That's normal standard from Mikrotik when they are faced with a problem to resolve
That is not true at all! We have always reacted to issues quickly; all the previous vulnerabilities have been fixed within hours or days' time.
Even in this case, we did reproduce and acknowledge the issue. In this case though, the cause is very low level and is not simple to fix. The person who submitted it has given a publication date. We have therefore a target date before which the issue must be fixed. In fact, most CVE reports have a release date set, before which the software company can fix the issue. The date has not yet come to pass.
You've had close to a year to work on a fix...
The matter was reported to you last year but from what I am seeing, you did not do much about it and it's only since the threat of Mikrotik being "outed" on a live stream that can be seen around the world, that you are doing something about it.
What if some kid who can't get a date on a Saturday night figures this out by himself and starts letting his or her script loose before 9 April, "just because they can"?
This is a very serious issue that needs to be addressed as a matter of urgency. There are ISPs out there with tens of thousands of routers that need to be patched. It takes us between a week and 10 days to roll a RouterOS update out over our network. We have less than 10,000 customers. How is a company with 50,000 hAPs in the field going to do this within the time frame?
On 2 April I have two choices:
Either roll out a patch, or
/sy package print
/sy package disable ipv6
I run what could very well be the largest IPv6 network in South Africa. Disabling IPv6 would be very unfortunate. We're already not using Mikrotik for new wireless installations. It would be sad if we also stopped using Mikrotik for routing.