On 2017-08-18 8:01, Mattias Ellert wrote:
On Thu 2017-08-17 at 21:59 +0100, Adam D. Barratt wrote:
On Thu, 2017-08-17 at 20:22 +0200, Martin Zobel-Helas wrote:
> Hi,
>
> On Thu Aug 17, 2017 at 16:38:36 +0200, Mattias Ellert wrote:
[...]
> > +gsoap (2.8.35-4+deb9u1) stretch; urgency=medium > > + > > + * Fix for CVE-2017-9765 (Closes: xxxx)
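Review bot: the changelog entry "* Fix for CVE-2017-9765 (Closes: xxxx)" still carries the placeholder "xxxx" instead of a bug number, so the upload would have nothing valid to close. Either replace it with the number of a bug filed against gsoap for this issue, or drop the "(Closes: ...)" clause and keep only the CVE reference. The entry would also be easier to audit if it said in a few words what was changed to fix the CVE.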
[...]
Is there actually a Debian bug for the issue? I couldn't find one.
[...]
I don't understand the last comment here.
Apparently not.
Of course there is a bug - it is this one. The reason the debdiff in the request says "Closes: xxxx", is a chicken-and-egg problem. You are supposed to attach the debdiff to the request, but before you make the request its BTS number does not yet exist - so you can't include it in the attachment at creation time. After I got the confirmation back with the number I updated the changelog with the bug number.
*NO*. There is no chicken and egg problem here at all. The bug number you would close in the changelog relates to a bug filed _against gsoap_, the same as it would for any other upload. You should never be closing bugs filed against release.debian.org in an upload of your package. You're fixing a bug in your package, the release.d.o bug is a means of tracking that, not a thing fixed in the upload.
If there is no bug filed against gsoap that relates to the issue, then there should be no bug closed in the changelog.
Regards, Adam