Date: Thu, 15 Jun 2017 14:37:40 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: MySQL - use-after-free after mysql_stmt_close()

On Thu, Jun 15, 2017 at 11:29:26AM -0600, kseifried@...hat.com wrote:
> Well part of it would be the current test case of "does anyone care",
> e.g. do people actually use this/care enough to do the work to assign a
> CVE, if someone wants to spend their time being the CNA for
> stackoverflow and put out good CVEs I'm fine with that.

For stackoverflow and other sites in the stack exchange network I think
your time would be better spent downvoting answers and adding a comment
along the lines of:

    -1: This answer uses [foo which is insecure](link) and should use
    [bar which is safe](link) instead to protect against [attack
    name](link).

That way it will be visible in the same spot as the incorrect answer,
let the person who answered the question know they made a mistake, let the
person who asked the question know there was a mistake, and provide a
notice to the future about both what's wrong and what's better.

If it gets hidden because there are already too many comments, then get a
pal to upvote your comment to make it more likely to be visible by
default.

Upvote any answers without security problems. If there are no correct
answers, then provide a correct answer at the same time for extra credit.

Thanks
