this post was submitted on 15 Feb 2024
2 points (100.0% liked)

Open Source

31243 readers
261 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 0 points 9 months ago* (last edited 9 months ago) (2 children)
  1. I'm glad we agree a DoS is a vulnerability.
  2. CVE best practices state that CVEs are required to be assigned to experimental features. F5's company policy is that CVE best practices are followed. F5 is the company that owns nginx. Therefore, it was required. Nice 'legal requirement' strawman. Also, 'Common' in this situation is not defined as 'Widespread; prevalent,' it's defined as 'Of or relating to the community as a whole; public.'
  3. That was a typo regarding 'stable,' my bad. I meant to say 'It is just not available on stable, but is both via commercially and via the open source version.' However, it's still available on commercial versions and open source, and 'non-stable' versions are not inherently unstable, they're just called 'mainline'. Proof: https://nginx.org/en/download.html Stable is basically just 'long term support/LTS' versions of nginx.
  4. Again, you are intentionally misusing the definitions of the word common. Lets see what MITRE has to say about it, hmm?

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. CVE's common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization's security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.

Source: https://cve.mitre.org/about/

  1. Yes, I would consider notifying the development mailing list as 'quietly' fixing it, as most all companies using it will not be on the development mailing list. It's meant to be an area for developers to discuss things. They didn't inform the public, they informed the devs.
  2. Where are you getting database from? You've randomly pivoted into talking about database transactions then started babbling about how you somehow think using a production mainline release with production options on a fully supported commercial binary is somehow inherently unsafe, as though it wouldn't still be in dev or test.

Since you seem to have no idea about how web servers work, or indeed, experimental features, I'll let you in on a secret- The only difference between a non-experiemntal option in nginx and an experimental option is that they're unsure if they want that feature in nginx, and are seeing how many people are actually using it/interested in, or they think that usage patterns of the feature might indicate another, better method of implementation. "Experimental" does not mean "unfinished" or "untested."

If you know nothing about programming, CVEs, or even web engines, please stop embarrassing yourself by trying to trumpet ill-thought out bad takes on subjects you don't understand.

[–] [email protected] 0 points 9 months ago (1 children)

Please don’t complain to us mod/admins about someone making things personal, when you’re the one calling someone a liar and a know-knowing about their field of work.

[–] [email protected] 0 points 9 months ago

Really dude? I never once devolved to name calling, I stated that he lied when he made false statements. What else am I supposed to say there?

How is saying he doesn't know what the subject matter he's taking a stance on a personal attack either? He's straight up said he doesn't know what a CVE is, he doesn't know what experimental means, and while he claims to be in this field of work, he doesn't know what a web worker is and confused a web transaction with a database transaction.

Sure, I could have been nicer about it, but I never made it personal.

[–] [email protected] 0 points 9 months ago

Dude, can you be less rude? Calling me a liar, without point out a lie. At best, you found a misunderstanding of cve on my end which wouldn't be a lie and isn't in the part that you called a lie. Also I don't think that there was a misunderstanding on my end of what cve means. Then you call me basically a clueless idiot for not having a clue about web servers. While I actually currently am working for a multi billion dollars companies as a backend dev and never worked anything but web dev. Then you complain about a straw man when you don't bother to express what your actual argument was and I had to guess.

You might realize that I am not bothering to argue your points, there is a simple reason why, you are being a dick. Make your points clearly like you did just a moment ago and don't be rude while doing it and you get an interesting conversation.

In case, you are curious, I am actually rather neutral on whether or not, it should be cves. I see the devs reasons and think they are reasonable and I understand why f5 would report it. A new fork seems to be an overreaction though. I bet you didn't expect me to hold this position because you were busy being a dick instead of having a conversation