The most recent “security advisory” was released despite the fact
that the particular bug in the experimental HTTP/3 code is
expected to be fixed as a normal bug as per the existing security
policy, and all the developers, including me, agree on this.
And, while the particular action isn’t exactly very bad, the
approach in general is quite problematic.
I read something about this the other day, but I’m having trouble wrapping my head around it.
http://freenginx.org/pipermail/nginx/2024-February/000007.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24989
https://my.f5.com/manage/s/article/K000138444
https://mailman.nginx.org/pipermail/nginx-announce/2024/NW6MNW34VZ6HDIHH5YFBIJYZJN7FGNAV.html
This seems to have the best discussion I’ve found:
https://news.ycombinator.com/item?id=39373612
Thank you.