
Re: pidgin



Hi Brian,

Putting the Security team in the loop.

On Wed, Jun 29, 2016 at 08:56:40AM +0200, Salvatore Bonaccorso wrote:
> Hi Brian,
> 
> On Wed, Jun 29, 2016 at 08:35:26AM +1000, Brian May wrote:
> > Salvatore Bonaccorso <carnil@debian.org> writes:
> > 
> > > Can you point me to the errors you found? Since I added I think most
> > > of those entries I would like to correct them if I wrongly committed.
> > 
> > Sure. Hope I haven't made too many mistakes myself :-)
> 
> Thanks, I will go double-check those today again.

So I went through the list again, and unfortunately I now know from
where the errors came. The CVEs popped up on the external check, Red
Hat had already triaged/filled the entries.

When you look up the CVEs in Red Hat's bugzilla (from the other
sources link) and compare with the upstream security advisories they
indeed match, and the upstream advisories reference the "wrong"
commits.

Take as an example 

https://www.pidgin.im/news/security/?id=104

This is for CVE-2016-2371 / TALOS-CAN-0139. But references
7b52ca213832 which then is wrong.

Not good :-(. But this shows: 1/ upstream advisories can contain
mistakes as well; 2/ double-review by somebody else, in addition to
the one checking/triaging some initial information for CVEs, is needed
as well; 3/ any automatic commit from an external source should be taken
with care :-)

Brian, thanks for your work!

Regards,
Salvatore

