On 02/17/20 06:49, tim.le...@insyde.com wrote:
> Liming --
>
> Thanks for the pointer.
>
> The reason I ask is that many users of open source projects such as EDKII
> scan the releases for CVE numbers in order to make sure that critical
> components get updated. This is due to the fact that CVEs often need to be
> reported to downstream users. The Bugzilla list is a little hidden, since
> these CVE fixes are not called out directly in the wiki page. It would be
> much easier if the BZ items that are related to security fixes are promoted
> directly to the wiki page, not just available through a BZ query.
* Any commit that fixes a CVE is supposed to carry the CVE ID in its
  subject, in the git history. So if you do

  $ git log --oneline --reverse edk2-stable201911..master | grep CVE

  that should give you the list. Right now, it gives me:

  - CVE-2019-14563
  - CVE-2019-14586
  - CVE-2019-14558

* For CVE patches pending review, the mailing list can be searched
  similarly. (E.g. "posted after a certain date, plus has both "CVE" and
  "PATCH" in subject".) The pending fixes seem to be for:

  - CVE-2019-14575
  - CVE-2019-14587
  - CVE-2019-14559

(Your question is precisely why I've always asked for CVE IDs in patch
subjects.)

Thanks
Laszlo

View/Reply Online (#54539): https://edk2.groups.io/g/devel/message/54539
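The commit-subject search described in the reply above, as an added shell example that is not part of the original thread. It goes one step beyond the bare `grep CVE`: it matches the CVE ID pattern itself and de-duplicates, so two commits that fix the same CVE are listed once and a commit that merely mentions "CVE" in its subject is not mistaken for a fix. The commit hashes and subjects in the sample are constructed placeholders; only the CVE IDs quoted in the message are real.

```shell
#!/bin/sh
# Added example, not code from the edk2 project or the original thread.
# In a real checkout the input would be:
#   git log --oneline --reverse edk2-stable201911..master
# A constructed sample of such output is embedded below so this runs offline.

# Constructed sample log lines. Hashes and subjects are placeholders; only the
# CVE IDs come from the mailing-list message.
SAMPLE_LOG='aaaaaaa SomePkg/SomeDriver: add bounds check (CVE-2019-14558)
bbbbbbb SomePkg/SomeDriver: follow-up hardening for CVE-2019-14558
ccccccc OtherPkg/OtherModule: validate input ranges (CVE-2019-14563)
ddddddd ThirdPkg: mention CVE process in Readme
eeeeeee FourthPkg/Module: fix CVE-2019-14586 handling'

# extract_cve_ids: read "git log --oneline" output on stdin and print each
# distinct CVE ID once, sorted, one per line. Matching the full ID pattern
# instead of the word "CVE" skips subjects that only mention CVEs in passing;
# sort -u collapses several commits for one CVE into a single entry.
extract_cve_ids() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# count_cve_ids: number of distinct CVE IDs in the input (for a quick
# "how many security fixes since the last stable tag" check).
count_cve_ids() {
    extract_cve_ids | wc -l | tr -d ' '
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | extract_cve_ids
```

Piping the real `git log` range into `extract_cve_ids` gives the same de-duplicated list for an actual checkout; the fourth sample line shows why the pattern match matters, since a plain `grep CVE` would have reported it as a fix.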