Upgrade brotli to 1.0.9: integer overflow flaw #53

@jhiswin

Description

https://github.com/google/brotli#security-note

Version 1.0.9 contains a fix for the "integer overflow" problem.

IIS.Compression is currently using 1.0.7 (like a lot of other vulnerable projects).
Integer overflow should be an emergency critical update.

Someone should probably do a PSA, because it looks like an endemic problem. Many projects appear to be copying the same 1.0.7 patches even though it has a known integer overflow, and who knows if someone will pull off a 0-day hat trick and release a worm.
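As an added example, not code from the issue or from the IIS.Compression project: a POSIX shell scan that locates vendored copies of brotli in a source tree by their `c/common/version.h` and flags any below 1.0.9. It assumes the literal `#define BROTLI_VERSION 0x1000007` form used by the 1.0.x releases, packed as `(MAJOR << 24) | (MINOR << 12) | PATCH`; the demo tree at the bottom is constructed, not a real project.

```shell
#!/bin/sh
# Added example, not code from the issue or from IIS.Compression.
# Finds vendored brotli copies by their c/common/version.h and flags any
# older than 1.0.9. Assumes the 1.0.x convention of a literal
#   #define BROTLI_VERSION 0x1000007   /* (MAJOR << 24) | (MINOR << 12) | PATCH */

MIN_BROTLI=$((0x1000009))   # 1.0.9, the first release carrying the overflow fix

# Decode a packed BROTLI_VERSION value into dotted form: 0x1000007 -> 1.0.7
brotli_version_string() {
    v=$(($1))
    echo "$(( v >> 24 )).$(( (v >> 12) & 0xFFF )).$(( v & 0xFFF ))"
}

# Print "path<TAB>version<TAB>STATUS" for every version.h under $1 that
# defines BROTLI_VERSION as a hex literal; STATUS is ok or VULNERABLE.
scan_brotli_tree() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -name version.h -print 2>/dev/null | while IFS= read -r f; do
        hex=$(sed -n 's/^#define[[:space:]]*BROTLI_VERSION[[:space:]]*\(0x[0-9A-Fa-f]*\).*/\1/p' "$f")
        [ -n "$hex" ] || continue              # some other project's version.h
        if [ "$((hex))" -lt "$MIN_BROTLI" ]; then status=VULNERABLE; else status=ok; fi
        printf '%s\t%s\t%s\n' "$f" "$(brotli_version_string "$hex")" "$status"
    done
}

# Succeeds (exit 0) only when $1 exists and no vendored copy under it is below 1.0.9.
check_brotli_tree() {
    [ -d "$1" ] || return 2
    ! scan_brotli_tree "$1" | grep -q 'VULNERABLE$'
}

# Constructed demo tree (not a real project): one stale copy and one fixed copy.
demo=$(mktemp -d)
mkdir -p "$demo/vendor/brotli-old/c/common" "$demo/vendor/brotli-new/c/common"
printf '#define BROTLI_VERSION 0x1000007\n' > "$demo/vendor/brotli-old/c/common/version.h"
printf '#define BROTLI_VERSION 0x1000009\n' > "$demo/vendor/brotli-new/c/common/version.h"
scan_brotli_tree "$demo"
if check_brotli_tree "$demo"; then echo "all brotli copies are 1.0.9 or later"; else echo "stale brotli found"; fi
rm -rf "$demo"
```

Run it against a checkout root (`check_brotli_tree path/to/repo`) to fail a CI step while a 1.0.7 copy is still vendored.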
