view the rest of the comments
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
Can you elaborate on how their response was lacking? From what I found the stable branch had a patch for that vulnerability available for several months before the first report while the lts branch had one available a week before the first article (arguably a brief period to wait before releasing news about the vulnerability but not unheard of either).
MikroTik also offers a 2 year warranty since they legally have to, no idea what you're on about there. Also also not sure what you think they sell other than networking because for the life of me I can't find anything other than networking related stuff on their website.
Yeah I’ve worked at WISPs that were pushing TBs through their core routers every day. Those core routers? Mikrotiks. Every apartment buildings core routers and fiber aggregation switches? Mikrotiks. You had to get down to the access layer switches that fed the individual apartments to hit Cisco equipment.
This person is just repeating some shit they read somewhere, hoping it makes them sound knowledgeable. In another post they’re recommending trendnet shit. Get back to me when you can set up BGP peering on your trendnet lol.
https://fieldeffect.com/blog/mikrotik-devices-risk-super-admin-elevation-flaw
https://thehackernews.com/2023/07/critical-mikrotik-routeros.html?m=1
https://www.bleepingcomputer.com/news/security/super-admin-elevation-bug-puts-900-000-mikrotik-devices-at-risk/
Wow you found three different articles, all about the same CVE, that the manufacture published a firmware patch for before any public disclosure was made. That’s definitely just as bad as pretending you don’t know about CVEs in your products lol.
Yeah they definitely could have been quicker with the patches but as long as the patches come out before the articles they are above average with how they handle CVE's, way too many companies out there just not giving a shit whatsoever.
They were pretty quick for the stable branch, so I guess the miss is prioritizing it for LTS. But if it's just the one time, I'm completely fine with that.
So first of all I see no point in sharing multiple articles that contain the same copy-pasted info, one of those would have been enough. That aside, again, patches were made available before the vulnerability was published and things like MikroTik not pushing Updates being arguably more of a feature since automatic updates cause network downtime via a reboot and that would be somewhat problematic for networking equipment. Could they have handled that better? Yes, you can almost always handle vulnerabilities better but their handling of it was not so eggregious as to warrant completely avoiding them in the future.
Well because one is WAY WORSE than the other, and the response of commitment is way different. You're just plain wrong.
If I buy a switch and that thing decides to give me downtime in order to auto update I can tell you what lands on my blacklist. Auto-Updates absoultely increase security but there are certain use cases where they are more of a hindrance than a feature, want proof? Not even Cisco does Auto-Update by default (from what I've managed to find in this short time neither does TrendNet which you've been speaking well of). The device on its own deciding to just fuck off and pull down your network is not in any way a feature their customers would want. If you don't want the (slight) maintenance load that comes with an active switch do not get one, get a passive one instead.
My dude. You are not a serious person. I’m blocking you so I don’t waste my time with you in the future. Enjoy your life I guess.