On Tue, Feb 18, 2014 at 01:29:06 -0800, Russ Allbery wrote:
> Tobias Frost <t...@frost.de> writes:
>
> > Never had a CVE myself, but I think this is the way to go:
> > technically you don't need a debian bug, you could just write (random
> > example here [1])
>
> > maradns (version-1) unstable; urgency=high
>
> >   * new upstream release
> >     - fixes CVE-xxxx-xxxx, CVE-xxxx-xxxx ...
>
> > but I would file one "cover" bug, something like "Several security bugs",
> > listing all CVEs in the bug's text and just add a Closes: # to the new
> > upstream release line.
>
> I think you were also saying this, but just to be very clear: please also
> include the CVE numbers directly in debian/changelog in the entry for
> whatever release they were fixed in, not just in the bug text. The
> security team's tracking of open security vulnerabilities relies on being
> able to analyze the debian/changelog file to determine when CVEs were
> closed in the Debian packaging.

Do I need to take experimental into consideration, i.e. modify the changelog for experimental releases?

> > For the CVEs already fixed by an older version than 1.4.12, it is
> > allowed to modify the old changelog entries, when the fix was actually
> > added.
>
> Yup.
I am currently working on a package, testing it etc. I will upload to mentors for a review tomorrow.

-- 
Regards,
Dariusz Dwornikowski, Assistant
Institute of Computing Science, Poznań University of Technology
www.cs.put.poznan.pl/ddwornikowski/
room 2.7.2 BTiCW | tel. +48 61 665 29 41

Archive: http://lists.debian.org/20140218215249.ga32...@blackstar.cs.put.poznan.pl
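Russ's point is that the security team's tracking is driven by parsing debian/changelog, so a CVE that only appears in the bug text is invisible to it, while an ID added to an older entry after the fact is picked up for that older version. The following is an added illustration of that kind of parsing, written for this page; it is not the thread's code nor the Debian security tracker's own implementation, and it deliberately skips full Debian version comparison by relying on the newest-first order of changelog entries. The package name "foo", the versions, the maintainer, the bug number and the CVE IDs in the sample changelog are all constructed placeholders and refer to no real advisory.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample debian/changelog. Package name, versions, maintainer,
# bug number and CVE IDs are placeholders invented for this example; the
# CVE IDs are synthetic and do not refer to real advisories.
SAMPLE_CHANGELOG = """\
foo (1.4.12-1) unstable; urgency=high

  * New upstream release (Closes: #123456)
    - fixes CVE-2014-99903

 -- Jane Maintainer <jane@example.org>  Tue, 18 Feb 2014 22:52:49 +0100

foo (1.4.11-1) unstable; urgency=medium

  * New upstream release
    - fixes CVE-2014-99901, CVE-2014-99902

 -- Jane Maintainer <jane@example.org>  Mon, 03 Feb 2014 10:00:00 +0100

foo (1.4.10-1) unstable; urgency=low

  * Initial release

 -- Jane Maintainer <jane@example.org>  Wed, 01 Jan 2014 12:00:00 +0100
"""

# Entry header: "<source> (<version>) <distribution>; urgency=<urgency>"
HEADER_RE = re.compile(
    r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=(?P<urgency>\S+)"
)
# Entry trailer: " -- Name <email>  date" (one leading space, two before the date)
TRAILER_RE = re.compile(r"^ -- .+  .+$")
# CVE identifiers as they appear in changelog text
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# Simplified "Closes: #NNN" / "Closes: NNN" matcher (the real dpkg/BTS
# grammar also accepts comma-separated lists and "bug" prefixes)
CLOSES_RE = re.compile(r"\bCloses:\s*#?(\d+)", re.IGNORECASE)


@dataclass
class Entry:
    version: str
    distribution: str
    urgency: str
    cves: set[str] = field(default_factory=set)
    closes: set[int] = field(default_factory=set)


def parse_changelog(text: str) -> list[Entry]:
    """Split a debian/changelog into entries, collecting CVE IDs and bug closures per version."""
    entries: list[Entry] = []
    current: Entry | None = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Entry(m["version"], m["dist"], m["urgency"])
            entries.append(current)
            continue
        if current is None:
            continue  # text outside any entry (blank lines between entries)
        if TRAILER_RE.match(line):
            current = None
            continue
        current.cves.update(CVE_RE.findall(line))
        current.closes.update(int(n) for n in CLOSES_RE.findall(line))
    return entries


def first_fixed_in(entries: list[Entry], cve: str) -> str | None:
    """Return the oldest version whose entry names `cve`, or None if no entry does.

    debian/changelog is ordered newest-first, so the last matching entry is
    the earliest fix. A CVE that lives only in a bug report's text, not in
    the changelog, comes back as None: exactly the gap Russ warns about.
    """
    for entry in reversed(entries):
        if cve in entry.cves:
            return entry.version
    return None


def fixed_cves(entries: list[Entry]) -> dict[str, str]:
    """Map every CVE ID mentioned in the changelog to the version that first fixed it."""
    return {cve: first_fixed_in(entries, cve) for e in entries for cve in e.cves}


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    for cve, version in sorted(fixed_cves(parsed).items()):
        print(f"{cve} first fixed in {version}")
```

In the sample, the two IDs recorded in the 1.4.11-1 entry are reported as fixed there even though they sit below the newest entry, which is the effect of amending an older changelog entry as the thread discusses; an ID that was only ever written into the cover bug's text yields None from first_fixed_in.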