This has been an issue in the past, where NGINX disagreed with a CVE being assigned, but a CVE is the easiest way to get a vulnerability fixed across the ecosystem and in the distributions that distribute NGINX.
Each time something is silently fixed it takes much longer and is much harder to actually get the fix approved/backported/whatever is necessary to get it fixed.
This seems like mostly a non-issue, since this module isn't compiled by default. I guess it's good to fix it regardless, but it seems unnecessary to issue a security advisory/CVE for this. HTTP/3 is an experimental feature in nginx that isn't built by default and isn't included in most distribution builds.
I'm a novice at nginx and using modules. How do I figure out if the nginx docker images that I use are affected by this? It looks like the default image uses `debian:bookworm-slim`. Is it safe to assume that the compiled version in that upstream image isn't using any additional modules?
> The issues affect nginx compiled with the ngx_http_v3_module (not
> compiled by default) if the "quic" option of the "listen" directive
> is used in a configuration file.
The official nginx docker images ship with the HTTP3 module enabled - and we have released the updated ones earlier today - so please update to stay secure.
You can also launch something like:
$ docker run -ti --rm nginx:latest nginx -V
to check which modules are compiled in to the binary you're running.
https://news.ycombinator.com/item?id=39373327
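The two conditions in the advisory text quoted above (module compiled in, and `quic` used on a `listen` directive) can be checked together from `nginx -V` output and a configuration dump. This is an added example, not part of the thread or of nginx itself; the function names and sample inputs are constructed, and it does not check whether the running version already contains the fix.

```shell
#!/bin/sh
# Added example: function names and sample data below are constructed.
# Real use (CONTAINER is a placeholder for your running container):
#   assess "$(docker exec CONTAINER nginx -V 2>&1)" \
#          "$(docker exec CONTAINER nginx -T 2>/dev/null)"
# `nginx -V` writes to stderr, hence 2>&1; `nginx -T` dumps the full config.

# Succeeds if `nginx -V` text on stdin shows the HTTP/3 module was compiled in.
has_http3_module() {
    grep -q -- '--with-http_v3_module'
}

# Succeeds if config text on stdin has a listen directive with the "quic"
# parameter. Comments are stripped first so disabled lines do not count.
uses_quic_listen() {
    sed 's/#.*//' |
        grep -Eq '(^|[[:space:];{}])listen[[:space:]]+[^;]*[[:space:]]quic([[:space:]]|;)'
}

# assess BUILD_INFO CONFIG_TEXT -> prints one verdict word
assess() {
    if ! printf '%s\n' "$1" | has_http3_module; then
        echo "not-built"            # module absent: advisory conditions not met
    elif printf '%s\n' "$2" | uses_quic_listen; then
        echo "affected-config"      # both advisory conditions met: update
    else
        echo "built-not-enabled"    # module present, no quic listener configured
    fi
}

# Constructed sample inputs (version string is a placeholder).
SAMPLE_V='nginx version: nginx/0.0.0
configure arguments: --with-http_ssl_module --with-http_v2_module --with-http_v3_module'
SAMPLE_V_NO_H3='nginx version: nginx/0.0.0
configure arguments: --with-http_ssl_module'
SAMPLE_CONF_QUIC='server {
    listen 443 quic reuseport;
    listen 443 ssl;
}'
SAMPLE_CONF_TCP='server {
    # listen 443 quic;
    listen 443 ssl;
    server_name quic.example.test;
}'

assess "$SAMPLE_V" "$SAMPLE_CONF_QUIC"
```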