EdgeRouter v3.0.1 includes the below bugfixes and improvements.

Bugfixes

• Fixed an issue that occurred when adding multiple subnets to IPSec peers.
• Fixed handling of optional fields in VPN – WireGuard.
• Fixed incorrect network validation in VPN – WireGuard.
• Fixed focus behavior so the username field is now selected automatically after the login screen loads.

Known issues

• [Upgrade] - In previous firmware versions, an incorrect error message may appear in Chrome, indicating that the firmware upgrade failed after the upload completed. To finalize the upgrade, simply close the error modal and restart the router using the button in the header.
• [DPI] - Sometimes, DPI is reporting wrong rx/tx counters.
• [Offloading] - L2TP IPSec traffic is not being offloaded on Mediatek-based routers (ER-X, ER-X-SFP, EP-R6).
• [Offloading] - VLAN traffic is not being offloaded on ER-12.

Additional information

• EdgeRouter firmware can be installed via the CLI, web interface or UISP. Detailed installation instructions are available here.
• The ER-X/ER-X-SFP/ER-10X/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space.
• If this happens, remove the old backup image first (using delete system image CLI command, see here for more details).

EdgeRouter 3.0.0 includes a new redesigned web interface and adds support for WireGuard VPN.

Updated Web Interface

The interface has been updated and adds a new section for configuring WireGuard.

WireGuard VPN

Allows you to connect the EdgeRouter to another WireGuard peer to set up different VPN types.

• Site-to-Site VPN - Connect to a WireGuard peer and dynamically or statically route traffic between the sites.
• VPN Server- Allows remote WireGuard clients to connect to the EdgeRouter and access the LAN.
• VPN Client - Connect to a VPN provider and route traffic over the WireGuard VPN with Policy-Based Routing.

Improvements

• Redesigned and updated the web interface.
• Added dark mode support option for the web interface.
• Added support for WireGuard VPN. Configuration is possible using both the web interface and CLI.
• DHCPv6 now ignores advertise messages with none of the requested data and missed status codes.
• Added support for remote access to the local web interface via UISP.
• Added new left menu which replaced tab based navigation.
• Added new version of ports widget on the main header.
• Added system option to theme system settings.
• Added the CPU and HW status to the top bar, increased the size of two-row ports, and added temperature alert.
• Improved security & stability.
• Added factory default firewall configuration, dropping all incoming traffic from eth1
• Added filename validation for restoring configuration uploads.
• Added logging of the WebSocket client IP address to allow brute-force attack detection.
• Implemented new validation checks for passwords.
• Disabled SSH in factory default config.

Bugfixes

• Fixed issue with DHCP renewal when using a /32 netmask.
• Fixed restoring of configuration backup.
• Fixed link to UISP application running on UISP Console.
• Fixed issue with upgrade in Chrome.

Known issues

• [Upgrade] - In previous firmware versions, an incorrect error message may appear in Chrome, indicating that the firmware upgrade failed after the upload completed. To finalize the upgrade, simply close the error modal and restart the router using the button in the header.
• [DPI] - Sometimes, DPI is reporting wrong rx/tx counters.
• [Offloading] - L2TP IPSec traffic is not being offloaded on Mediatek-based routers (ER-X, ER-X-SFP, EP-R6).
• [Offloading] - VLAN traffic is not being offloaded on ER-12.

Additional information

• EdgeRouter firmware can be installed via the CLI, web interface or UISP. Detailed installation instructions are available here.
• The ER-X/ER-X-SFP/ER-10X/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space.
• If this happens, remove the old backup image first (using delete system image CLI command, see here for more details).

EdgeRouter v2.0.9-hotfix.7 includes the below bugfixes and improvements.

Improvements

• Require password change on first login.
• Updated UISP Application connector.

Bugfixes

• Updated OpenSSL to fix recently reported CVEs.
• Updated MiniUPnPd to fix a heap overflow vulnerability. (see here for more information)

Known issues

• [DPI] - Sometimes DPI is reporting wrong rx/tx counters.
• [Offloading] - L2TP IPSec traffic is not being offloaded on Mediatek-based routers (ER-X, ER-X-SFP, EP-R6).
• [Offloading] - VLAN traffic is not being offloaded on ER-12.

Additional information

• EdgeRouter firmware can be installed via the CLI, web interface or UISP. Detailed installation instructions are available here.
• The ER-X/ER-X-SFP/ER-10X/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space.
• If this happens, remove the old backup image first (using delete system image CLI command, see here for more details).

The ER-X/ER-X-SFP/ER-10X/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space. If this happens, remove the old backup image first (using delete system image CLI command, see here for more details) before doing an upgrade.

Bugfixes

• Fix disclosed security issue. (see here for more information)

Additional information

EdgeRouter firmware can be installed via CLI, WebGUI or UNMS. Detailed installation instruction is available here.

Published: January 23, 2023

Version: 1.0

Revision: 1.0

Summary

A vulnerability, found in EdgeRouters and UniFi Security Gateways (USG)* with their DHCPv6 prefix delegation set to dhcpv6-stateless or dhcpv6-stateful, allows a malicious actor directly connected to the WAN interface of an affected device to create a remote code execution vulnerability.

*Affected Products:

All EdgeRouters running Version 2.0.9-hotfix.5 and earlier.

All USGs running Version 4.4.56 and earlier.

Mitigation:

Update your EdgeRouter(s) to Version 2.0.9-hotfix.6 or later.

Update your USG(s) to Version 4.4.57 or later.

Impact:

CVSS v3.0 Severity and Metrics:

Base Score: 7.5 High

Vector: 

CVSS: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE: CVE-2023-23912 (ZDI-CAN-19687 - NCC Group EDG (@alexjplaskett @saidelike @FidgetingBits @_mccaulay) working with Trend Micro Zero Day Initiative)

Reference Links:

https://community.ui.com/releases/UniFi-Security-Gateway-4-4-57/72409267-0f18-400f-8f44-7242a553e449

https://community.ui.com/releases/EdgeMAX-EdgeRouter-Firmware-v2-0-9-hotfix-6/63aa2542-db99-4f2d-8be2-0717dd2452de

Published: November 23, 2022

Version: 1.0

Revision: 1.0

Summary

A remote code execution vulnerability in EdgeRouters (Version 2.0.9-hotfix.4 and earlier) allows a malicious actor with an operator account to run arbitrary administrator commands.

This vulnerability is fixed in Version 2.0.9-hotfix.5 and later.

Affected Products:

EdgeRouters

Mitigation:

Update your EdgeRouter to Version 2.0.9-hotfix.5 or later.

Impact:

CVSS v3.0 Severity and Metrics:

Base Score: 8.8 High

Vector: 

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE: CVE-2022-43553

Reference Links:

https://community.ui.com/releases/EdgeMAX-EdgeRouter-Firmware-v2-0-9-hotfix-5/b3882362-9d9a-4efd-8110-30a1e86e0154

The ER-X/ER-X-SFP/ER-10X/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space. If this happens, remove the old backup image first (using delete system image CLI command, see here for more details) before doing an upgrade.

