Comments (5)
cryptofuture
commented on June 2, 2024
Thanks, would switch when I would be able to update.
from nginx-hda-bundle.
jhiswin
commented on June 2, 2024
Thanks, would switch when I would be able to update.
https://github.com/google/brotli#security-note
Version 1.0.9 contains a fix to "integer overflow" problem.
This should be an emergency security update shouldn't it? The eustas repo uses brotli 1.0.7, while 1.0.9 contains the patch for the known integer overflow exploit? Best you can do is probably sneak a DoS in somehow, but who knows if someone might find a way to actually exploit it, and a possibility of a DoS being snuck in is still a critical update?
(Sidenote: looks pretty exploitable to me. Surprised there isn't a worm by someone clever using it yet, since so many people are using the outdated brotli)
from nginx-hda-bundle.
cryptofuture
commented on June 2, 2024
@jhiswin I abandoned the repo and launchpad unfortunately
#44
from nginx-hda-bundle.
jhiswin
commented on June 2, 2024
[PPA was taken down and packages disappeared. Might have been an impersonator, purposely setting up packages in a way to make it seem like the only choice was to use broken packages with security exploits in it and setting up broken binaries. What a jerk.]
Who is updating the packages? The PPA was just updated a week ago wasn't it?
Did someone else take over? Because it's still described as being associated with your website and e-mail, gives the appearance that it is security oriented, while still incorporating a known flawed library. And is cascading the flawed library into other projects.
It's a problem, because not only are a lot of people still using the PPA, but there are other PPAs directly using your ngx-brotli as a module and pulling the insecure brotli in with it.
And additionally there are a lot of nginx binaries that are all using the old brotli in the same way as your repo, as if taking it by example.
I'd contact the guy with the outdated brotli module, but he archived the repo. There should at least be some kind of visible warning that the module has a known flaw in it.
from nginx-hda-bundle.
cryptofuture
commented on June 2, 2024
Did someone else take over? Because it's still described as being associated with your website and e-mail, gives the appearance that it is security oriented, while still incorporating a known flawed library. And is cascading the flawed library into other projects.
Mine PPAs are only under:
https://launchpad.net/~hda-me/
Didn't found anyone to co-maintain unfortunately since #44
from nginx-hda-bundle.
Related Issues (20)
- TLSv1.3 support HOT 3
- Load dynamic modules and enable Brotli HOT 8
- disabling TLS v1.0 HOT 1
- 502 Bad Gateway on Incognito
- nginx-module-brotli depends on older nginx on Ubuntu 18.04 HOT 3
- this nginx version is outdated and dangerous. Got DoS attacked! HOT 4
- What prevents from update right now
- GeoIP 2 HOT 4
- nginx 1.15.11 HOT 1
- nginx 1.17.0 HOT 3
- nginx 1.17.1 HOT 6
- How i can build it? HOT 1
- Update NGINX to 1.17.3 HOT 2
- How to implement a ModSecurity module? HOT 1
- Support ngx_http_proxy_connect_module HOT 9
- Module request: nginx-http-rdns
- Unable to install latest nginx with modules
- Installation Fails on Ubuntu Focal Fossa HOT 1
- Looking for co-maintainers HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nginx-hda-bundle.