On Fri, Oct 21, 2016 at 11:14:24AM +0100, Chris Lamb wrote:
> Guido Günther wrote:
>
> > > or at least amend LTS-policies to always file a bug if one fixes a bug
> > > in LTS which is still open in sid.
> >
> > I think the later part is already LTS policy since at latest
> > Debconf 16. It's up to us to handle things like that.
>
> Let's make this more concrete. Do we have a template? If not, how about:
>
>
> To: submit@bugs.debian.org
> Subject: ${SOURCE}: CVE-2016-1234: ${CVE_DESCRIPTION}
>
> Source: ${SOURCE}
> Version: ${VERSION}
> Severity: serious
> Tags: security
> X-Debbugs-Cc: debian-lts@lists.debian.org
>
> Hi,
>
> The following vulnerabilities have been published for ${SOURCE}:
>
> https://security-tracker.debian.org/tracker/CVE-2016-1234
> ${CVE_DESCRIPTION}
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> Please adjust the affected versions in the BTS as needed.
I'd just use bin/report-vuln?
> Open questions for me are:
>
> a) What version do we submit with? Wheezy's? Or unstable's, and then follow up
> with "found"?
I'd say unstable and then "found".
Cheers,
-- Guido
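As an added illustration (not part of the thread, and not the bin/report-vuln script Guido mentions from the security-tracker repository), the following POSIX shell snippet renders Chris's proposed template from its ${SOURCE}, ${VERSION} and CVE fields, checks the CVE id has the expected shape before it lands in a Subject or tracker URL, and also produces the follow-up "found" control message that Guido's answer to question a) implies (file against unstable's version, then mark the older version as affected once the BTS has handed back a bug number). The package name, versions, description and bug number are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: fill the proposed LTS bug-report template
# and emit the follow-up "found" control message. Sample values are constructed.

# Accept only ids of the form CVE-YYYY-NNNN (four or more final digits), so a
# mangled id (e.g. with a stray space) is refused rather than mailed out.
valid_cve() {
    printf '%s' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'
}

# Render the report mail from the template.
# Arguments: source-package version cve-id description
render_report() {
    src=$1; ver=$2; cve=$3; desc=$4
    valid_cve "$cve" || return 1
    cat <<EOF
To: submit@bugs.debian.org
Subject: ${src}: ${cve}: ${desc}

Source: ${src}
Version: ${ver}
Severity: serious
Tags: security
X-Debbugs-Cc: debian-lts@lists.debian.org

Hi,

The following vulnerability has been published for ${src}:

https://security-tracker.debian.org/tracker/${cve}
${desc}

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Please adjust the affected versions in the BTS as needed.
EOF
}

# After the BTS assigns a bug number, record that an older (e.g. wheezy)
# version is affected as well, using the debbugs "found" control command.
# Arguments: bug-number version
render_found() {
    cat <<EOF
To: control@bugs.debian.org

found $1 $2
thanks
EOF
}

# Constructed sample run: file against unstable's version, then "found" for wheezy.
render_report "examplepkg" "1.2.3-1" "CVE-2016-1234" "example vulnerability description"
render_found "NNNNNN" "1.0.0-1+deb7u1"
```

The "NNNNNN" bug number is a placeholder for whatever submit@bugs.debian.org returns; the two mails are shown on stdout here rather than sent, so the output can be reviewed before anything goes to the BTS.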