
A closer look at recent HTTP/2 vulnerabilities affecting Kubernetes and others - rwestergren
https://randywestergren.com/a-closer-look-at-recent-http-2-vulnerabilities-affecting-k8s-and-other-implementations/
======
deathanatos
CVE writers make me cry sometimes. The original advisory is incredibly light
on details, like, what software actually has the bug. The CVEs themselves also
fail to adequately describe _what_ is vulnerable. E.g., CVE-2019-9516
“0-Length Headers Leak”, the CVE implicates "Ubuntu". Ubuntu (probably) can't
be vulnerable to this CVE, some piece of software _on_ Ubuntu must be; and
indeed clicking through to the USN shows that it's nginx. But then, why only
single out Ubuntu, Debian and Fedora? Surely the others are equally
vulnerable?

It was the same way w/ the recent VLC vuln. where the researcher just kinda
dumped an ASan output into a bug tracker and "I has a working exploit" and _no
additional details_.

~~~
faeyanpiraat
They might just want to get it out the door asap, so that mitigation efforts
could start sooner.

------
delta1
Off topic: is it common to hot-link images away from your own site to (in this
case) imgur.com?

On a corporate network it means I can read the post, but not see the blocked
images.

Is it just for the author to save bandwidth on - what appears to be - a
WordPress site?

~~~
yoru-sulfur
I've seen it done, but you're not supposed to.

From Imgur's TOS[1]: "...Also, don't use Imgur to host image libraries you
link to from elsewhere, content for your website, advertising, avatars, or
anything else that turns us into your content delivery network."

[1] [https://imgur.com/tos](https://imgur.com/tos)

~~~
rwestergren
Good point, along with the blocking on many corporate networks. Fixed!

