Re: whole pile o' updates
Lubomir Kundrak wrote:
On Sun, 2008-02-24 at 14:09 -0700, Jake Edge wrote:
If it is 'easy', it would be helpful to update readers to have the CVE references be links to CVE or NVD rather than just link to the redhat bugzilla ...

Our decision was not to, because:

1.) Sometimes we get the CVE name after we ship the update, and unlike the update mails, we can easily update bugzilla.

2.) In most cases our bugzilla contains a verbatim copy of the CVE text, and in all cases it has links to CVE, NVD and an alias that is equal to the CVE name. Our bugzilla even substitutes the CVE names with links to CVE.
Ok, I am looking at today's (or maybe late yesterday's) report for qemu for F7: FEDORA-2008-2001
It doesn't list the CVE number, so I click through to bugzilla, which does list the CVE number (as an Alias), but doesn't link to CVE/NVD (which is just a placeholder at this point anyway, but will presumably be updated soon).
Does the changelog reflect the changes in this release? Which would imply that there are fixes for other, non-security bugs in the release.
It just strikes me as difficult for people receiving the advisories (or reading them on our or other sites) to figure out the *exact* bug being fixed without a CVE reference in the advisory. Maybe the timing is too tight, but that is very unfortunate.
jake

--
Jake Edge - LWN - jake@xxxxxxx - http://lwn.net

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list