Bruce Momjian wrote:
If someone wants to create a separate web page to track fixes related to CVE number, that is fine. My guess is that most people reading the release notes don't care about the CVE numbers themselves (just that each release has all known security bugs fixed), and most bugs that are fixed don't have CVE numbers at commit time.
I think its quite reasonable for the one line description of a postgres bug to reference "CVE-2005-0247 multiple buffer overflows..." or whatever, I guess it kind of depends on which came first... if the CVE security item came first, and was entered into the PGSQL bug tracker, then this makes a LOT of sense. if the CVE folks create their entry AFTER the bug has been entered into PGSQL, it makes less sense.
---------------------------(end of broadcast)--------------------------- TIP 1: if posting/reading through Usenet, please send an appropriate subscribe-nomail command to [EMAIL PROTECTED] so that your message can get through to the mailing list cleanly