[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#376961: developers-reference: Include CVE numbers in changelog as best practice

On Wed, Jul 05, 2006 at 07:06:48PM -0300, Damián Viano wrote:
> Package: developers-reference
> Severity: wishlist
> Tags: patch
> Today I searched about including CVE numbers[1] in old entries on the
> changelog in the dev-ref and didn't found it, so after asking in #d-d,
> here is a patch. Feel free to rephrase since I'm not native english
> speaker.
>         Hope to help,

Content-Description: Add entry to Best practices for debian/changelog about security fixes
> --- developers-reference.sgml	2006-07-04 19:33:41.000000000 -0300
> +++ developers-reference.sgml.des	2006-07-04 19:45:07.000000000 -0300
> @@ -3926,6 +3926,8 @@
>  When referring to bugs, don't assume anything.  Say what the problem
>  was, how it was fixed, and append the "closes: #nnnnn" string.  See
>  <ref id="upload-bugfix"> for more information.
> +          <p>
> +When closing security bugs include CVE/DSA numbers as well as the "closes: #nnnnn" when apropiate, this is usefull for the security team to track vulnerabilities. If the advisory is released after the upload you may add the identifiers to the changelog on the entry that fixed the advisory in your next upload.

Second sentence:
If an upload is made to fix the bug before the advisory ID is known,
it is allowed (and encouraged) to modify the historical changelog
entry for the next upload, to make it clear that the patch is

Reply to: