Update RUSTSEC-0000-0000.md

Author: mmastrac

crates/openssl-probe/RUSTSEC-0000-0000.md

@@ -33,7 +33,21 @@ added, or a variable's contents being enlarged.
 This is shown to occur on Linux, but it will also likely occur on any other platform where `getenv`
 and `setenv` are not thread-safe, though trigger conditions may vary widely.
 
+## Affected Code
+
 The affected function is `try_init_ssl_cert_env_vars` in 
-<https://github.com/alexcrichton/openssl-probe/blob/db67c9e5b333b1b4164467b17f5d99207fad004c/src/lib.rs#L65>.
+<https://github.com/alexcrichton/openssl-probe/blob/db67c9e5b333b1b4164467b17f5d99207fad004c/src/lib.rs#L65>, and
+any other library's function which may call this function directly or indirectly
+<https://github.com/search?q=try_init_ssl_cert_env_vars&type=code>.  `native_tls <= 0.2.12` may
+do so in certain configurations <https://github.com/sfackler/rust-native-tls/blob/2424bc5efd1b8b4bcf60dbda93259a3f29db7f06/Cargo.toml>.
 
 The crate's author released a fix in versions `>=0.1.6` which marks these functions as `unsafe` and `#[deprecated]`.
+
+## Alternative Mitigations
+
+In the case of glibc users, some thread-safety improvements may protect you from `setenv`/`getenv` clashes
+which were introduced in <https://github.com/bminor/glibc/commit/7a61e7f557a97ab597d6fca5e2d1f13f65685c61>,
+however direct `environ` access in multithreaded programs will still risk dangling pointer access.
+
+Users of other `libc` implementations should consult their sourcecode listings for thread-safety guarantees
+around multithreaded environment read/write access, though readers should be prepared to be disappointed.