view the rest of the comments
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
https://fieldeffect.com/blog/mikrotik-devices-risk-super-admin-elevation-flaw
https://thehackernews.com/2023/07/critical-mikrotik-routeros.html?m=1
https://www.bleepingcomputer.com/news/security/super-admin-elevation-bug-puts-900-000-mikrotik-devices-at-risk/
Wow you found three different articles, all about the same CVE, that the manufacture published a firmware patch for before any public disclosure was made. That’s definitely just as bad as pretending you don’t know about CVEs in your products lol.
Yeah they definitely could have been quicker with the patches but as long as the patches come out before the articles they are above average with how they handle CVE's, way too many companies out there just not giving a shit whatsoever.
They were pretty quick for the stable branch, so I guess the miss is prioritizing it for LTS. But if it's just the one time, I'm completely fine with that.
So first of all I see no point in sharing multiple articles that contain the same copy-pasted info, one of those would have been enough. That aside, again, patches were made available before the vulnerability was published and things like MikroTik not pushing Updates being arguably more of a feature since automatic updates cause network downtime via a reboot and that would be somewhat problematic for networking equipment. Could they have handled that better? Yes, you can almost always handle vulnerabilities better but their handling of it was not so eggregious as to warrant completely avoiding them in the future.
Well because one is WAY WORSE than the other, and the response of commitment is way different. You're just plain wrong.
If I buy a switch and that thing decides to give me downtime in order to auto update I can tell you what lands on my blacklist. Auto-Updates absoultely increase security but there are certain use cases where they are more of a hindrance than a feature, want proof? Not even Cisco does Auto-Update by default (from what I've managed to find in this short time neither does TrendNet which you've been speaking well of). The device on its own deciding to just fuck off and pull down your network is not in any way a feature their customers would want. If you don't want the (slight) maintenance load that comes with an active switch do not get one, get a passive one instead.
My dude. You are not a serious person. I’m blocking you so I don’t waste my time with you in the future. Enjoy your life I guess.