Re: CAN to CVE: changing changelogs?

To: debian-security@lists.debian.org
Subject: Re: CAN to CVE: changing changelogs?
From: Thomas Bushnell BSG <tb@becket.net>
Date: Fri, 28 Oct 2005 23:35:13 -0700
Message-id: <[🔎] 87zmossue6.fsf@becket.becket.net>
In-reply-to: <[🔎] 20051027220122.GB28521@kitenet.net> (Joey Hess's message of "Thu, 27 Oct 2005 18:01:22 -0400")
References: <[🔎] 1130319135.4117.12.camel@darwin.os9.nl> <[🔎] 20051027040301.GA1442@verge.net.au> <[🔎] 20051027114715.GA31904@khazad-dum.debian.net> <[🔎] 20051027144214.GB4599@verge.net.au> <[🔎] 20051027145736.GA9591@khazad-dum.debian.net> <[🔎] 871x26dduo.fsf@becket.becket.net> <[🔎] 20051027192127.GA9202@khazad-dum.debian.net> <[🔎] 20051027200729.GC26938@kitenet.net> <[🔎] 20051027202639.GB9202@khazad-dum.debian.net> <[🔎] 20051027213137.GA9416@khazad-dum.debian.net> <[🔎] 20051027220122.GB28521@kitenet.net>

Joey Hess <joeyh@debian.org> writes:

> One thing that this bug illustrates pretty well that is quite annoying
> when trying to determine what version of a package actually fixed a
> security hole, is new upstream releases that are listed in the changelog
> as fixing a particular CVE, when the hole was actually fixed in a
> previous debian revision of the old upstream version. That's a case
> where clarity is very useful in the changelog. (So is proper use of the
> new version tracking features of the BTS.)

Seems to me that the right thing to do is:

close the bug with the right version using -done;
add a *new* changelog entry (not altering the old one), saying "bug
such-and-such was fixed in such-and-such old version."

Reply to:

Follow-Ups:
- Re: CAN to CVE: changing changelogs?
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

References:
- CAN to CVE: changing changelogs?
  - From: Thijs Kinkhorst <kink@squirrelmail.org>
- Re: CAN to CVE: changing changelogs?
  - From: Horms <horms@debian.org>
- Re: CAN to CVE: changing changelogs?
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: CAN to CVE: changing changelogs?
  - From: Horms <horms@debian.org>
- Re: CAN to CVE: changing changelogs?
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: CAN to CVE: changing changelogs?
  - From: Thomas Bushnell BSG <tb@becket.net>
- Re: CAN to CVE: changing changelogs?
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: CAN to CVE: changing changelogs?
  - From: Joey Hess <joeyh@debian.org>
- Re: CAN to CVE: changing changelogs?
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: CAN to CVE: changing changelogs?
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: CAN to CVE: changing changelogs?
  - From: Joey Hess <joeyh@debian.org>

Prev by Date: Re: CAN to CVE: changing changelogs?
Next by Date: Re: What's going on with advisory for phpmyadmin?
Previous by thread: Re: CAN to CVE: changing changelogs?
Next by thread: Re: CAN to CVE: changing changelogs?
Index(es):
- Date
- Thread