Bruce Momjian wrote:
If someone wants to create a separate web page to track fixes related to
CVE number, that is fine. My guess is that most people reading the
release notes don't care about the CVE numbers themselves (just that
each release has all known security bugs fixed), and most bugs that are
fixed don't have CVE numbers at commit time.
I think its quite reasonable for the one line description of a postgres
bug to reference "CVE-2005-0247 multiple buffer overflows..." or
whatever, I guess it kind of depends on which came first... if the CVE
security item came first, and was entered into the PGSQL bug tracker,
then this makes a LOT of sense. if the CVE folks create their entry
AFTER the bug has been entered into PGSQL, it makes less sense.
---------------------------(end of broadcast)---------------------------
TIP 1: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to [EMAIL PROTECTED] so that your
message can get through to the mailing list cleanly
