Bug details: https://bugzilla.redhat.com/show_bug.cgi?id=2243293
Information from BlockerBugs App:
Commented but haven't voted yet: bytehackr, pbrobinson
The votes have been last counted at 2023-10-12 18:14 UTC and the last processed comment was #comment-878435
To learn how to vote, see: https://pagure.io/fedora-qa/blocker-review
A quick example: BetaBlocker +1 (where the tracker name is one of BetaBlocker/FinalBlocker/BetaFE/FinalFE/0Day/PreviousRelease and the vote is one of +1/0/-1)
Based on initial information here:
FinalBlocker -1
This seems to be a server-side DoS issue. Our criterion says "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation)." The key part there is "cannot be satisfactorily resolved by a package update (e.g. issues during installation)" - I don't see how this issue meets that requirement, yet. You would not typically run an HTTP/2 server as part of installation or when running any kind of 'live' environment.
It goes against everything I know as a security professional, but I don’t think this is a release blocker. I’d be extremely surprised if someone is running an internet-facing web server from a live USB. That being said, I would support an FE for this.
Don't see why this can't be addressed with a post release update.
For the general services, having it available as a zero day IMO is fine, but Workstation uses httpd as part of gnome-user-share, so that would be running on a live image, so I believe having that explicit update (RHBZ 2243247) as a blocker would be useful.
So I would do FinalBlocker (httpd) +1 and -1 for all of the fixes overall.
Turns out httpd isn't affected. (Although it's still not super clear exactly what else is).
AGREED RejectedFinalBlocker
The following votes have been closed:
Metadata Update from @blockerbot: - Issue status updated to: Closed (was: Open)
Release F39 is no longer tracked by BlockerBugs, closing this ticket.