Bugfixes

• Fixed typos in WebUI
• Security: Disclosed security fixes. (see here for more information)

Known issues

• [DPI] - Sometimes DPI is reporting wrong rx/tx counters
• [Offloading] - L2TP IPSec traffic is not being offloaded on Mediatek-based routers (ER-X, ER-X-SFP, EP-R6)
• [Offloading] - VLAN traffic is not being offloaded on ER-12

Additional information

EdgeRouter firmware can be installed via CLI, WebGUI or UNMS. Detailed installation instruction is available here.

The ER-X/ER-X-SFP/ER-10X/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space. If this happens, remove the old backup image first (using delete system image CLI command, see here for more details) before doing an upgrade.

Improvements

Fixed CVE-2020-15078 in OpenVPN
Fixed CVE-2022-0778 in openssl
Fixed CVE-2018-25032 in zlib
Fixed CVE-2020-27827 in lldpd
Fixed CVE-2020-13848 and CVE-2021-28302 in libupnp
Fixed command injection in WebUI
UISP integration updated

Known issues

• [DPI] - Sometimes DPI is reporting wrong rx/tx counters
• [Offloading] - L2TP IPSec traffic is not being offloaded on Mediatek-based routers (ER-X, ER-X-SFP, EP-R6)
• [Offloading] - VLAN traffic is not being offloaded on ER-12

Additional information

EdgeRouter firmware can be installed via CLI, WebGUI or UNMS. Detailed installation instruction is available here.

The ER-X/ER-X-SFP/ER-10X/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space. If this happens, remove the old backup image first (using delete system image CLI command, see here for more details) before doing an upgrade.a

More details can be found in the release notes below. Please give it a try if you are interested in the new features/changes to help us test them so that we can get the release out sooner! Thanks very much!

Improvements

n/a

Bugfixes

• [Syslog] - Adjust syslog config to ensure that is uses less RAM when doing heavy logging
• [DHCPv6] - Apply workaround to make DHCPv6 service not to fail if IPv6 WAN address is being delayed
• [Security] - Fix CVE-2021-3156 vulnerability in sudo
• [Security] - Fix CVE-2019-12110 DDoS vulnerability in miniupnpd
• [Security] - Fix CVE-2021-3448 vulnerability in dnsmasq
• [dnsmasq] - Fix wrong version of dnsmasq being displayed via dnsmasq -v

Upgraded following Debian packages:

  sudo (1.8.19p1-2.1+deb9u2 => 1.8.19p1-2.1+deb9u3)
  dnsmasq (2.83-1 => 2.85-1)
  grep (2.27-2 => 3.3-1~bpo9+1)
  init (1.48 => 1.56~bpo9+1)
  init-system-helpers (1.48 => 1.56~bpo9+1)
  libassuan0 (2.4.3-2 => 2.5.2-1~bpo9+1)
  libfastjson4 (0.99.4-1 => 0.99.8-1~bpo9+1)
  libidn2-0 (0.16-1+deb9u1 => 2.0.5-1~bpo9+1)
  libip4tc0 (1.6.0+snapshot20161117-6 => 1.6.2-1.1~bpo9+1)
  libldap-2.4-2 (2.4.44+dfsg-5+deb9u4 => 2.4.47+dfsg-3+deb10u2~bpo9+1)
  libldap-common (2.4.44+dfsg-5+deb9u4 => 2.4.47+dfsg-3+deb10u2~bpo9+1)
  liblognorm5 (2.0.1-1.1+b1 => 2.0.3-1~bpo9+1)
  libnl-3-200 (3.2.27-2 => 3.4.0-1~bpo9+1)
  libnl-cli-3-200 (3.2.27-2 => 3.4.0-1~bpo9+1)
  libnl-genl-3-200 (3.2.27-2 => 3.4.0-1~bpo9+1)
  libnl-nf-3-200 (3.2.27-2 => 3.4.0-1~bpo9+1)
  libnl-route-3-200 (3.2.27-2 => 3.4.0-1~bpo9+1)
  libpam-systemd (232-25+deb9u12 => 241-5~bpo9+1)
  libsqlite3-0 (3.16.2-5+deb9u1 => 3.27.2-3~bpo9+1)
  mtr-tiny (0.87-1 => 0.92-2~bpo9+1)
  openvpn (2.4.0-6+deb9u3 => 2.4.7-1~bpo9+1)
  rsyslog (8.24.0-1 => 8.1901.0-1~bpo9+1)

Known issues

• [DPI] - Sometimes DPI is reporting wrong rx/tx counters
• [Offloading] - L2TP IPSec traffic is not being offloaded on Mediatek-based routers (ER-X, ER-X-SFP, EP-R6)
• [Offloading] - VLAN traffic is not being offloaded on ER-12

Additional information

EdgeRouter firmware can be installed via CLI, WebGUI or UNMS. Detailed installation instruction is available here.

Checksums:
 ER-e50.v2.0.9-hotfix.2.5402463.tar   - md5:b3d9584d41fe2acd66353962938aa5bd - sha256:728610ebd60f5eea4781709fc98ada8d5469fe3e49480e1e05350258aef599dc
 ER-e100.v2.0.9-hotfix.2.5402463.tar  - md5:b588aabac521697eb88ea5059e04809f - sha256:094f1c7b286f2c9ba5bd38b901a68d20e7baf8d7cbf2141fce07ce0925d0b53d
 ER-e300.v2.0.9-hotfix.2.5402463.tar  - md5:0b7d85809654e550c64d41befee61b11 - sha256:b680829d1bbcfb1164ab6cb95db9b71bda90b035a72964f4417a3153c79a3771
 ER-e200.v2.0.9-hotfix.2.5402463.tar  - md5:e7775c855a8647daeae8d9c85b054cbc - sha256:9ed8015a8a89e8ffe60b7fe6a44dc5503b25a437647ae9abad49fd88a185e1ac
 ER-e1000.v2.0.9-hotfix.2.5402463.tar - md5:37233acf515e7171935820f57f35062c - sha256:4b223450743114ad8c21bea1cb9ab6410e44e8f35f7267ec0fd9dcb9b5b153e7

First Published: May 18, 2021

Version: 1.0

Revision: 1.0

Summary

A vulnerability found in EdgeMAX EdgeRouter V2.0.9 and earlier could allow a malicious actor to execute a man-in-the-middle (MitM) attack during a firmware update. This vulnerability is fixed in EdgeMAX EdgeRouter V2.0.9-hotfix.1 and later.

Affected Products:

All EdgeMAX EdgeRouters

Mitigation:

Update the EdgeMax EdgeRouter to V2.0.9-hotfix.1 or later.

Impact:

CVSS v3.0 Severity and Metrics:

Base Score: 7.5 High

Vector: 

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE: CVE-2021-22909

Reference Links:

https://community.ui.com/releases/EdgeMAX-EdgeRouter-Firmware-v2-0-9-hotfix-1-security-update-2-0-9-hotfix-1/fff093d6-8a3b-4f3b-a68e-f8ac5d8dc9ef

The ER-X/ER-X-SFP/ER-10X/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space. If this happens, remove the old backup image first (using delete system image CLI command, see here for more details) before doing an upgrade.

More details can be found in the release notes below. Please give it a try if you are interested in the new features/changes to help us test them so that we can get the release out sooner! Thanks very much!

