
Re: fixing in oldstable before unstable (was Re: Wheezy update of tre?)



On Fri, Oct 21, 2016 at 11:14:24AM +0100, Chris Lamb wrote:
> Guido Günther wrote:
> 
> > > or at least amend LTS-policies to always file a bug if one fixes a bug
> > > in LTS which is still open in sid.
> > 
> > I think the latter part is already LTS policy since at latest
> > DebConf 16. It's up to us to handle things like that.
> 
> Let's make this more concrete. Do we have a template? If not, how about:
> 
> 
>   To: submit@bugs.debian.org
>   Subject: ${SOURCE}: CVE-2016-1234: ${CVE_DESCRIPTION}
> 
>   Source: ${SOURCE}
>   Version: ${VERSION}
>   Severity: serious
>   Tags: security
>   X-Debbugs-Cc: debian-lts@lists.debian.org
> 
>   Hi,
> 
>   The following vulnerabilities have been published for ${SOURCE}:
> 
>   https://security-tracker.debian.org/tracker/CVE-2016-1234
>   ${CVE_DESCRIPTION}
> 
>   If you fix the vulnerability please also make sure to include the
>   CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
>   Please adjust the affected versions in the BTS as needed.

I'd just use bin/report-vuln?

> Open questions for me are:
> 
> a) Which version do we submit with? Wheezy's? Or unstable's, and then follow
> up with "found"?

I'd say unstable and then "found".

Cheers,
 -- Guido
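The procedure the thread converges on (file against the unstable version using the quoted template, then record the oldstable version with a "found" control command) as an added example. This is not code from the thread, from bin/report-vuln or from the Debian security tracker; the script names, the sample package, the CVE ids, descriptions and version strings are all constructed placeholders, and the choice to join several CVE ids in the Subject with spaces is this example's own.

```python
import re

# Added example, not the project's own code: renders the bug-report template
# quoted in the thread and the follow-up "found" control mail.

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
TRACKER_URL = "https://security-tracker.debian.org/tracker/"
LTS_LIST = "debian-lts@lists.debian.org"


def validate_cves(cves):
    """Reject anything that is not a well-formed CVE id before it lands in a
    Subject line or a changelog entry (the template assumes the id is right)."""
    bad = [c for c in cves if not CVE_RE.match(c)]
    if bad:
        raise ValueError("malformed CVE id(s): %s" % ", ".join(bad))
    return list(cves)


def render_bug_report(source, version, cves, descriptions, severity="serious"):
    """Build the submit@bugs.debian.org mail from the quoted template.

    `version` is the unstable (sid) version, as suggested in the reply; the
    oldstable version is recorded afterwards with `found`.
    `descriptions` maps each CVE id to a one-line description.
    """
    cves = validate_cves(cves)
    missing = [c for c in cves if c not in descriptions]
    if missing:
        raise ValueError("no description for: %s" % ", ".join(missing))
    subject_desc = "; ".join(descriptions[c] for c in cves)
    lines = [
        "To: submit@bugs.debian.org",
        "Subject: %s: %s: %s" % (source, " ".join(cves), subject_desc),
        "",
        # BTS pseudo-headers: the first paragraph of the body.
        "Source: %s" % source,
        "Version: %s" % version,
        "Severity: %s" % severity,
        "Tags: security",
        "X-Debbugs-Cc: %s" % LTS_LIST,
        "",
        "Hi,",
        "",
        "The following vulnerabilities have been published for %s:" % source,
        "",
    ]
    for cve in cves:
        lines.append(TRACKER_URL + cve)
        lines.append(descriptions[cve])
        lines.append("")
    lines += [
        "If you fix the vulnerability please also make sure to include the",
        "CVE (Common Vulnerabilities & Exposures) id in your changelog entry.",
        "",
        "Please adjust the affected versions in the BTS as needed.",
    ]
    return "\n".join(lines) + "\n"


def render_found_control(bug_number, version):
    """Control mail recording that bug `bug_number` is also present in
    `version` (e.g. the wheezy version), the "found" follow-up step."""
    if not str(bug_number).isdigit():
        raise ValueError("bug number must be numeric")
    return "To: control@bugs.debian.org\n\nfound %s %s\nthanks\n" % (
        bug_number, version)


def parse_pseudo_headers(report):
    """Return the pseudo-header block (first paragraph of the body) as a dict;
    this is where the BTS reads Source/Version/Severity/Tags from."""
    body = report.split("\n\n", 1)[1]
    block = body.split("\n\n", 1)[0]
    out = {}
    for line in block.splitlines():
        key, _, value = line.partition(":")
        out[key.strip()] = value.strip()
    return out


if __name__ == "__main__":
    # Constructed sample values: placeholder CVE id, descriptions and versions.
    report = render_bug_report(
        "tre", "0.0-1", ["CVE-2016-1234"],
        {"CVE-2016-1234": "placeholder description"},
    )
    print(report)
    print(render_found_control(123456, "0.0-0"))
```

Send the first mail to submit@bugs.debian.org, take the bug number from the BTS acknowledgement, and send the second mail so the oldstable version is marked affected as well.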

