XMPP Service Operators

moparisthebest 04:48:37.068351
unauthenticated RCE in nginx, upgrade immediately https://depthfirst.com/nginx-rift
😭 1
icebound.dev 12:04:26.035757
> unauthenticated RCE in nginx, upgrade immediately https://depthfirst.com/nginx-rift was this also found by anthropics new toy? ↺
icebound.dev 12:09:04.236080
Debian doesn't appear to have pushed a DSA for this yet...
icebound.dev 12:09:51.476547
https://app.opencve.io/cve/CVE-2026-42945 checking the CVE info, anything below 1.31.0 is vulnerable, Arch Linux updated the package, but Debian is still sitting at 1.26.3
Sunglocto (sunglocto.net) 12:13:01.757364
icebound.dev: https://archlinux.org/packages/extra/x86_64/nginx/ shows nginx at 1.30.1-1
Sunglocto (sunglocto.net) 12:13:24.103729
hmm actually that package seems to have been updated yesterday
icebound.dev 12:16:01.103353
Sunglocto (sunglocto.net), oh I must have misread the version... okay then Arch is vulnerable too :p
icebound.dev 12:16:20.379369
all the right numbers are in the string, just not in the right order >:)
icebound.dev 12:16:36.295095
good thing OpenBSD httpd isn't affected, like usual :p
moparisthebest 13:07:33.112513
nope arch is all good (I upgraded before I posted) that's the fixed version
icebound.dev 14:26:35.394973
moparisthebest, yeah sorry I missed the constaint < 1.30.1
icebound.dev 14:26:40.700992
1.31.0 is also good
icebound.dev 14:26:53.423787
iirc 1.31.0 is nginx-mainline and 1.30.1 is nginx
icebound.dev 14:27:01.286824
hence the confusion, apologies
AZERTY keyboard [admin@copper9.host.planetofnix.com] 17:14:56.354118
> good thing OpenBSD httpd isn't affected, like usual :p hell ye ↺