Date: Fri, 16 Jun 2017 08:20:40 +1000
From: Brian May <brian@...uxpenguins.xyz>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Re: MySQL - use-after-free after mysql_stmt_close()

Kurt Seifried <kseifried@...hat.com> writes:

> Should we assign CVEs for code examples/documentation? E.g. We assign CVEs
> for code shipped to people in digital form. Why not assign CVEs for code in
> documentation or commonly used examples? We can go with the rationale that
> CVEs get assigned to the affected code bases (e.g. when someone implements
> that documentation/code), but it might also be good to educate the
> community about bad examples/documentation/etc.

For a prior example, in this case of documentation suggesting insecure
configuration, see:

http://www.openwall.com/lists/oss-security/2015/03/28/7

I note that the documentation still has the bad example listed, with no
indication that this is bad.

http://www.openldap.org/doc/admin24/guide.html#Access Control Examples
-- 
Brian May <brian@...uxpenguins.xyz>
https://linuxpenguins.xyz/brian/
