Hi Mark,

> On Wed, Dec 07, 2016 at 12:31:43PM +0100, Salvatore Bonaccorso wrote:
> > On Wed, Dec 07, 2016 at 10:24:05AM +0000, Debian Bug Tracking System wrote:
> > > * Apply upstream fix for CVE-2016-9841 (closes: #847270).
> >
> > It looks like there was some confusion about the CVE used? I see the
> > patch applied in this upload is the change for CVE-2016-9840, not the
> > one for CVE-2016-9841?
>
> That's because you filed three different bug reports about CVEs all with
> just boilerplate and no directly readable content about them, mainly a
> series of links. Two of these linked to one CVE but this one linked to
> two. Please be consistent when filing bug reports like this - either
> file one report per CVE or file everything in a single report but don't
> mix the two models.
Thanks for your feedback and in particular for fixing the issues quickly.
Will do next time, probably four reports. But: it was not just
boilerplate. If you look at all three reports, I collected the upstream
commits relative to the CVE, and as well linked to the security-tracker,
which leads you to the CVE assignments and more information including
cross-references to other distributions (mainly SuSE has up-to-date bug
reports at the time of this writing). Furthermore there were three bug
reports, divided in the classes of vulnerabilities.

What though surely can be criticized, and where you are definitively
right, is that both #847274 and #847275 should have included the CVE
description ("No description was found (try on a search engine)" is
definitively not bug-reporting friendly!). So a better report might have
looked like this:

CVE-2016-9840 + CVE-2016-9841: out-of-bounds pointer
CVE-2016-9842: Undefined left shift of negative number
CVE-2016-9843: Big-endian out-of-bounds pointer

The above is the reason I decided to do three reports this time instead
of four, one for every individual CVE, as the common affected base
version for both CVE-2016-9840 and CVE-2016-9841 was 1:1.2.8.dfsg-2.

Hope this clarifies and thanks,

Regards,
Salvatore