You can safely trust me on this. Also, if you're concerned, the patch is very straightforward, minimal, safe, and fairly unintrusive. It's not going to break anything.
Don't you think there should be a term for the phenomenon where someone makes it more or less clear that they have said all they're going to say about something on a message board, and still people come out of the woodwork to write comments cajoling them into saying more?
I'm not complaining. It doesn't happen to me that often. Way more often, it's someone complaining about some anonymous employer or service provider and 20 people writing comments about how it's irresponsible for them not to say who it was. But it's the same kind of annoying every time.
Maybe the term ought to be in German. German works great for concepts like this.
Why did I leave the comment? Because it's hard to patch server software and people will often wait on patches until maintenance windows (I advise you not to do that this time) or take some time to figure out if they're affected. Especially with Apache, where oftentimes you aren't affected because the bug is in some random module most people don't use.
> Don't you think there should be a term for the phenomenon where someone makes it more or less clear that they have said all they're going to say about something on a message board, and still people come out of the woodwork to write comments cajoling them into saying more?
Don't take this the wrong way, but I think it was the tone of the response.
I.e.
"What are the implications of this?"
"It's a bad bug, patch it ASAP"
"....."
It's the kind of non-response one would expect from a management type to a low level engineer. Somewhat odious to the average hacker, in other words.
(I could be COMPLETELY off the mark here, and if so, please disregard this entire message)
Given how much Thomas contributes to this community, it seems fair to give him the benefit of the doubt and assume he has good reasons to say no more than what he has said. Also, this comment alone probably counts for thousands of dollars worth of value to people running business on nginx. Thanks Thomas.
As to the average hacker, yes we want to know everything, but there are valid reasons not to be told everything. In this case, the information given is useful and sufficient, and the implications of what he said and how he said it are very clear indeed.
I think everyone has given him the benefit of the doubt, but this particular thread could have been much shorter if tptacek had just explicitly stated, "It's important and I won't help attackers by elaborating on the details." If that's not made clear then it's only natural for someone to ask for the specifics.
What if you had written that as the response to the second question? "I understand you are curious, but that is all I will say about it," would have made it clearer and been far less pompous than "no really, trust me."
The severity of the problem was pretty clearly and concisely conveyed: "This is a very bad bug, and you should fix it ASAP. Don't wait."
As for how many people it practically affects, that could well hurt. Saying anything more than "Applications are broadly vulnerable to this problem." like he did elsewhere in this thread could very well point out specific, detectable vulnerable instances. That's a bad thing. Just wait and more info will be out, but heed his advice!
RPMs for 1.0.14 are available in koji at those second two links, or you can grab it via "yum --enablerepo=updates-testing update nginx" once the mirrors all pick it up.
Just patch it.