Hi Brian,

Putting the Security team in the loop.

On Wed, Jun 29, 2016 at 08:56:40AM +0200, Salvatore Bonaccorso wrote:
> Hi Brian,
>
> On Wed, Jun 29, 2016 at 08:35:26AM +1000, Brian May wrote:
> > Salvatore Bonaccorso <car...@debian.org> writes:
> >
> > > Can you point me to the errors you found? Since I added I think most
> > > of those entries I would like to correct them if I wrongly committed.
> >
> > Sure. Hope I haven't made too many mistakes myself :-)
>
> Thanks, I will go double-check those today again.

So I went through the list again, and unfortunately I now know from where the errors came. The CVEs popped up on the external check; Red Hat had already triaged/filed the entries. When you look up the CVEs in Red Hat's bugzilla (from the other sources link) and compare with the upstream security advisories, they indeed match, and the upstream advisories reference the "wrong" commits.

Take as an example https://www.pidgin.im/news/security/?id=104

This is for CVE-2016-2371 / TALOS-CAN-0139. But it references 7b52ca213832, which then is wrong. Not good :-(.

But this shows:

1/ upstream advisories can contain mistakes as well;
2/ double-review by somebody else, additionally to the one checking/triaging some initial information for CVEs, is needed as well;
3/ any automatic commit from an external source should be taken with care :-)

Brian, thanks for your work!

Regards,
Salvatore