Improvements

n/a

Bugfixes

• [Security/DNS] - Fix dnspooq vulnerabilities in dnsmasq
• [Security/Upgrade] - Remove -k (aka --insecure) flag when downloading firmware update via CLI with curl
• [SNMP] - Backport multiple snmpd memory leak fixes from upstream (1st, 2nd and 3rd)
• [UNMS] - Fix memory leak in udapi-bridge process when UNMS is enabled

Upgraded following Debian packages:

      dnsmasq (2.79 => 2.83)

Known issues

• [DPI] - Sometimes DPI is reporting wrong rx/tx counters
• [Offloading] - L2TP IPSec traffic is not being offloaded on Mediatek-based routers (ER-X, ER-X-SFP, EP-R6)
• [Offloading] - VLAN traffic is not being offloaded on ER-12

• [dnsmasq] - latest dnsmasq v2.83 has regression that causes DNS request to be resent during heavy load (details here). We will fix this issue in upcoming v2.0.9-hotfix.2 firmware update:

The symptoms are random log messages reporting "failure to send packet" and the DNS query associated with this is lost.

Retries of the query do not fail, so the operational effect of this is minimal.

To trigger the bug, dnsmasq:

1) has to be under fairly heavy load,

2) and be configured for a mixture or IPv4 and IPv6 upstream DNS servers

3) or, possibly, be using --bind-interfaces.

• [dnsmasq] - shell command dnsmasq --version is reporting old v2.79 version instead of v2.83. This is a pure cosmetic issue, please ignore it - dnsmasq was indeed upgraded to v2.83. This issue will be fixed in v2.0.9-hotfix.2 firmware
• [sudo] - Known CVE-2021-3156 sudo vulnerability is present in v2.0.9-hotfix.1 but it can not be exploited because non-privileged users do not have shell account. Nevertheless we will patch sudo in upcoming v2.0.9-hotfix.2 firmware

Additional information

EdgeRouter firmware can be installed via CLI, WebGUI or UNMS. Detailed installation instruction is available here.

Checksums:

ER-e50.v2.0.9-hotfix.1.5371034.tar    md5:532ae3a57a52510422c153fa94d4c223  sha256:0573071f39afa85ac5ba6a0ae2aaf382a0d5674a632a16c787b2ac7d342d7bf6
ER-e100.v2.0.9-hotfix.1.5371034.tar   md5:1ee86f529f1c198dabb40813cb0ad080  sha256:40c2c652c991a713a04ee2a8622a746143f981f067b394abc21f945e7be62c00
ER-e200.v2.0.9-hotfix.1.5371034.tar   md5:57e99bf850ae7465b9a70f92de414673  sha256:97ea94dd4fedf2d2f0cda071fe87b3ea2593049c43e834d941edb0c41a9a34ab
ER-e300.v2.0.9-hotfix.1.5371035.tar   md5:9544dc857b41be812bb1fa38c707a695  sha256:11018fa69141ce9e03078adfa2c2d3fd005cc4a27a1c4b023b096fc3f1d7f6d6
ER-e1000.v2.0.9-hotfix.1.5371034.tar  md5:23e8f11a8d0ea14b4fdc4ef31b4e7036  sha256:db5adfc565ee55992ffc98dda898b51e557799866e455b4fffe1b3d0fe259835

The ER-X/ER-X-SFP/ER-10X/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space. If this happens, remove the old backup image first (using delete system image CLI command, see here for more details) before doing an upgrade.

More details can be found in the release notes below. Please give it a try if you are interested in the new features/changes to help us test them so that we can get the release out sooner! Thanks very much!

Improvements

• Add anonymous crash reporting and analytics reporting which are disabled by default.

If you wish to toggle these features then you need to run following commands in CLI:

configure
set system analytics-handler send-analytics-report true/false
set system crash-handler send-crash-report true/false
commit
save

NOTE: We would appreciate if you choose to enable crash-reporting & analytics as (a) All data is 100% anonymized and does not contain sensitive information (i.e. no IPs, no MACs and no keys/passwords) (b) This anonymized data help us make EdgeOS better 💪 because it is very valuable source of information as to what routing functionality is misbehaving and how ERs are being used in real-life environment (e.g. CPU load, throughout, number of interface, number of routes, etc...)

• Add firmware upgrade button in WebGUI. This button will show indication when new stable firmware is available. Upgrade process will be initiated upon pressing this button.

• Add popup window to WebGUI where admin is being asked to allow or deny analytics&crash-reporting. Description and data samples available here -> https://help.ui.com/hc/en-us/articles/360051176734

• Add "Factory Reset" button to WebGUI:

• Add new CLI command add system image to automatically download and install latest stable firmware:

ubnt@erx:~$ add system image
Fetching version number of latest firmware... ok
 > version : v2.0.8
 > url     : https://fw-download.ubnt.com/data/e50/df20-edgerouter-2.0.8-d52c6e913e2246de9f5f79a15291fba2.tar
 > md5     : 2b6b7a8ceb87371d81a6549d1cab61fe
 > state   : up-to-date

Current firmware is already up-to-date (!!!)

Version [v2.0.8.5247496.191120.1124-1] is about to be replaced
Are you sure you want to replace old version? (Yes/No) [Yes]: 

• Decrease size of firmware image by removing dependency on libxml and excluding it -> size of firmware image shrank by ~10Mb.

NOTE: if you install some 3rd party software that depends on libxml then you need to install libxml yourself

• Reduce RAM usage by disabling systemd journaling (discussed here) and add new config entries to control systemd-journaling if necessary:

set system systemd journal ...

• Add new L2TP VPN remote access client interface that establishes VPN connection to external L2TP remote access VPN server. For instance following example creates l2tpc0 Point-to-Point interface towards to L2TP server 192.168.11.1:

Create l2tpc0 interface:

set interfaces l2tp-client l2tpc0 authentication user-id ubnt
set interfaces l2tp-client l2tpc0 authentication password ubnt
set interfaces l2tp-client l2tpc0 mtu 1400                   
set interfaces l2tp-client l2tpc0 server-ip 192.168.11.1
set interfaces l2tp-client l2tpc0 require-ipsec

Bind l2tpc0 interface to IPSec tunnel:

set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 mode transport
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 proposal 1 hash sha1        
set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128      
set vpn ipsec ike-group FOO0 proposal 1 hash sha1         
set vpn ipsec site-to-site peer 192.168.11.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.168.11.1 authentication pre-shared-secret ubnt
set vpn ipsec site-to-site peer 192.168.11.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.168.11.1 local-address default
set vpn ipsec site-to-site peer 192.168.11.1 tunnel 1 esp-group FOO0    
set vpn ipsec site-to-site peer 192.168.11.1 tunnel 1 local port l2tp
set vpn ipsec site-to-site peer 192.168.11.1 tunnel 1 protocol udp   
set vpn ipsec site-to-site peer 192.168.11.1 tunnel 1 remote port l2tp

• Enable connmark plugin in strongswan to allow connection from multiple L2TP-VPN clients from same NAT (discussed here). By default connmark is disabled and needs to be enabled from CLI with following command:

set vpn l2tp remote-access allow-multiple-clients-from-same-nat enable

NOTE:connmark is disabled by default because we discovered two issues when it's enabled:

1. connmark does not work properly if NAT is not configured
2. connmark does not work properly if TrafficShaping is configured in UNMS

