I ended up replacing an Asus router because they were still using 3.14 with no upgrade planned.

The issue is vendor closed source blobs.

On Sun, Sep 3, 2023, 7:04 PM Dave Taht via Cerowrt-devel <cerowrt-devel@lists.bufferbloat.net> wrote:

> The qsdk is on openwrt 15.
>
> On Sun, Sep 3, 2023 at 9:51 AM Philip Prindeville wrote:
> >
> > Hi all,
> >
> > As we work on the 23.05 release, I was stunned to receive a Mofi MOFI4500-4GXeLTE-V3 router with 14.07 installed on it as part of my Unlimitedville enrollment.
> >
> > I thought, "wow, this must have been sitting in a warehouse a while! I'd better update it." So I went to the company's support site, grabbed the latest image, flashed it, rebooted and... still running 14.07.
> >
> > For those of you too young to remember, Barrier Breaker was released 10/2014 and included the 3.10.14 kernel (released 6/2013).
> >
> > How is this not cyber security malpractice? A firewall is your first line of defense against cyber attacks. If your firewall has long known, well documented vulnerabilities and exploits, you might as well not have a firewall at all.
> >
> > I wrote them asking why there wasn't a more recent, more secure release of the firewall firmware and this was their response:
> >
> > > Dear Philip,
> > > You dint seem to know what you are talking about and should leave software to Profesionals like us and relax
> >
> > I hope that most of the companies that use our software are more diligent, and don't incur reputational damage to our efforts by continuing to ship EOL firmware.
> >
> > I get that not every company has kernel developers in-house, and frankly, providing an updated kernel release for their SoC is the manufacturer's responsibility, and MediaTek has not been responsive in this respect (for the longest time they were shipping a 2.6.36 SDK!). Some of the larger vendors (TPLink, ActionTec, Linksys, DLink, Netgear, et al) or their ODM partners have the option to hold their feet to the fire and make orders contingent on updated SDKs... I doubt that Mofi does the sort of volume that gives them any leverage.
> >
> > But I regress.
> >
> > Class Action suits are becoming more prevalent with computer and networking equipment manufacturers, as the public becomes aware of the increasing cyber security threats as well as manufacturers' implied responsibility to address vulnerabilities in a timely fashion as they become aware of them.
> >
> > I'm calling this out because I honestly hope it's the far outlier in our ecosystem, and not the rule.
> >
> > Sadly,
> >
> > -Philip
>
> --
> Oct 30: https://netdevconf.info/0x17/news/the-maestro-and-the-music-bof.html
> Dave Täht CSO, LibreQos