Date: Fri, 16 Jun 2017 08:20:40 +1000
From: Brian May <brian@...uxpenguins.xyz>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Re: MySQL - use-after-free after mysql_stmt_close()

Kurt Seifried <kseifried@...hat.com> writes:

> Should we assign CVEs for code examples/documentation? E.g. We assign CVEs
> for code shipped to people in digital form. Why not assign CVEs for code in
> documentation or commonly used examples? We can go with the rationale that
> CVEs get assigned to the affected code bases (e.g. when someone implements
> that documentation/code), but it might also be good to educate the
> community about bad examples/documentation/etc.

For a prior example, in this case of documentation suggesting insecure
configuration, see:

http://www.openwall.com/lists/oss-security/2015/03/28/7

I note that the documentation still has the bad example listed, with no
indication that this is bad.

http://www.openldap.org/doc/admin24/guide.html#Access Control Examples
-- 
Brian May <brian@...uxpenguins.xyz>
https://linuxpenguins.xyz/brian/