• [UNMS] - Add support for "unlimited queues" and "dynamic wan interface" in UNMS QoS
• [DPI] - Upgrade DPI signature database to version 1.564
• [Performance] Improved forwarding performance on all ER models when offloading is disabled ---> +30% in simple NAT scenario, +10% in QoS/NetFlow scenario when comparing with v2.0.8.
• [Performance] Improved IPsec performance on ER-X/ER-X-SFP/ER-10X/EP-R6 when offloading is enabled ---> +10% when comparing with v2.0.8. Discussed here
• [PPPoE] - Increase PPPoE client IP pool size from 256 to 1024
• [CLI] - Update CLI welcome message to make it consistent with other Edge*** products
• [Security] - Now current config, private user files and backup firmware image will be permanently deleted when doing factory reset via CLI/WebGUI/UNMS. Previously backup firmware image used to survive factory-reset

Bugfixes

• [WebGUI] - Fix bug when WebGUI showed wrong RX/TX counters on eth0~eth7 when ipv4 offloading is enabled
• [WebGUI] - Fix regression from v2.0.0 when bandwidth measurement tool in WebGUI did not work at all. Discussed here
• [WebGUI] - Fix bug in WebGUI when UNMS status is stuck in "connecting" state forever. Discussed here
• [WebGUI] - Fix bug in WebGUI when some tools did not show any output (ping, trace, log, capture, bandwidth). Discussed here and here
• [WebGUI] - Fix bug when WebGUI randomly crashed because lighttpd was stuck with 100% CPU load. lighttpd was upgraded to v1.4.55. Discussed here
• [WebGUI] - Fix bug in WebGUI when firewall stats were empty during first 30 seconds. Discussed here
• [UNMS] - Fix bug when QoS could not disabled from UNMS
• [UNMS] - Strip 3rd party DEB packages from backup file when making ER backup from UNMS. We did this to reduce size of backup files because UNMS makes them very frequently.
• [UNMS] - Fix wrong LED color indication when UNMS is not configured
• [UNMS] - Fix bug when UNMS sometimes failed to perform initial connection with ER
• [UNMS] - Fix bug when UNMS QoS crashed when binding to missing PPPoE interfaces
• [UNMS] - Fix memory leak in udapi-bridge process when ER is connected to UNMS. Discussed here
• [UNMS] - Fix rare config mis-synchronization between ER and UNMS causing random errors when configuring via UNMS
• [SFP] - Fix bug when SFP port failed to process packets after reboot. Discussed here
• [SFP] - Fix bug when some SFP modules were mistakenly reporting tx error
• [SFP] - Fix bug when SFP interface stops working when Ethernet interface loses link on ER-12
• [SFP] - Fix bug when stats in WebGUI stall if SFP module is misbehaving and responding with garbage instead of valid sfp data. Discussed here
• [Offloading] - Fix random lock-ups when hwnat offloading is enabled on ER-X/ER-X-SFP. Discussed here and here
• [Packages] - Restore builtin etherwake package that was removed since v2.0.0 firmware
• [PPPoE/L2TP/PPP] - Fix buffer overflow vulnerability in pppd daemon (CVE-2020-8597)
• [OSPF] - Fix bug when OSPF neighbors disappear after interface flap if OSPF network has /32 mask. Discussed here
• [CLI] - Fix bug when add system image CLI command did not show "yes/no" prompt if there's no backup firmware image. Discussed here
• [CLI] - Fix bug when shell command switch pvid dump crashes on ER-X. Discussed here
• [BGP] - Fix bug when blocked BGP prefix leaked to neighbors when committing large BGP config. Discussed here and here
• [SNMP] - Fix "unknown notification OID" and "Unknown token: monitor" errors in syslog when configuring SNMP. Discussed here
• [SNMP] - Fix bug when SNMP flooded "error on subcontainer ia_addr insert" errors in syslog. Discussed here
• [SNMP] - Fix SNMP flooding "cannot get stats strings information for interface" error to syslog on ER-X. Discussed here
• [LoadBalancing] - Fix bug when Load Balancing randomly failed if WAN interface acquired new DHCP address. Discussed here
• [PPPoE] - Fix RCE vulnerability in pppoe-server when using custom radius-disconnect script. Introduced here and discussed here
• [PPPoE] - Fixed confusing "PADT: Generic-Error: xxxx" syslog message when PPPoE client disconnected. Discussed here
• [DDNS] - Fix potential DDNS config disclosure vulnerability if multiple Dynamic DNS providers are configured
• [PPTP] - Don't load nf_nat_pptp module during boot unless it it is really used
• [IGMP] - Upgraded igmp-proxy to fix multiple IPTV freeze/disconnect issues
• [System] - Add ethtool support for ER-X/ER-X-SFP/ER-10X models
• [VPN] - Fix bug when L2TP-VPN daemon randomly crashed when WAN interface updated DHCP lease. Discussed here and here
• [IPv6] - Fix bug when radvd failed when loading configuration with many VLANS (10+). Discussed here
• [IPv6] - Fix bug when PD wont start if prefix6 range is outside of declared subnet. Backported FreeBSD patch from here
• [IPv6] - Add static mapping feature for IPv6 PD so that service dhcp-statefull could have statically mapped hosts. Discussed here and here
• [OSPFv3] - Fix regression from v2.0.7 when OSPFv3 stopped adding received routes to RIB. Discussed here
• [OSPFv3] - Fix bug that caused failure when redistributing OSPFv3 routes via BGP. Discussed here
• [QoS] - Fix bug when burst-size was causing bad performance when configured in UNMS
• [Interfaces] - Add missing firewall config for switch0.pppoe and switch0.vif.pppoe interfaces. Discussed here and here
• [Interfaces] - Fix bug when VLAN interface with MTU <1280 triggers "Commit Failed" error
• [Interfaces] - Fix bug when packets with wrong MAC leaked to WAN if offloading is enabled on ER-X. Discussed here
• [Interfaces] - Fix bug when wrong TX/RX counters were reported on switched port on ER-12/ER-12P
• [Interfaces] - Allow deleting non existing address from config if it disappeared from kernel. Discussed here
• [Routing] - Fix bug when all routing daemons (bgp, ospf, rip, ripng...) randomly & permanently die. This issue was randomly observed while creating/deleting 100+ PPPoE interfaces.
• [Routing] Added Ethernet driver patch from Cavium that fixes packet reordering with 4.x kernel. This should improve performance of network services that are sensitive to UDP packet reordering (e.g. VoIP and Video streaming)
• [TechSupport] - Add more LoadBalancing debug info to tech-support file
• [SSH-Recovery] - Fix bug when setting VLAN interfaces in service ssh-recovery listen-on caused config corruption after reboot
• [LED] - Fix bug when LED light was stuck in WHITE color forever. Discussed here
• [DHCP] - Fix bug when same hostname could not be statically-mapped in different subnets for IPv4/IPv6 DHCP servers. Discussed here
• [DHCP] - Fix bug in DHCP server when dhcp-boot option of first subnet was applied to all networks
• [PoE] - Fix bug when PoE on eth9 on ER-10X remained enabled after doing factory reset
• [UPnP] - Backport CVE-2019-12111 that fixes DDoS attack in miniupnpd . Discussed here

