Date: Thu, 15 Jun 2017 14:37:40 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: MySQL - use-after-free after mysql_stmt_close()

On Thu, Jun 15, 2017 at 11:29:26AM -0600, kseifried@...hat.com wrote:
> Well part of it would be the current test case of "does anyone care",
> e.g. do people actually use this/care enough to do the work to assign a
> CVE, if someone wants to spend their time being the CNA for
> stackoverflow and put out good CVEs I'm fine with that.

For stackoverflow and other sites in the stack exchange network I think
your time would be better spent downvoting answers and adding a comment
along the lines of:

  -1: This answer uses [foo which is insecure](link) and should use
  [bar which is safe](link) instead to protect against
  [attack name](link).

That way it will be visible in the same spot as the incorrect answer, let
the person who answered the question know they made a mistake, let the
person who asked the question know there was a mistake, and provide a
notice to the future about both what's wrong and what's better.

If it gets hidden because there's already too many comments, then get a
pal to upvote your comment to make it more likely to be visible by
default.

Upvote any answers without security problems.

If there's no correct answers, then provide a correct answer at the same
time for extra credit.

Thanks