On 22 Dec 2015, at 7:02am, Saurav Sarkar <saurav.sarkar1 at gmail.com> wrote:
> But the queries will always be parametrized ones.

Exploits 1 and 2 are controlled by things which can't be parameterised. I'm not 100% sure about the format string of a printf, but I can't think of a way to parameterise it. So you would seem to be safe from those exploits. I expect Richard to soon announce that the underlying problems have been fixed, anyway.

Simon.
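The distinction Simon draws (bound parameters are treated as values, never as SQL text) can be shown directly against SQLite. The following is an added example, not code from this thread or from the SQLite project; it uses Python's standard-library sqlite3 module, an in-memory table and a constructed injection payload to compare a query built by string formatting with the same query using a bound parameter:

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
SAMPLE_ROWS = [("alice", "secret-a"), ("bob", "secret-b")]

# Classic tautology payload; quotes close the literal in a concatenated query.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, secret TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable form: the caller-supplied name is spliced into the SQL text,
    so any quote characters it contains are parsed as SQL."""
    sql = "SELECT secret FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, name):
    """Safe form: the name is bound with '?', so SQLite sees it as a single
    string value and never re-parses it as SQL, whatever it contains."""
    sql = "SELECT secret FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups with a legitimate name and with the payload."""
    conn = make_db()
    results = {
        "concat_legit": lookup_concatenated(conn, "alice"),
        "param_legit": lookup_parameterised(conn, "alice"),
        "concat_payload": lookup_concatenated(conn, PAYLOAD),
        "param_payload": lookup_parameterised(conn, PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15s} -> {rows}")
```

With the payload, the concatenated query collapses to `WHERE name = '' OR '1'='1'` and returns every secret; the parameterised query looks for a user literally named `' OR '1'='1` and returns nothing. The binding protects only what is bound: anything that must be a fixed part of the statement text (identifiers, or the format string handed to a printf-style function) is outside what the `?` mechanism covers, which is the gap the reply above is pointing at.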