• Upgraded following Debian packages:

      apt (1.4.9 => 1.4.10)
      apt-transport-https (1.4.9 => 1.4.10)
      base-files (9.9+deb9u11 => 9.9+deb9u13)
      ca-certificates (20161130+nmu1+deb9u1 => 20200601~deb9u1)
      curl (7.52.1-5+deb9u9 => 7.52.1-5+deb9u10)
      dbus (1.10.28-0+deb9u1 => 1.10.32-0+deb9u1)
      libapt-pkg5.0 (1.4.9 => 1.4.10)
      libcurl3 (7.52.1-5+deb9u9 => 7.52.1-5+deb9u10)
      libcurl3-gnutls (7.52.1-5+deb9u9 => 7.52.1-5+deb9u10)
      libdbus-1-3 (1.10.28-0+deb9u1 => 1.10.32-0+deb9u1)
      libgnutls-openssl27 (3.5.8-5+deb9u4 => 3.5.8-5+deb9u5)
      libgnutls30 (3.5.8-5+deb9u4 => 3.5.8-5+deb9u5)
      libldap-2.4-2 (2.4.44+dfsg-5+deb9u3 => 2.4.44+dfsg-5+deb9u4)
      libldap-common (2.4.44+dfsg-5+deb9u3 => 2.4.44+dfsg-5+deb9u4)
      libperl5.24 (5.24.1-3+deb9u6 => 5.24.1-3+deb9u7)
      libidn11 (1.33-1 => 1.33-1+deb9u1)
      libperl5.24 (5.24.1-3+deb9u5 => 5.24.1-3+deb9u6)
      libsasl2-2 (2.1.27~101-g0780600+dfsg-3 => 2.1.27~101-g0780600+dfsg-3+deb9u1)
      libsasl2-modules-db (2.1.27~101-g0780600+dfsg-3 => 2.1.27~101-g0780600+dfsg-3+deb9u1)
      libssl1.0.2 (1.0.2t-1~deb9u1 => 1.0.2u-1~deb9u1)
      libtimedate-perl (2.3000-2 => 2.3000-2+deb9u1)
      sudo (1.8.19p1-2.1+deb9u1 => 1.8.19p1-2.1+deb9u2)
      igmpproxy (0.1 => 0.2.1)
      tzdata (2019c-0+deb9u1 => 2020a-0+deb9u1)

Known issues

• [DPI] - Sometimes DPI is reporting wrong rx/tx counters
• [Offloading] - L2TP IPSec traffic is not being offloaded on Mediatek-based routers (ER-X, ER-X-SFP, EP-R6)
• [Offloading] - VLAN traffic is not being offloaded on ER-12

Additional information

EdgeRouter firmware can be installed via CLI, WebGUI or UNMS. Detailed installation instruction is available here.

Checksums:

ER-e50.v2.0.9.5346345.tar   - md5:411314387abecb3185c2c75dca5376ee - sha256:6e9266c44b1d8facdd21c174831ff0f6c273d49f5503688fcbf89ec45df4d244
ER-e100.v2.0.9.5346345.tar  - md5:02468bce89d52000186b75cc5f0c91bc - sha256:6a3d7e78fa5dd24a02d133ccd9bfc8b22b142453dc42a5e6d38b20eee5bc1797
ER-e200.v2.0.9.5346345.tar  - md5:2ec8d376cbf9552f8d14cbf3086800e0 - sha256:62ddf09a68eca710130b6d14a611515f664100f8ac13344d2b35846049d495c2
ER-e300.v2.0.9.5346345.tar  - md5:f47a532c8151533796c21e20cb64803a - sha256:694b6ed0bc5835a7ca97eeb4e1efa1e9c790c135d50ac41afb863fe0b052baa8
ER-e1000.v2.0.9.5346345.tar - md5:1a2957029db5ee83ad1d777f58a8974c - sha256:36696f8401687334a4ae3129282be4fba546e985d5ec1aa237273115a39190c8

The ER-X/ER-X-SFP/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space. If this happens, remove the old backup image first (using "delete system image" CLI command, see here for more details) before doing an upgrade.

More details can be found in the release notes below. Please give it a try if you are interested in the new features/changes to help us test them so that we can get the release out sooner! Thanks very much!

New features

• n/a

Improvements

• n/a

Bugfixes

• [PPPoE/L2TP/PPP] - Fix buffer overflow vulnerability in pppd daemon (CVE-2020-8597)
• [IPV6] - Allow packets with TTL=0 when "hwnat offloading" is enabled. This fixes DHCPv6 problems on ER-X/ER-X-SFP/EP-R6 models. Discussed here
• [Offloading] - Fix bug when router randomly crashed after disabling offloading on ER-Lite, ER, ER-Pro, ER-Infinity, ER-4, ER-6P, ER-12. Discussed here
• [WebGUI] - Regenerate WebGUI certificate if it does not meet new iOS 13 and MacOS 10.15 requirements. Announced here
• [IPSec] - Backport security fixes to strongswan v5.2.2 (CVE-2015-3991, CVE-2015-4171, CVE-2017-9022, CVE-2017-9023, CVE-2017-11185, CVE-2018-10811)
• [TechSupport] - Collect SLAB usage in support file
• [MDNS] - Fix bug when mdns service did not start with vti configured
• [Tcpdump] - Upgrade tcpdump v4.9.3 to fix RCE vulnerability (CVE-2018-14880)
• [SFP] - Fix bug when some SFP modules were mistakenly reporting TX error
• [SSH] - Limit permitted SSH MACs to those permitted by OpenSSH v7.4. Disabling some that are now considered weak and get flagged by vulnerability scanners as such.

Known issues

• IPv6 OSPF route disappears from routing table. See fix in Note #4 in Instructions below

Additional information

EdgeRouter firmware can be installed via CLI, WebGUI or UNMS. Detailed installation instruction is available here.

Checksum

ER-e50.v1.10.11.5274269.tar   - md5:988e30741f7625a5b85996c7674c8baa - sha256:c74d0ddc07f076a7cc00761020dcc9eec0054d848b1f8b59ab1dcd89d512a9a9
ER-e100.v1.10.11.5274249.tar  - md5:6a8a4672c4ee29872fb435975ea605fd - sha256:0b298e3a9d7f1e7198d8786206a0b8763bdcd48bed4cae15b12b3ec230209b88
ER-e200.v1.10.11.5274249.tar  - md5:23c4efed590ab1fffd0d7f2c89581c6b - sha256:2ca1b61728dc4f215bbcfea908f5f577ff11476355edb915a7d842bfc1b98191
ER-e300.v1.10.11.5274249.tar  - md5:9c5686930ab5e98d9f713877f0166a42 - sha256:6bb449d09773407a13f261ea601938ece0efaf7eacdb4d2aeddb055ba5424795
ER-e1000.v1.10.11.5274249.tar - md5:0c5f0ad1ea7527c801a2b28aac790975 - sha256:4666f7d14f20a9fc1712d555ff0527a3602fdc6e0ed397f40da8f778678641f2

NOTE #1:This firmware is the last "Debian Wheezy" based firmware running on top of v3.10.107 kernel. There will be no more updates in v1.10.x firmware branch.

NOTE #2: From now on security fixes and software component updates will be available only in v2.0.x branch!

