Guido Günther wrote:

> > or at least amend LTS-policies to always file a bug if one fixes a bug
> > in LTS which is still open in sid.
>
> I think the latter part is already LTS policy since at latest
> Debconf 16. It's up to us to handle things like that.

Let's make this more concrete. Do we have a template? If not, how about:

  To: sub...@bugs.debian.org
  Subject: ${SOURCE}: CVE-2016-1234: ${CVE_DESCRIPTION}

  Source: ${SOURCE}
  Version: ${VERSION}
  Severity: serious
  Tags: security
  X-Debbugs-Cc: debian-lts@lists.debian.org

  Hi,

  The following vulnerabilities have been published for ${SOURCE}:

  https://security-tracker.debian.org/tracker/CVE-2016-1234
  ${CVE_DESCRIPTION}

  If you fix the vulnerability please also make sure to include the CVE
  (Common Vulnerabilities & Exposures) id in your changelog entry.

  Please adjust the affected versions in the BTS as needed.

Open questions for me are:

 a) What version do we submit with? Wheezy's? Or unstable's, and then
    follow-up with "found"?

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-