2019-03-20 12:08 GMT+01:00, Dominik 'Rathann' Mierzejewski <domi...@greysector.net>:
> On Wednesday, 20 March 2019 at 00:48, Carl Eugen Hoyos wrote:
>> 2019-03-19 23:28 GMT+01:00, Dominik 'Rathann' Mierzejewski
>> <domi...@greysector.net>:
>>
>> > Were the CVE IDs not known at the time these were pushed to master?
>>
>> No, how would this be possible?
>
> Easy: you can request the ID at https://cveform.mitre.org/ before
> pushing the commits.

(Assuming "you" are FFmpeg developers)
I don't remember an FFmpeg developer requesting a CVE ID.
Given the number of issues related to DoS or undefined behaviour
that are fixed each week, this would probably be a major task.

>> > Not having them in the commit log made it more difficult to find them.
>>
>> I thought the CVEs themselves contain the commits, no?
>
> They do, but looking at the commits only I wouldn't know there
> were CVE IDs associated with them, so the relation is one-way
> only. I would feel better if the commit log said a CVE ID was
> being fixed.

Unfortunately, this is not possible with the available man-power.

Carl Eugen