NOTE #3: This is the same firmware as the one that was published on beta forum last week here

💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪

NOTE #4 (Apr 23 2020):

There is a known OSPFv3 regression (introduced in v1.10.10) that is causing IPv6 OSPF routes to disappear from routing table. Discussed here and here.

This bug will be fixed in upcoming v2.0.9 firmware but for v1.10.11 fix is available as a standalone DEB package that should be installed on top of v1.10.11 firmware.

OSPFv3 fix installation instructions:

1) Download fixed ubnt-protocols DEB package from here:

• For ER-X, ER-X-SFP, ER-10X and EP-R6 models -> https://dl.ui.com/firmwares/edgemax/v1.10.11/ospfv3-fix/ubnt-protocols_9dev_mipsel.deb
• For all other ER models -> https://dl.ui.com/firmwares/edgemax/v1.10.11/ospfv3-fix/ubnt-protocols_9dev_mips.deb

You can use following oneliner to download correct ubnt-protocols DEB package from ER bash shell:

(readelf -h /bin/ls | grep "big endian" > /dev/null) && arch=mips ||
 arch=mipsel && curl -O https://dl.ui.com/firmwares/edgemax/v1.10.11/ospfv3-fix/ubnt-protocols_9dev_$arch.deb

2) Verify sha256 checksum by running following shell command:

sha256sum ubnt-protocols_9dev_mips*.deb

Here are correct checksums:

86526c189795c7c170f732d1a3c99436622a9e73152673c2e6d34594c7a2fa93  ubnt-protocols_9dev_mips.deb
88b53650dba056b3539076aad3ca57cd33e8e279b6d372dc9361f964dfbba576  ubnt-protocols_9dev_mipsel.deb

3) Install fixed ubnt-protocols DEB package:

sudo dpkg -i ubnt-protocols_9dev_mips*.deb

4) Reboot

💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪💪

The ER-X/ER-X-SFP/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space. If this happens, remove the old backup image first (using "delete system image" CLI command, see here for more details) before doing an upgrade.

More details can be found in the release notes below. Please give it a try if you are interested in the new features/changes to help us test them so that we can get the release out sooner! Thanks very much!

New features

• n/a

Improvements

• n/a

Bugfixes

• [PPPoE/L2TP/PPP] - Fix buffer overflow vulnerability in pppd daemon (CVE-2020-8597)

Known issues

• [Performance] - Throughput degradation by 5-10% when comparing with v1.10.x firmware with older kernel
• [VPN] - L2TP remote access VPN does not work with Android6/7 L2TP clients (but works with Android9 client). L2TP issue on Android6/7 is caused by bad IPSec implementation on Android side, workaround discussed here
• [DPI] - Sometimes DPI is reporting wrong rx/tx counters
• [Offloading] - On Cavium-based routers (ER, ER-Pro, ER-Lite, ER-PoE, ER-4, ER-6P, ER-12, ER-Infinity) small percentage of packets are randomly reordered. This issue was fixed in v1.10.0 firmware but it reappeared since v2.0.0 because of new Ethernet driver.

Additional information

EdgeRouter firmware can be installed via CLI, WebGUI or UNMS. Detailed installation instruction is available here.

Checksum:

ER-e50.v2.0.8-hotfix.1.5278088.tar   - md5:af9b83af58fb9bec61a97049b8d81aee - sha256:b877aa2404ec768c2000d15c2aea53205be5f64046f671ba37d67860cd582846
ER-e100.v2.0.8-hotfix.1.5278088.tar  - md5:ad4a05e29ea1304607f1776636bbe982 - sha256:23672e75f05c3e0f09d861b909719c66c3a415b3cc31a411ca984828d011a03e
ER-e200.v2.0.8-hotfix.1.5278088.tar  - md5:e3685f503cbf0b260d55e9c19dd1a891 - sha256:65efafc644c18f37f32af75a2435297f4a9d178ea1f759e3ac9f5698fd456f6c
ER-e300.v2.0.8-hotfix.1.5278088.tar  - md5:d4b30e3821621f16f6e960d753eaf073 - sha256:cc6c28fa9cc221bfa7073523452aa95bba0fe0cd2bf935dd44749a0e28622534
ER-e1000.v2.0.8-hotfix.1.5278088.tar - md5:795f53de8c502619616ee0bc19de594c - sha256:c00eb0aa186366313a592d0fc8f91331e0a43f9f9a89b44743e631ce9ce6153e

The ER-X/ER-X-SFP/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space. If this happens, remove the old backup image first (using "delete system image" CLI command, see here for more details) before doing an upgrade.

More details can be found in the release notes below. Please give it a try if you are interested in the new features/changes to help us test them so that we can get the release out sooner! Thanks very much!

New features

• [Offloading] - Ported hwnat offloading for ER-X/ER-X-SFP/ER-10X/EP-R6 from v1.10.9 firmware. Old hwnat offloading is much more stable than new one (which we used in EdgeOS firmwares from v2.0.1 to v2.0.7). This fixes multiple IPv6 and VLAN offloading issues in v2.0.x firmware as well as random kernel crash and failure to work in LoadBalancing/ECMP environments. Discussed here
• [WebGUI] - Add UNMS Cloud quick-connection button in WebGUI

Improvements

• Offloading performance improved on ER-X, ER-X-SFP, ER-10X and EP-R6 after back-porting hwnat from v1.10.9 firmware.

     Version      CPU Load   Throughput 
---------------- ---------- ------------
  v1.10.9            20%      979 Mbps
  v2.0.6             59%      821 Mbps
  v2.0.8             23%     1030 Mbps       <--------- Improved after backporting hwnat from v1.10.x firmware

• Increased optimization level for proprietary UBNT apps. This decreased memory footprint, increased performance and eliminated "memory allocation failure" errors that randomly occurred on ER-X/ER-X-SFP devices .
• Improved forwarding performance on ER-Infinity when offloading is disabled. In our UNMS QoS shaping scenario we see +50% throughput growth when handling 256 clients (total throughput increased from 3.6Gbps to 5.5Gbps)

Bugfixes

• [Offloading] - Fix bug when router randomly crashed after disabling offloading on ER-Lite, ER, ER-Pro, ER-Infinity, ER-4, ER-6P, ER-12. Discussed here
• [Offloading] - Fix random scheduling while atomic kernel crash when IPSec offloading was enabled on ER-6P/ER-4. Discussed here
• [Offloading] - Fix bug when some VoIP implementations (WiFi Calling for Verizon) fail if hwnat offloading was enabled on ER-X/ER-X-SFP/ER-10X. Discussed here
• [Bootloader] - Show notification in shell that router needs to be rebooted in order to apply new boot image. Discussed here
• [WebGUI] - Regenerate WebGUI certificate if it does not meet new iOS 13 and MacOS 10.15 requirements. Announced here
• [System] - Make platform-unique default hostname
• [Switch] - Fix bug when switch interface on ER12/ER-12P occasionally did not work
• [Switch] - Fix bug when packets tagged with 802.1p (PCP) were not processed by VLAN-aware switch. Discussed here and here
• [PoE] - Fix bug when PoE mistakenly remains ON when configuring using wizard
• [Interfaces] - Fix bug when speed/duplex settings did not work on switch interfaces on ER-12/ER-12P
• [Interfaces] - Fix bad ethX rx/tx counters on ER-X when hwnat is enabled
• [Kernel] - Improve interface link monitoring on ER-4/ER-6/ER-12. This reduces CPU load of the kernel
• [Tech-Support] - Collect SLAB usage in tech-support file
• [Tech-Support] - Fix regression from v2.0.6 when WebGUI generated brief tech-support file instead of full
• [Security] - Fix CVE-2018-14880 vulnerability in tcpdump. Discussed here
• [Security] - Fix multiple Buffer overflow vulnerabilities when writing to different /proc/xxx entries which could be could be used to abuse kernel stack.
• [Upgrade] - Improve upgrade process to ensure that it does not fail in low-RAM environment when upgrading from WebGUI/UNMS. This fixes random upgrade failure errors that were observed on ER-X
• [QoS] - Fix bug that caused UNMS QoS configuration to survive factory-reset
• [QoS] - Fix bug that caused Commit failure when configuring advanced-queue on redirected interface. Discussed here.
• process died because of insufficient free memory.
• [Firewall] - Fix bug that caused Commit failure when configuring IPv6 MSS clamping. Discussed here.

