Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 15 Jun 2017 14:37:40 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: MySQL - use-after-free after
 mysql_stmt_close()

On Thu, Jun 15, 2017 at 11:29:26AM -0600, kseifried@...hat.com wrote:
> Well part of it would be the current test case of "does anyone care",
> e.g. do people actually use this/care enough to do the work to assign a
> CVE, if someone wants to spend their time being the CNA for
> stackoverflow and put out good CVEs I'm fine with that.

For stackoverflow and other sites in the stack exchange network I think
your time would be better spent downvoting answers and adding a comment
along the lines of:

    -1: This answer uses [foo which is insecure](link) and should use
    [bar which is safe](link) instead to protect against [attack
    name](link).

That way it will be visible in the same spot as the incorrect answer,
let the person who answered the question know they made a mistake, let the
person who asked the question know there was a mistake, and provide a
notice to the future about both what's wrong and what's better.

If it gets hidden because there's already too many comments, then get a
pal to upvote your comment to make it more likely to be visible by
default.

Upvote any answers without security problems. If there's no correct
answers, then provide a correct answer at the same time for extra credit.

Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.