MZMegaZone
No user record in our sample, but MZMegaZone has activity below (stories or comments). Likely we have partial data — the full bulk-load will fill profiles in.
No user record in our sample, but MZMegaZone has activity below (stories or comments). Likely we have partial data — the full bulk-load will fill profiles in.
We got around 150 submissions for 30ish panel slots over three days, so we're good there. Schedule should be out soon. The CVE program has grown and changed a lot the past few years, and the rules are undergoing a major…
Oh, I'll cash their check. I'll tell them, in professional terms, why they should change their policy, but I'll still cash the check.
License and passport have no first name and MegaZone for a last name. My SSN Card has 'Mr MegaZone' - when I changed it, back in 2000, the SSA said their computers just could not handle a blank first name. They wanted…
Short answer: Badly. Long answer: Most DBs key on lastname, so MegaZone is my last name, officially, and I have no first name. Then I leave the first name blank if it'll let me, but more often I need to put something in…
That's just a braindead policy. Really, really dumb. Not at all good security, just checking boxes.
https://www.nginx.com/blog/quic-http3-support-openssl-nginx/ I know there are other mentions - it's been in the commercial product since R30, hence the CVE.
OK - I need to make very clear that I'm speaking for myself and NOT F5, OK? OK. Ask yourself why this matters? What is the big deal about having a CVE assigned? A CVE is just a unique identifier for a vulnerability so…
Exactly - this very question came up. And pretty much everyone looked at me as I'm the one who sits on every CVE.org working group (BTW, the CVE rules are currently being revised and in comment period for said revision)…
That's a whole different discussion - which isn't as dramatic as it is being made out to be. Other hats I wear (outside of my day job) include being on every (literally, every) CVE.org Working Group and being the newly…
Those were great times. I learned a hell of a lot working at Livingston, because we had to. We were basically a startup selling to ISPs right as the Internet exploded and we grew like crazy. Suddenly we're doing ISDN…
You're all also missing the fact that the vuln is also in the NGINX+ commercial product, not just OSS. Which has a different release model. Being the same code it'd be darn strange to have the CVE for one and not the…
That's actually supported by the CVE program rules. Have at it if you find examples with security vulns.
We know a number of customers/users have the code in production, experimental or not. And that was part of decision process. The security advisories we published do state the feature is experimental. When in doubt, err…
Internally at F5 (where I work as a Principal Security Engineer in the F5 SIRT and was one of the people responsible for making the call on assigning the CVEs).
Yes, those are the two CVEs I was referring to. All I know is he objected to our decision to assign CVEs, was not happy that we did, and the timing does not appear coincidental.
Yeah, I've been with F5 since 2010 - gotta love those old PortMasters though, Livingston was good times, until Lucent took over. I was there 95-98. I don't know what else there is to say really. The QUIC/HTTP/3 vuln was…
No, a MegaZone. Haven't you heard, we come in six packs now. ;-) Yeah, very, very likely one and the same. Since 1989.
I think you'd have to ask Maxim. My take is he felt experimental features should not get CVEs, which isn't how the program works. But that's just my take - I'm the primary representative for F5 to the CVE program and on…
Yep. Maxim did not want CVEs assigned.
We (F5) published two CVEs today against NGINX+ & NGINX OSS. Maxim was against us assigning CVEs to these issues. F5 is a CNA and follows CVE program rules and guidelines, and we will err on the side of security and…