• Upgraded following Debian base packages:

e2fslibs    (1.43.4-2 => 1.43.4-2+deb9u1)
e2fsprogs   (1.43.4-2 => 1.43.4-2+deb9u1)
libcomerr2  (1.43.4-2 => 1.43.4-2+deb9u1)
libexpat1   (2.2.0-2+deb9u2 => 2.2.0-2+deb9u3)
libss2      (1.43.4-2 => 1.43.4-2+deb9u1)
libssl1.0.2 (1.0.2s-1~deb9u1 => 1.0.2t-1~deb9u1)
libssl1.1   (1.1.0k-1~deb9u1 => 1.1.0l-1~deb9u1)
openssl     (1.1.0k-1~deb9u1 => 1.1.0l-1~deb9u1)
sudo        (1.8.19p1-2.1 => 1.8.19p1-2.1+deb9u1)
tcpdump     (4.9.2-1~deb9u1 => 4.9.3-1~deb9u1)

Known issues

• [Performance] - Throughput degradation by 5-10% when comparing with v1.10.x firmware with older kernel
• [VPN] - L2TP remote access VPN does not work with Android6/7 L2TP clients (but works with Android9 client). L2TP issue on Android6/7 is caused by bad IPSec implementation on Android side, workaround discussed here
• [DPI] - Sometimes DPI is reporting wrong rx/tx counters
• [Offloading] - On Cavium-based routers (ER, ER-Pro, ER-Lite, ER-PoE, ER-4, ER-6P, ER-12, ER-Infinity) small percentage of packets are randomly reordered. This issue was fixed in v1.10.0 firmware but it reappeared since v2.0.0 because of new ethernet driver.

Additional information

EdgeRouter firmware can be installed via CLI, WebGUI or UNMS. Detailed installation instruction is available here.

Checksum:

ER-e50.v2.0.8.5247496.tar   - md5:2b6b7a8ceb87371d81a6549d1cab61fe - sha256:23aa317cf46aee4f5635eb8af75781ea76cbc49d03bc202812344466d88d631b
ER-e100.v2.0.8.5247496.tar  - md5:b79d1e8b2368cd785adf7b46e8d2d014 - sha256:5f79966da466a15f0c8c6e192491aab466d5b05b76c2782b64a7e6a0f2802f8a
ER-e200.v2.0.8.5247496.tar  - md5:839225391afd3a9674cce5365d400575 - sha256:29b6d435a8621e67f3cbb2684b443800fed8664e7bc0049a89cd8bc988118459
ER-e300.v2.0.8.5247496.tar  - md5:14e43b202851b8207060a4c03a42b900 - sha256:323152aca327d591f442b50f1020270358aa9da201c6596880528e1944c90fa7
ER-e1000.v2.0.8.5247496.tar - md5:7da10542742a34802f79d2fcf49b2dcc - sha256:821252993975437f4c5fa68a6bbfdbe988cff4d3cd8489b71ddef03313d6d019

The ER-X/ER-X-SFP/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space. If this happens, remove the old backup image first (using "delete system image" CLI command, see here for more details) before doing an upgrade.

More details can be found in the release notes below. Please give it a try if you are interested in the new features/changes to help us test them so that we can get the release out sooner! Thanks very much!

New features

• n/a

Improvements

• n/a

Bugfixes

• [UNMS] - Fix bug when connection with UNMS failed if LLDP was enabled on ER-PoE
• [WebGUI] - Fix bug when ER could be DDoSed by opening a lot of unauthenticated WebGUI sessions
• [WebGUI] - Fix WebGUI bug when VLAN configuration tab was missing on EP-R6. Discussed here
• [WebGUI] - Fix bad title displayed in browser tab
• [OSPF] - Fix memory leak in OSPF when access-list is configured to filter received routes
• [IPsec] - Fix potential authorization bypass vulnerabilities in strongSwan (CVE-2018-16151, CVE-2018-16152, CVE-2018-17540)
• [OpenSSL] - Fix CVE-2019-1559 security vulnerability in OpenSSL and upgrade OpenSSL to 1.0.1t-1+deb8u11
• [Bootloader] - Add latest bootloader that supports TFTP recovery
• [Kernel] - Fix SACK vulnerabilities in TCP networking stack (CVE-2019-11477, CVE-2019-11478)
• [Kernel] - Fix excessive resource consumption flaw in TCP networking stack (CVE-2019-11479)
• [Wizard] - Fix wrong WAN interface in "Basic Setup Wizard" on ER-X and ER-4. Discussed here
• [Wizard] - Add IPv6 firewall rules by default in "Basic Setup Wizard"

Known issues

• n/a

Additional information

EdgeRouter firmware can be installed via CLI, WebGUI or UNMS. Detailed installation instruction is available here.

Checksum

ER-e50.v1.10.10.5210345.tar   - md5:fc8404aeec575be0afb971bf0c679d7d - sha256:0b0ef2f858c9a0f6a0e9b0ccda890e9c10422afaa6a6704271a9ef84d795f646
ER-e100.v1.10.10.5210345.tar  - md5:85cf17825d042ef143a856b89498d502 - sha256:cd496077f8726b0445c3af1e0a4dadf86f3810c16f315b5b57805bde8265fed8
ER-e200.v1.10.10.5210345.tar  - md5:b7f2bd31e76c007a9722e5cffbd456a3 - sha256:7a5edeedb350db1ba71359b529adb8f9855d35247c975eecc43d771fe7c6f6be
ER-e300.v1.10.10.5210357.tar  - md5:c8b165f67a61d98638cb9d8f5edf7731 - sha256:5823080842402dd64cf5decb8ff901f46a8b8f5b7f476d593a27e747cc4d14d3
ER-e1000.v1.10.10.5210358.tar - md5:17870b4771c0bff16383ffdedcddd4e6 - sha256:f5c74f1a6e138fb87639b03f988e0ecb39b4db5c6817bf7b1ffae7aa3a9365e4

This is urgent EdgeOS firmware release that contains only security fixes in kernel and IPSec areas. This is almost the same firmware as the v2.0.5 that was published on beta forum 2 weeks ago. The only difference is that in v2.0.6 we additionally upgraded "udapi-bridge" package to latest version v0.7.3 to support new UNMS features.

