Hacker News
by d_meeze 1777 days ago
Burying the lede... Unfortunately, at the time of this whitepaper being published - 86 days after Apache was notified of the vulnerability - 2.4.49 has not yet come out, so although there's a patch on master, this is effectively a zero-day.

I'm not seeing anything about this in nginx changelogs (or matching CVEs) either. Disabling http2 for now.
Why would an Apache bug show up in Nginx changelogs?
It would not, but given how widespread this issue is it seems likely nginx is vulnerable, and sensible to assume it is unless otherwise demonstrated.

It’s not like the feature is super useful in general.