Tobias Frost <t...@frost.de> writes:

> Never had a CVE myself, but I think this is the way to go:
> technically you don't need a debian bug, you could just write (random
> example here [1])
>
> maradns (version-1) unstable; urgency=high
>
>  * new upstream release
>     - fixes CVE-xxxx-xxxx, CVE-xxxx-xxxx ...
>
> but I would file one "cover" bug, something like "Several security bugs",
> listing all CVEs in the bug's text, and just add a Closes: # to the new
> upstream release line.

I think you were also saying this, but just to be very clear: please also
include the CVE numbers directly in debian/changelog in the entry for
whatever release they were fixed in, not just in the bug text.  The
security team's tracking of open security vulnerabilities relies on being
able to analyze the debian/changelog file to determine when CVEs were
closed in the Debian packaging.

> For the CVEs already fixed by an older version than 1.4.12, it is
> allowed to modify the old changelog entries, when the fix was actually
> added.

Yup.

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>
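The changelog analysis Russ describes, as an added Python example (not code from this thread or from the Debian security tracker): it scans a constructed debian/changelog, with a placeholder package name and placeholder CVE ids, and reports the oldest entry that mentions each CVE, which is why the ids have to be in the entry itself and not only in the bug report.

```python
import re

# Constructed sample debian/changelog (placeholder package and CVE ids,
# newest entry first as the format requires); not a real package's history.
SAMPLE_CHANGELOG = """\
examplepkg (1.4.12-1) unstable; urgency=high

  * New upstream release.
    - fixes CVE-2000-0001, CVE-2000-0002 (Closes: #900001)

 -- Example Maintainer <maint@example.org>  Mon, 02 Jan 2012 10:00:00 +0000

examplepkg (1.4.10-1) unstable; urgency=low

  * New upstream release.
    - fixes CVE-2000-0001 (noted retroactively in the older entry)

 -- Example Maintainer <maint@example.org>  Mon, 05 Dec 2011 10:00:00 +0000

examplepkg (1.4.9-1) unstable; urgency=low

  * Initial packaging.

 -- Example Maintainer <maint@example.org>  Tue, 01 Nov 2011 10:00:00 +0000
"""

# Entry header: "package (version) distribution(s); urgency=level"
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+); urgency=(\S+)")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_changelog(text):
    """Return [(version, [cve ids mentioned in that entry])] in file order (newest first)."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append((m.group(2), []))
        elif entries and line.startswith(" "):  # indented body line of the current entry
            for cve in CVE_RE.findall(line):
                if cve not in entries[-1][1]:
                    entries[-1][1].append(cve)
    return entries


def cve_fixed_in(text):
    """Map each CVE id to the oldest version whose changelog entry mentions it."""
    fixed = {}
    for version, cves in parse_changelog(text):  # newest first, so the last write is the oldest entry
        for cve in cves:
            fixed[cve] = version
    return fixed
```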

