Does anybody know if RouterOS is affected by the Heartbleed vulnerability in OpenSSL and if so when it will be patched?

I presume that RouterOS uses OpenSSL for its encryption in for example SSTP VPN.

Quote from some time ago:

We don't use GnuTLS. We use OpenSSL which has no such problems

http://demo2.mt.lv/help/license.html

Seems like it's vulnerable.

I asked about this issue in ticket #2014040866000258 as soon as I became aware of the vulnerability.

I will update back here when I hear anything from MikroTik.

ALL prior RouterOS releases (6.11 and older) are not affected by this vulnerability as older OpenSSL library where used.

In addition RouterOS 6.12 will have new OpenSSL library that has this vulnerability resolved.


Edited for clarity.

Does this mean 6.x have the vulnerability and 5.x don't?

[quote] all prior RouterOS releases are not affected by this issue as older OpenSSL libraries where used.
6.12 will have newer OpenSSL with this vulnerability patched. [/quote]

Is Router OS 6.x effected or not? And if so, where can I download Version 6.12 ?

I was told that:

all current released RouterOS versions are not affected by this issue. 6.12 will
have newer OpenSSL with this problem patched.

my post in this thread was edited for clarity.

So, neither already released RouterOS versions is affected by this vulnerability. Not 6.x. Not 5.x.

And starting 6.12 we will have updated OpenSSL library that is not affected by it.

So, neither if already released RouterOS versions is affected by this vulnerability. Not 6.x. Not 5.x.

Wow! At least as far as this vulnerability is concerned, that was some "The Matrix" style bullet dodging! Great job Neo... I mean, MikroTik.

[url=http://forum.mikrotik.com/viewtopic.php ... 18#p420218]And starting 6.12 we will have updated OpenSSL library that is not affected by it.

Does this mean that we will see TLS 1.2 support in 6.12?