What’s new in 6.37.5 (2017-Mar-09 11:54):

!) www – fixed http server vulnerability; This is presumably the fix for the CIA Hive Exploit in the Mikrotik httpd implementation
*) chr – fixed problem when transmit speed was reduced by interface queues;
*) dhcp – do not listen on IPv4/IPv6 client to IPv6 MLD packets;
*) dude – (changes discussed here: https://wiki.mikrotik.com/wiki/Manual:The_Dude_v6/dude_v6.xx_changelog);
*) export – do not show “read-only” IRQ entries;
*) filesystem – implemented procedures to verify and restore internal file structure integrity upon upgrading;
*) firewall – do not allow to set “time” parameter to 0s for “limit” option;
*) firewall – fixed import of exported configuration that had updated “limit” setting;
*) graphing – fixed graphing crash when high amount of traffic is processed;
*) hotspot – fixed rare kernel crash on multicore systems;
*) hotspot – fixed redirect to URL where escape characters are used (requires newly generated HTML files);
*) hotspot – show Host table commentaries also in Active tab and vice versa;
*) interface – do not treat multiple zeros as single zero on name comparison;
*) irq – properly detect all IRQ entries;
*) l2tp-client – fixed IPSec policy generation after reboot;
*) lcd – show fan2 speed only if it is available;
*) leds – fixed defaults for RBSXT5HacD2nr2;
*) mmips – improved general stability;
*) rb3011 – fixed noise from buzzer after silent boot;
*) switch – fixed crash when trying to configure second master port on the same chipset (RB3011, RB2011, CCR1009-8G-1S+);
*) userman – allow access to User Manager users page only through “/user” URL;
*) userman – show warning when no users are selected for CSV file generation;
*) winbox – added “add-relay-info” and “relay-info-remote-id” to DHCP relay;
*) winbox – added H flag to “/ip arp” ;
*) winbox – added missing “use-fan2” and “active-fan2” to “/system health”;
*) winbox – allow shorten bytes to k,M,G in bridge firewall just like in “/ip firewall”;
*) winbox – do not hide “power-cycle-after” option;
*) winbox – do not hide 00:00:00:00:00:00 MAC address in unpublished ARPs;
*) winbox – fixed matching “connection-state=untracked” connections;
*) winbox – fixed typo in “/system resources pci” list;
*) winbox – hide advertise tab in Hotspot user profile configuration if “transparent-proxy” is not enabled;
*) winbox – make “power-cycle-after” show correct value;
*) winbox – make “power-cycle-interval” not to depend on “power-cycle-ping-enabled” in PoE settings;
*) winbox – properly show BGP communities in routing filters table filter;
*) wireless – fixed scan tool stuck in background;
*) wireless – improved compatibility with Intel 2200BG wireless card;
*) wireless – update Thailand country frequency settings;

What’s new in 6.38.5 (2017-Mar-09 11:32):

!) www – fixed http server vulnerability;

What’s new in 6.39rc49 (2017-Mar-09 12:33):

!) www – fixed http server vulnerability;
*) capsman – improved CAP status querying;
*) defconf – fixed default configuration generation when wireless package is disabled;
*) ike2 – check child state before allowing rekey;
*) ike2 – send EAP identity as user-name RADIUS attribute;
*) lte – added LTE signal level reading for Cinterion modems;
*) queue – fixed reboot loop when queues were used (introduced in 6.39rc42);
*) rb3011 – added partitioning support;
*) tr069-client – added “Device.Hosts.Host.{i}.” support;Glad to see they are still thinking about this – I see potential for sure.
*) userman – fixed rare crash when User Manager requested file does not exist on router;
*) wireless – fixed RBSXT5HacD2nr2 small channel support;

v6.37.5 forum topic discussion:
https://forum.mikrotik.com/viewtopic.php?f=21&t=119373

v6.38.5 forum topic discussion:
https://forum.mikrotik.com/viewtopic.php?f=21&t=119302

v6.39rc49 forum topic discussion:
https://forum.mikrotik.com/viewtopic.php?f=21&t=116357