[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: fixing in oldstable before unstable (was Re: Wheezy update of tre?)

Guido Günther wrote:

> > or at least amend LTS-policies to always file a bug if one fixes a bug
> > in LTS which is still open in sid.
> I think the later part is already LTS policy since at latest
> Debconf 16. It's up to us to handle things like that.

Let's make this more concrete. Do we have a template? If not, how about:

  To: submit@bugs.debian.org
  Subject: ${SOURCE}: CVE-2016-1234: ${CVE_DESCRIPTION}

  Source: ${SOURCE}
  Version: ${VERSION}
  Severity: serious
  Tags: security
  X-Debbugs-Cc: debian-lts@lists.debian.org


  The following vulnerabilities have been published for ${SOURCE}:


  If you fix the vulnerability please also make sure to include the
  CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

  Please adjust the affected versions in the BTS as needed.

Open questions for me are:

a) What Version we submit with? Wheezy's? Or unstable's, and then follow-up
with "found"?


     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk

Reply to: