[HN Gopher] Nginx Security Advisory
___________________________________________________________________
Nginx Security Advisory
Author : TimWolla
Score : 91 points
Date : 2024-02-14 18:53 UTC (4 hours ago)
(HTM) web link (mailman.nginx.org)
(TXT) w3m dump (mailman.nginx.org)
| sschueller wrote:
| Interesting, this is just an hour before the core dev quit
| because of disagreements on how security is managed at F5.
|
| https://news.ycombinator.com/item?id=39373327
| justsomehnguy wrote:
| Thanks. Guess we are in some interesting times, again.
| the_mitsuhiko wrote:
| And to be clear, the disagreement appears to be that he did not
| want the CVE to be assigned.
| ArchOversight wrote:
| This has been an issue in the past, where NGINX disagreed
| with a CVE being assigned, but a CVE is the easiest way to
| get a vulnerability fixed across the ecosystem and in the
| distributions that distribute NGINX.
|
| Each time something is silently fixed it takes much longer
| and is much harder to actually get the fix
| approved/backported/whatever is necessary to get it fixed.
| KomoD wrote:
| source?
| kayfox wrote:
| https://news.ycombinator.com/item?id=39374312
|
| MegaZone is part of the F5 Security Incident Response Team.
| dsr_ wrote:
| And just so that he doesn't have to explain it: yes, it's
| his legal name, and yes, it's a mononym.
|
| Source: we were coworkers before F5.
| geocrasher wrote:
| Still being investigated apparently. From what's known, they
| haven't been labeled as RCEs at least.
| mise_en_place wrote:
| Will this affect http/2 as well?
| k00shball wrote:
| This is limited to just HTTP/3.
___________________________________________________________________
(page generated 2024-02-14 23:00 UTC)