This seems like mostly a non-issue, since this module isn't compiled by default. I guess it's good to fix it regardless, but it seems unnecessary to issue a security advisory/CVE for this. HTTP/3 is an experimental feature in nginx that isn't built by default and isn't included in most distribution builds.
I'm a novice at nginx and using modules. how do I figure out if the nginx docker images that I use are effected by this? it looks like the default image uses `debian:bookworm-slim`. is it safe to assume that the compiled version in that upstream image isn't using any additional modules?
> The issues affect nginx compiled with the ngx_http_v3_module (not
compiled by default) if the "quic" option of the "listen" directive
is used in a configuration file.
The official nginx docker images ship with HTTP3 module enabled - and we have released the updated ones earlier today - so please update to stay secure.
You can also launch something like:
$ docker run -ti --rm nginx:latest nginx -V
to check which modules are compiled in to the binary you're running.
sschueller|2 years ago
https://news.ycombinator.com/item?id=39373327
the_mitsuhiko|2 years ago
justsomehnguy|2 years ago
tristor|2 years ago
geocrasher|2 years ago
k00shball|2 years ago
will_wright|2 years ago
> The issues affect nginx compiled with the ngx_http_v3_module (not compiled by default) if the "quic" option of the "listen" directive is used in a configuration file.
thresh|2 years ago
The official nginx docker images ship with HTTP3 module enabled - and we have released the updated ones earlier today - so please update to stay secure.
You can also launch something like: $ docker run -ti --rm nginx:latest nginx -V
to check which modules are compiled in to the binary you're running.
Thanks!
mise_en_place|2 years ago
k00shball|2 years ago