Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID

To: Ben Hutchings <ben@decadent.org.uk>
Cc: debian-lts@lists.debian.org
Subject: Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
From: Raphael Hertzog <hertzog@debian.org>
Date: Thu, 1 Dec 2016 16:31:53 +0100
Message-id: <[🔎] 20161201153153.nfphniwgazbptrmh@home.ouaza.com>
Mail-followup-to: Raphael Hertzog <hertzog@debian.org>, Ben Hutchings <ben@decadent.org.uk>, debian-lts@lists.debian.org
In-reply-to: <[🔎] 1480557291.16599.88.camel@decadent.org.uk>
References: <20161128060237.GA26261@miami.connexer.com> <20161128071326.jhvcaoavbkjpht4a@bogon.m.sigxcpu.org> <20161128114407.GB26261@miami.connexer.com> <20161129111410.padrpl3w2lylsdrz@home.ouaza.com> <[🔎] 1480557291.16599.88.camel@decadent.org.uk>

On Thu, 01 Dec 2016, Ben Hutchings wrote:
> Would it make sense to add a Bug header field to patches, e.g.:
>     Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-XXXX-YYYY
> or:
>     Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-XXXX-YYYY
> ?

I don't have any strong opinion on the way you add the CVE number to the
patch description. Using Bug-CVE and/or Bug-Debian-Security looks
perfectly reasonable, yes.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Reply to:

References:
- Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
  - From: Ben Hutchings <ben@decadent.org.uk>

Prev by Date: Versioning of new releases in (old)stable (Was: nss security update package ready for review)
Next by Date: Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
Previous by thread: Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
Next by thread: Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
Index(es):
- Date
- Thread