search

cryptofuture / nginx-hda-bundle

Nginx HDA Bundle - Dynamic Modules Power
https://launchpad.net/~hda-me/+archive/ubuntu/nginx-stable
81 stars 11 forks source link

Switch brotli repo #42

Open willstocks opened 4 years ago

willstocks commented 4 years ago

Hi guys, I noticed that this is still using https://github.com/eustas/ngx_brotli which is no longer actively developed. The submodule should be switched over to https://github.com/google/ngx_brotli to make use of active development/changes

cryptofuture commented 4 years ago

Thanks, would switch when I would be able to update.

jhiswin commented 3 years ago

Thanks, would switch when I would be able to update.

https://github.com/google/brotli#security-note

Version 1.0.9 contains a fix to "integer overflow" problem.

This should be an emergency security update shouldn't it? The eustas repo uses brotli 1.0.7, while 1.0.9 contains the patch for the known integer overflow exploit? Best you can do is probably sneak a DoS in somehow, but who knows if someone might find a way to actually exploit it, and a possibility of a DoS being snuck in is still a critical update? (Sidenote: looks pretty exploitable to me. Surprised there isn't a worm by someone clever using it yet, since so many people are using the outdated brotli)

cryptofuture commented 3 years ago

@jhiswin I abandoned the repo and launchpad unfortunately https://github.com/cryptofuture/nginx-hda-bundle/issues/44

jhiswin commented 3 years ago

[PPA was taken down and packages disappeared. Might have been an impersonator, purposely setting up packages in a way to make it seem like the only choice was to use broken packages with security exploits in it and setting up broken binaries. What a jerk.]

Who is updating the packages? The PPA was just updated a week ago wasn't it? Did someone else take over? Because it's still described as being associated with your website and e-mail, gives the appearance that it is security oriented, while still incorporating a known flawed library. And is cascading the flawed library into other projects.

It's a problem, because not only are a lot of people still using the PPA, but there are other PPAs directly using your ngx-brotli as a module and pulling the insecure brotli in with it. And additionally there are a lot of nginx binaries that are all using the old brotli in the same way as your repo, as if taking it by example.

I'd contact the guy with the outdated brotli module, but he archived the repo. There should at least be some kind of visible warning that the module has a known flaw in it.

cryptofuture commented 3 years ago

Did someone else take over? Because it's still described as being associated with your website and e-mail, gives the appearance that it is security oriented, while still incorporating a known flawed library. And is cascading the flawed library into other projects.

Mine PPAs are only under: https://launchpad.net/~hda-me/

Didn't found anyone to co-maintain unfortunately since #44