A closer look at recent HTTP/2 vulnerabilities affecting Kubernetes and others

63 points by rwestergren over 5 years ago

2 comments

deathanatos over 5 years ago
CVE writers make me cry sometimes. The original advisory is incredibly light on details, like, what software actually has the bug. The CVEs themselves also fail to adequately describe *what* is vulnerable. E.g., CVE-2019-9516 “0-Length Headers Leak”, the CVE implicates "Ubuntu". Ubuntu (probably) can't be vulnerable to this CVE, some piece of software *on* Ubuntu must be; and indeed clicking through to the USN shows that it's nginx. But then, why only single out Ubuntu, Debian and Fedora? Surely the others are equally vulnerable?

It was the same way w/ the recent VLC vuln. where the researcher just kinda dumped an ASan output into a bug tracker and "I has a working exploit" and *no additional details*.
delta1 over 5 years ago
Off topic: is it common to hot-link images away from your own site to (in this case) imgur.com?

On a corporate network it means I can read the post, but not see the blocked images.

Is it just for the author to save bandwidth on - what appears to be - a wordpress site?