The ER-X/ER-X-SFP/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space. If this happens, remove the old backup image first (using "delete system image" CLI command, see here for more details) before doing an upgrade.

More details can be found in the release notes below. Please give it a try if you are interested in the new features/changes to help us test them so that we can get the release out sooner! Thanks very much!

👍👍👍 IMPORTANT NOTICE if ER that is used as a gateway in UNMS👍👍👍

Please upgrade UNMS to version v0.14.1/v1.0.0.-beta.5 or higher (UNMS release notes is available here) before upgrading EdgeRouter to v2.0.6, otherwise there is a chance that ER will become unreachable from WAN interface. If this will happen then perform following steps in order to restore connectivity:

• Connect to ER from LAN interface via SSH
• Commit following command in configuration mode - "delete traffic-control optimized-queue"

New features

• n/a

Improvements

• Add support for UNMS v1.0

Bugfixes

• [Kernel] - Fix SACK vulnerabilities in TCP networking stack (CVE-2019-11477, CVE-2019-11478)
• [Kernel] - Fix excessive resource consumption flaw in TCP networking stack (CVE-2019-11479)
• [IPsec] - Fix potential authorization bypass vulnerabilities in strongSwan (CVE-2018-16151, CVE-2018-16152, CVE-2018-17540)

Known issues

• [Performance] - Throughput degradation by 5-10% when comparing with v1.10.9 firmware with older kernel.
• [Offloading] - IPsec and VLAN offloading on ER-X/ER-X-SFP and EP-R6 does not work yet.
• [VPN] - L2TP remote access VPN does not work with Android6/7 L2TP clients (but works with Android9 client).

UPDATE: L2TP issue is caused by bad IPSec implementation on Android side, workaround discussed here

• [LoadBalancing] - On ER-X LoadBalancing sometimes fails to recover after switching to failover interface.
• [WebGUI] - Sometimes statistics in WebGUI is "freezing" and page refresh is needed in order to wake it up.
• [DPI] - Sometimes DPI is reporting wrong rx/tx counters.

Additional information

EdgeRouter firmware can be installed via CLI, WebGUI or UNMS. Detailed installation instruction is available here.

Checksum

ER-e50.v2.0.6.5208541.tar   - md5:73fc871f64da1e92bc025f3a74de6f9e - sha256:71e36defd8a00ba61031bffd51f3fbb35685394312ca2ba6f5bc0dd7807a0d22
ER-e100.v2.0.6.5208553.tar  - md5:233cbd0968c3be078f894e208d9c55f9 - sha256:bba75211f683a19540a69ab12289c656c0036c9c245781ee92a725d673c39599
ER-e200.v2.0.6.5208554.tar  - md5:84c4fb188eacb7c200d46c392bff1aae - sha256:bc2a50a2bb10c22c4cfc421c73b2095678edc246cc0b1ebb4641e0759b22498d
ER-e300.v2.0.6.5208554.tar  - md5:e58cf1d62b2a428e0df1a31b24ce9d69 - sha256:4231f221a2b5f22cf6b453e7a91c6e65564465f63971084f3a6aad4ffff36d82
ER-e1000.v2.0.6.5208554.tar - md5:346a9372783fb35c0e3f560bba1f783c - sha256:918874d6abc39336533fbc161ac948edd55740b84ff2903fae35b1c11d168818

The ER-X/ER-X-SFP/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space. If this happens, remove the old backup image first (using "delete system image" CLI command, see here for more details) before doing an upgrade.

More details can be found in the release notes below. Please give it a try if you are interested in the new features/changes to help us test them so that we can get the release out sooner! Thanks very much!

New features

• [UNMS] - Add support for UNMS v1.0

Improvements

• [Dnsmasq] - Improve speed of dnsmasq initial configuration during boot.
• [FactoryReset] - Add eth9 LED blinking when doing factory reset on ER-10X.
• [TechSupport] - Add more IPSec info to tech-support file.
• [Bootloader] - Upgrade bootloader automatically for those ERs that have backup bootloader partition (ER-8, ERPro-8, ER-8-XG).

Bugfixes

• [Offloading] - Fix bug that caused Qos/Netflow malfunction when offloading was enabled.
• [LLDP] - Fix regression in v2.0.1 when interfaces of switch ports did not transmit LLDP frames. Discussed here.
• [IPv6] - Add config validation that forbids simultaneous use of dhcpv6 and dhcpv6-pd. Discussed here.
• [Discovery] - Fix bug when UBNT discovery did not work if UNMS was configured.
• [UPnP] - Fix bug when UPnP rules were not properly flushed by "clear upnp2 rules" CLI command. Discussed here.
• [Offloading] - Fix bug when syslog&console were filled with "protocol 0800 is buggy" error messages if gre offloading was enabled. Discussed here and here.
• [SFP] - Fix bug when SFP status sometimes disappeared when SFP module was inserted. Discussed here and here.
• [Switch] - Fix regression in v2.0.0 when counters of switch0 were not incremented on ER-12/ER-12P. 
• [Switch] - Fix potential packet leaking issue after detaching interface from switch0.
• [Interface] - Fix bug when interfaces counters added in switch0 didn't get updated on ER-10X.
• [Security] - Fix bug when ER could be DOSed by opening unauthenticated WebGUI session that would lead to resource consumption.
• [Boot] - Disable interactive prompt when installing new packages from "/config/data/firstboot/install-packages". Discussed here.

Known issues

• [Performance] - Throughput degradation by 5-10% when comparing with v1.10.9 firmware with older kernel.
• [Offloading] - IPsec and VLAN offloading on ER-X/ER-X-SFP and EP-R6 does not work yet.
• [VPN] - L2TP remote access VPN does not work with Android6/7 L2TP clients (but works with Android9 client).
• [LoadBalancing] - On ER-X LoadBalancing sometimes fails to recover after switching to failover interface.
• [WebGUI] - Sometimes statistics in WebGUI is "freezing" and page refresh is needed in order to wake it up.
• [DPI] - Sometimes DPI is reporting wrong rx/tx counters.

Additional information

EdgeRouter firmware can be installed via CLI, WebGUI or UNMS. Detailed installation instruction is available here.

Checksum

ER-e50.v2.0.4.5199165.tar   - md5:84116c2bda2181f1aea17845462aeba1 - sha256:a84c43f791ec06dc51dde9fb0fc354f730f2bffed49c03ba5b6fa57ee7aa7607
ER-e100.v2.0.4.5199165.tar  - md5:78da95941df2f489ceb345eb74a3b454 - sha256:a9d274cff247f26af3b3b037b718aaa0be42a6e88463be427c382064c00914c4
ER-e200.v2.0.4.5199165.tar  - md5:dc5c07c5039fdad4a7462bb47c90ce48 - sha256:8e1deec2d86faa5e5616548b635c4ee8505073d2429be5759f572694f268b230
ER-e300.v2.0.4.5199165.tar  - md5:5b13eb02ca58abec52d71089ff69ff50 - sha256:e088a9a9ed556c9b432c1afc1c1ff1cfe75a921f60f1468a9f64551d3cc9dd7a
ER-e1000.v2.0.4.5199165.tar - md5:2f18c5a9a9e39e0ff54c61c0653d80d4 - sha256:17a3b1a3d7ccdbd94128c51d45fa8ecb687839b572cb0048c882da9b68454afe