Hi Mark,

> On Wed, Dec 07, 2016 at 12:31:43PM +0100, Salvatore Bonaccorso wrote:
> > On Wed, Dec 07, 2016 at 10:24:05AM +0000, Debian Bug Tracking System wrote:
> > >    * Apply upstream fix for CVE-2016-9841 (closes: #847270).
> 
> > It looks that there was some confusion about the CVE used? I see the
> > patch applied in this upload is the change for CVE-2016-9840, not the
> > one for CVE-2016-9841?
> 
> That's because you filed three different bug reports about CVEs all with
> just boilerplate and no directly readable content about them, mainly a
> series of links.  Two of these linked to one CVE but this one linked to
> two.  Please be consistent when filing bug reports like this - either
> file one report per CVE or file everything in a single report but don't
> mix the two models.

Thanks for your feedback and in particular fixing the issues quickly.

Will do next time probably four reports. But: It was not just
boilerplate. If you look at all three reports I collected the upstream
commits relative to the CVE, and as well linked to the
security-tracker which leads you to the CVE assignments and more
information including cross-reference to other distributions (mainly
SuSE has up to date bug reports at the time of this writing).

Furthermore there were three bug reports, divided in the classes of
vulnerabilities.

What though surely can be criticized, and where you are definitively
right that both #847274 and #847275 should have included the CVE
description ("No description was found (try on a search engine)" is
definitively not bug reporting friendly!). So a better report might have
looked to say:

CVE-2016-9840 + CVE-2016-9841: out-of-bounds pointer
CVE-2016-9842: Undefined left shift of negative number
CVE-2016-9843: Big-endian out-of-bounds pointer

The above is the reason I decided to do three reports this time
instead of four for every individual CVE, as the common affected
base version was for both CVE-2016-9840 and CVE-2016-9841
1:1.2.8.dfsg-2.

Hope this clarifies and thanks,
Regards,
Salvatore
