- cross-posted to:
- [email protected]
- [email protected]
- cross-posted to:
- [email protected]
- [email protected]
Update your nginx instances
cross-posted from: https://lemmy.world/post/46851448
- Affected an non-affected versions https://nginx.org/en/security_advisories.html
- CVE record https://www.cve.org/CVERecord?id=CVE-2026-42945
- CVE details https://nvd.nist.gov/vuln/detail/CVE-2026-42945
- PoC https://github.com/DepthFirstDisclosures/Nginx-Rift
CVE - Common Vulnerabilities and Exposures system
RCE - Remote Code Execution
PoC - Proof of Concept
It’s days like this where I’m happy I’m unemployed. I have a group chat with a few friends and they’re pushing out patches and it’s a bit of a rush.
All my publicly accessible servers update every 6 hours and reboot after whenever they need to. It’s rare I need to step in and fix something. I checked a few hours ago and I’m not at risk.
Your friends should do a PoC before they rush to fix random bugs that ostensibly have a high severity.
You should tell that on your group chat. Motruck says you need to slow down and stop jumping at high severity but low exploitabile trash.
not the flex you think it is.
didn’t npm have a worm problem a few days ago?
Yep. I wasn’t affected thankfully. Didn’t realise I was flexing, sorry. Just happy most of my stack is automated and it’s quite low maintenance at this point.
Where do I draw the line then? Serious question. If updating every couple hours is bad, then what’s safe?
idk, also it is not about the frequency you update, it is usually about how long has it been since package is published to the internet
see concept of min release age https://pnpm.io/blog/releases/10.16
i wonder if other package manager have similar thing or not
for corporate services we do every 30 days. which is standard. emergency patches get direct support and resolved quickly.