
Re: [RFC] Collecting changelog entries in projectb



On Fri, 26 Feb 2010 at 11:21:08 +0000, Philipp Kern wrote:
> Post-upload corrections?

I assume Charles refers to this practice: imagine I maintained hello, and
uploaded upstream release 6.6 without initially realising that it contained
a security fix:

    hello (6.6-1) unstable; urgency=low

     * New upstream release.

     -- Simon McVittie <smcv@debian.org>  Tue, April 1, 2038 09:00:00 +0000

Then in a later upload, I'd want to correct that:

    hello (6.6-2) unstable; urgency=medium

     * Add patch from upstream to fix build on knetbsd-mipsel and
       knetbsd-toaster (Closes: #666666)
     * Retroactively note CVE number for 6.6-1

     -- Simon McVittie <smcv@debian.org>  Wed, April 2, 2038 09:00:00 +0000

    hello (6.6-1) unstable; urgency=low

     * New upstream release.
       - Fixes a buffer overflow in excessively long greetings (CVE-2038-001)

     -- Simon McVittie <smcv@debian.org>  Tue, April 1, 2038 09:00:00 +0000

(I conjecture that by 2038, Debian will run on toasters, GNU hello will
be security-sensitive, and we'll still be fixing buffer overflows...)

    S
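
An added example, not part of the message above or of any Debian tool: a service that stored the 6.6-1 entry at upload time would never see the CVE note added in 6.6-2. This sketch compares the entries two uploads have in common and reports CVE ids that appeared later. The function names are hypothetical, and only the simple header and trailer layout shown in the message is parsed.

```python
import re

HEADER = re.compile(r"^(\S+) \(([^)]+)\) ")  # e.g. "hello (6.6-1) unstable; ..."
CVE = re.compile(r"CVE-\d{4}-\d+")  # loose on purpose: the message's made-up id has 3 digits

def entries(changelog):
    """Map each version to its body lines (header and ' -- ' trailer excluded)."""
    out, version = {}, None
    for line in changelog.splitlines():
        if m := HEADER.match(line):
            version = m.group(2)
            out[version] = []
        elif line.startswith(" -- "):
            version = None
        elif version and line.strip():
            out[version].append(line.strip())
    return out

def retroactive_changes(old_changelog, new_changelog):
    """Versions in both changelogs whose entry text differs -> CVE ids gained."""
    old, new = entries(old_changelog), entries(new_changelog)
    report = {}
    for version in sorted(old.keys() & new.keys()):
        if old[version] != new[version]:
            before = set(CVE.findall(" ".join(old[version])))
            after = set(CVE.findall(" ".join(new[version])))
            report[version] = sorted(after - before)
    return report

# Constructed input: the changelogs from the message above, dedented.
UPLOAD_1 = """\
hello (6.6-1) unstable; urgency=low

 * New upstream release.

 -- Simon McVittie <smcv@debian.org>  Tue, April 1, 2038 09:00:00 +0000
"""
UPLOAD_2 = """\
hello (6.6-2) unstable; urgency=medium

 * Add patch from upstream to fix build on knetbsd-mipsel and
   knetbsd-toaster (Closes: #666666)
 * Retroactively note CVE number for 6.6-1

 -- Simon McVittie <smcv@debian.org>  Wed, April 2, 2038 09:00:00 +0000

""" + UPLOAD_1.replace("release.\n", "release.\n   - Fixes a buffer overflow "
                       "in excessively long greetings (CVE-2038-001)\n")

print(retroactive_changes(UPLOAD_1, UPLOAD_2))  # entries a re-import would flag
```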

