Hello Jakub,
On Tuesday 16 September 2014 23:50:56 Jakub Wilk wrote:
> Version: 2.3.0-1
>
> It looks like the bug was fixed upstream in 2.3.0:
Thanks for taking care of closing this. I received the notification from
github, but I will work on requests (I plan to update to 2.4.1) on the
weekend.
To acknowledge the fix of this security bug, I should put something in the
changelog anyway, right?
Something like this:
* Acknowledge fix for CVE-2014-1829 and CVE-2014-1830 in 2.3.0-1
(Closes: #733108)
Developer reference[¹] says: "When closing security bugs include CVE numbers
as well as the Closes: #nnnnn. This is useful for the security team to track
vulnerabilities. If an upload is made to fix the bug before the advisory ID is
known, it is encouraged to modify the historical changelog entry with the next
upload."
So using "Closes: #733108" although the bug is arleady closed seems ok to me,
is that right?
Many thanks!
Kind regards,
[¹] https://www.debian.org/doc/manuals/developers-reference/pkgs.html#newpackage
--
Daniele Tricoli 'Eriol'
http://mornie.org
_______________________________________________
Python-modules-team mailing list
Python-modules-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team
