This seems like mostly a non-issue, since this module isn't compiled by default. I guess it's good to fix it regardless, but it seems unnecessary to issue a security advisory/CVE for this. HTTP/3 is an experimental feature in nginx that isn't built by default and isn't included in most distribution builds.
Still being investigated apparently. From what's known, they haven't been labeled as RCEs at least.
I'm a novice at nginx and using modules. How do I figure out if the nginx docker images that I use are affected by this? It looks like the default image uses `debian:bookworm-slim`. Is it safe to assume that the compiled version in that upstream image isn't using any additional modules?
> The issues affect nginx compiled with the ngx_http_v3_module (not compiled by default) if the "quic" option of the "listen" directive is used in a configuration file.
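
Added example (not part of the thread and not code from the nginx project): the condition quoted above expressed as a check over the output of `nginx -V` and `nginx -T`. The function names and sample text are constructed for illustration; `--with-http_v3_module` is the configure flag that builds ngx_http_v3_module.

```shell
#!/usr/bin/env bash
# Added example. Inputs are the text of two real nginx commands:
#   nginx -V 2>&1         (version and configure arguments, written to stderr)
#   nginx -T 2>/dev/null  (the full effective configuration)
# For a container image: docker run --rm IMAGE nginx -V   (IMAGE is a placeholder)

# Succeeds if the build was configured with the HTTP/3 module.
has_http3_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_v3_module'
}

# Succeeds if an active "listen" directive carries the "quic" parameter.
# Comments are stripped and lines joined so a directive split across lines
# still matches; [^;]* keeps the match inside a single directive.
uses_quic_listen() {
    printf '%s\n' "$1" | sed 's/#.*//' | tr '\n' ' ' |
        grep -Eq '(^|[;{}[:space:]])listen[[:space:]]+[^;]*[[:space:]]quic([[:space:]]|;)'
}

# Prints one of: not-built, built-not-enabled, affected-config
assess() {
    if ! has_http3_module "$1"; then
        echo "not-built"
    elif uses_quic_listen "$2"; then
        echo "affected-config"
    else
        echo "built-not-enabled"
    fi
}

# Constructed sample input (not taken from any real image).
SAMPLE_V='nginx version: nginx/X.Y.Z
configure arguments: --with-http_ssl_module --with-http_v2_module --with-http_v3_module'
SAMPLE_T='server {
    listen 443 ssl;
    # listen 443 quic reuseport;
    listen 443 quic
        reuseport;
}'

assess "$SAMPLE_V" "$SAMPLE_T"
```

The comment stripping is deliberately simple and would also cut a `#` that appears inside a quoted string in the configuration.
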
Will this affect http/2 as well?
Interesting, this is just an hour before the core dev quit because of disagreements on how security is managed at F5.
https://news.ycombinator.com/item?id=39373327