On Sun, Jun 26, 2005 at 05:22:27PM +0200, Filippo Giunchedi wrote: > [sorry for crossposting, but this is relevant to both ML, please cc] > > Hi, > while searching bugtraq for not-yet-fixed security bugs, I found out that there > is no reliable way (apart from testing yourself) if a package has been patched > for a specific security advisory. Yes there is, for stable, through the cross-references published at the web site: www.debian.org/security/crossreferences. > It would be fine to include as best practice for maintainers fixing security > bugs to include something (Fixes: <CAN-ID-or-something>) in the changelog so it > is easy to track such changes. The security team has been asking maintainers to do so when uploading to sid for quite some time. And that info is used by the testing security team to keep track of CVEs not fixed in testing but fixed in sid. Regards Javier
Attachment:
signature.asc
Description: Digital signature