It is not the worst Internet bug in the past 10 years.
It's among the most widespread Internet bugs, but:
* An identical bug impacted nginx a few years ago
* A far worse bug impacted Debian (when they commented out the randomness in their CSPRNG), which coughed up code execution on tens of thousands of machines; lots of companies that didn't officially deploy on Debian still had a Debian box somewhere vulnerable
* The Rails YAML bug was perniciously exposed in lots of places for months after the initial disclosure, and also coughed up code execution
Losing authenticators for "live" users and TLS private keys is bad, but it's not the kind of bad where you invariably need to nuke your servers from orbit and rebuild. Other widespread bugs were actually like that.
This bug is on 70% of systems and ANYONE can run a Python script and pull out plaintext PayPal or bank passwords. It is the worst Internet bug perhaps ever.
I don't know a single vulnerability researcher who agrees with that statement. But you also didn't marshal any evidence; you restated the first thing I said about the bug, and then effectively said "no, you're wrong".