178ea1f759e3ac9f5698fd456f6c
ER-e300.v2.0.8-hotfix.1.5278088.tar - md5:d4b30e3821621f16f6e960d753eaf073 - sha256:cc6c28fa9cc221bfa7073523452aa95bba0fe0cd2bf935dd44749a0e28622534
ER-e1000.v2.0.8-hotfix.1.5278088.tar - md5:795f53de8c502619616ee0bc19de594c - sha256:c00eb0aa186366313a592d0fc8f91331e0a43f9f9a89b44743e631ce9ce6153e
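
To check a downloaded image against the SHA-256 values listed above before installing it, a script along these lines can be used. It is an added example, not Ubiquiti's tooling: the function names are hypothetical, and it trusts only the SHA-256 column, not MD5.

```python
import hashlib
import hmac
import re
import sys
from pathlib import Path

# Line format used in the list above: "<file> - md5:<hex> - sha256:<hex>"
MANIFEST_RE = re.compile(
    r"^(?P<name>\S+)\s+-\s+md5:(?P<md5>[0-9a-f]{32})"
    r"\s+-\s+sha256:(?P<sha256>[0-9a-f]{64})$"
)

# Two entries copied from this page; paste the line for your model if it differs.
PUBLISHED = """\
ER-e50.v2.0.8-hotfix.1.5278088.tar - md5:af9b83af58fb9bec61a97049b8d81aee - sha256:b877aa2404ec768c2000d15c2aea53205be5f64046f671ba37d67860cd582846
ER-e100.v2.0.8-hotfix.1.5278088.tar - md5:ad4a05e29ea1304607f1776636bbe982 - sha256:23672e75f05c3e0f09d861b909719c66c3a415b3cc31a411ca984828d011a03e
"""

def parse_manifest(text):
    """Return {filename: sha256 hex}. Malformed lines raise instead of being skipped."""
    entries = {}
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        m = MANIFEST_RE.match(line)
        if m is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[m["name"]] = m["sha256"]  # MD5 is format-checked but not trusted
    return entries

def sha256_file(path, chunk=1 << 20):
    """Hash in 1 MiB chunks so large images are never loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(path, manifest):
    """True only if the file name is listed and its SHA-256 matches the listed value."""
    name = Path(path).name
    if name not in manifest:
        raise KeyError(f"{name} is not in the published list")
    return hmac.compare_digest(sha256_file(path), manifest[name])

if __name__ == "__main__":
    ok = verify_image(sys.argv[1], parse_manifest(PUBLISHED))
    print("OK" if ok else "MISMATCH: do not install this image")
    sys.exit(0 if ok else 1)
```

Run it with the path of the downloaded .tar as the only argument; a non-zero exit status means the file must not be uploaded to the router.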







  • [PPPoE/L2TP/PPP] - Fix buffer overflow vulnerability in pppd daemon (CVE-2020-8597)
  • [IPV6] - Allow packets with TTL=0 when "hwnat offloading" is enabled. This fixes DHCPv6 problems on ER-X / ER-X-SFP / EP-R6 models. Discussed here
  • [Offloading] - Fix bug where the router randomly crashed after disabling offloading on ER-Lite, ER, ER-Pro, ER-Infinity, ER-4, ER-6P, ER-12. Discussed here
  • [WebGUI] - Regenerate WebGUI certificate if it does not meet new iOS 13 and MacOS 10.15 requirements. Announced here
  • [IPSec] - Backport security fixes to strongswan v5.2.2 (CVE-2015-3991, CVE-2015-4171, CVE-2017-9022, CVE-2017-9023, CVE-2017-11185, CVE-2018-10811)
  • [TechSupport] - Collect SLAB usage in support file
  • [MDNS] - Fix bug where mdns service did not start with vti configured
  • [Tcpdump] - Upgrade tcpdump to v4.9.3 to fix RCE vulnerability (CVE-2018-14880)
  • [SFP] - Fix bug where some SFP modules were mistakenly reporting TX error
  • [SSH] - Limit permitted SSH MACs to those permitted by OpenSSH v7.4, disabling some that are now considered weak and are flagged as such by vulnerability scanners.

NOTE #1: This firmware is the last "Debian Wheezy" based firmware running on top of v3.10.107 kernel. There will be no more updates in v1.10.x firmware branch.

NOTE #2: From now on security fixes and software component updates will be available only in v2.0.x branch!

NOTE #3: This is the same firmware as the one that was published on beta forum last week here

The bolded part indicates that 1.10.11 is based on the Debian 3.10.107 kernel. There will be no more updates in the v1.10.x firmware branch.



I hadn't noticed the sentence “There will be no more updates in v1.10.x firmware branch”. So it simply won't be updated any more.