A closer look at recent HTTP/2 vulnerabilities affecting Kubernetes and others (randywestergren.com)
63 points by rwestergren on Sept 3, 2019 | hide | past | favorite | 6 comments



CVE writers make me cry sometimes. The original advisory is incredibly light on details, like, what software actually has the bug. The CVEs themselves also fail to adequately describe what is vulnerable. E.g., CVE-2019-9516 “0-Length Headers Leak”, the CVE implicates "Ubuntu". Ubuntu (probably) can't be vulnerable to this CVE, some piece of software on Ubuntu must be; and indeed clicking through to the USN shows that it's nginx. But then, why only single out Ubuntu, Debian and Fedora? Surely the others are equally vulnerable?

It was the same way w/ the recent VLC vuln. where the researcher just kinda dumped an ASan output into a bug tracker and "I has a working exploit" and no additional details.


They might just want to get it out the door asap, so that mitigation efforts could start sooner.


Off topic: is it common to hot-link images away from your own site to (in this case) imgur.com ?

On a corporate network it means I can read the post, but not see the blocked images.

Is it just for the author to save bandwidth on - what appears to be - a wordpress site?


I've seen it done, but you're not supposed to.

From Imgur's TOS[1]: "...Also, don't use Imgur to host image libraries you link to from elsewhere, content for your website, advertising, avatars, or anything else that turns us into your content delivery network."

[1] https://imgur.com/tos


Good point, along with the blocking on many corporate networks. Fixed!


Imgur.com is free to host images and hot-link embed them anywhere.

So yeah, I guess it's to save bandwidth.



