List: oss-security
Subject: Re: [oss-security] [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails
From: Solar Designer <solar () openwall ! com>
Date: 2013-12-22 10:34:07
Message-ID: 20131222103407.GA11061 () openwall ! com
Hi all,
On Sun, Dec 22, 2013 at 01:29:58AM -0800, nick@firedev.com wrote:
> I am trying to upgrade but the suggested error handler doesn't work.
...
Are these followup postings still on topic for oss-security, or should
this possibly be discussed elsewhere and, if necessary and when ready,
summarized for/on oss-security as well (e.g., in the form of a revised
security advisory)? I am not sure, and as a co-moderator I am wondering
if/when we should start rejecting messages in this thread that are CC'ed
to oss-security by non-subscribers. I'd appreciate advice.
This is actually part of a more generic issue: whenever an upstream
project posts a security advisory CC'ed to that project's list(s) and to
oss-security, we often end up getting followup postings by users of the
project's software who are not into security and thus comment on
non-security aspects. This is sometimes fine and maybe even desirable,
but sometimes it gets too far off topic for oss-security, and it's often
difficult for moderators to decide when to start rejecting. A better
approach may be for upstream projects to be sending such announcements
to their lists and to oss-security separately, not by CC'ing.
(I actually asked OpenStack to start doing that a while ago, and I guess
they're doing it that way now.)
Alexander