from Hacker News

Nginx Security Advisory

by TimWolla on 2/14/24, 6:53 PM with 25 comments

  • by sschueller on 2/14/24, 7:07 PM

    Interesting, this is just an hour before the core dev quit because of disagreements on how security is managed at F5.

    https://news.ycombinator.com/item?id=39373327

  • by tristor on 2/15/24, 12:12 AM

    This seems like mostly a non-issue, since this module isn't compiled by default. I guess it's good to fix it regardless, but it seems unnecessary to issue a security advisory/CVE for this. HTTP/3 is an experimental feature in nginx that isn't built by default and isn't included in most distribution builds.

  • by geocrasher on 2/14/24, 7:25 PM

    Still being investigated apparently. From what's known, they haven't been labeled as RCEs at least.

  • by will_wright on 2/14/24, 11:33 PM

    I'm a novice at nginx and using modules. How do I figure out if the nginx docker images that I use are affected by this? It looks like the default image uses `debian:bookworm-slim`. Is it safe to assume that the compiled version in that upstream image isn't using any additional modules?

    > The issues affect nginx compiled with the ngx_http_v3_module (not compiled by default) if the "quic" option of the "listen" directive is used in a configuration file.
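
One way to check the two conditions in the advisory text quoted above (module compiled in, and a `listen` directive carrying `quic`), as an added example that is not part of the original thread. The function names and sample inputs are constructed for illustration; `--with-http_v3_module` is nginx's configure flag for the module, and `nginx -V` / `nginx -T` print the build arguments and the effective configuration.

```shell
#!/bin/sh
# Added example: classify an nginx build + config against the advisory's
# two conditions. On a real image (IMAGE is a placeholder) feed it with:
#   build=$(docker run --rm IMAGE nginx -V 2>&1)
#   conf=$(docker run --rm IMAGE nginx -T 2>/dev/null)
#   quic_exposure "$build" "$conf"

# Succeeds if the configure arguments include the HTTP/3 module.
has_v3_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_v3_module'
}

# Succeeds if any listen directive outside a comment carries the "quic"
# parameter. Heuristic: strips everything after '#' on each line first.
uses_quic_listen() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        grep -Eq '(^|[;{[:space:]])listen[[:space:]][^;]*[[:space:]]quic([[:space:]][^;]*)?;'
}

# Prints one of: not-built, built-not-enabled, built-and-enabled.
quic_exposure() {
    if ! has_v3_module "$1"; then
        echo "not-built"
    elif uses_quic_listen "$2"; then
        echo "built-and-enabled"
    else
        echo "built-not-enabled"
    fi
}

# Constructed sample inputs (not taken from any real image).
SAMPLE_BUILD_V3='nginx version: nginx/X.Y.Z
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v3_module'
SAMPLE_BUILD_PLAIN='nginx version: nginx/X.Y.Z
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module'
SAMPLE_CONF_QUIC='server {
    listen 443 ssl;
    listen 443 quic reuseport;
}'
SAMPLE_CONF_PLAIN='server {
    listen 443 ssl;
    # listen 443 quic reuseport;
}'

quic_exposure "$SAMPLE_BUILD_V3" "$SAMPLE_CONF_QUIC"
quic_exposure "$SAMPLE_BUILD_V3" "$SAMPLE_CONF_PLAIN"
quic_exposure "$SAMPLE_BUILD_PLAIN" "$SAMPLE_CONF_QUIC"
```

Only the `built-and-enabled` result matches both conditions in the quoted advisory text; `built-not-enabled` means the module is present but no `listen ... quic` directive is active.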

  • by mise_en_place on 2/14/24, 9:02 PM

    Will this affect http/2 as well?