Re: proposal: track CAN ids in changelogs

1 msg	Abwesenheitsnachricht
2 msg	Away from my mail
3 msg	Can (non-embargoed) uploads be downloaded from ...
3 msg	net unavailable
5 msg	Question about Debian security policy
1 msg	Want some fun? Find a fuck buddy,...cynthia
1 msg	Wanna be more man? Check this dude
1 msg	Securing Private Keys
1 msg	Top software brands and independece you can trust.
5 msg	Security team support
8 msg	sudo fix
14 msg	handling private keys
1 msg	Join the thousands already saving. Save up to 5...
1 msg	Rolex is not for everyone, it`s for you Faustino
83 msg	Bad press related to (missing) Debian security

proposal: track CAN ids in changelogs
\ Filippo Giunchedi (26 Jun 2005)
. \ Javier Fernбndez-Sanguino Peсa (26 Jun 2005)

6 msg	getting the MAC address from an ip
5 msg	Missing debsums and mismatches
1 msg	Хотите заказать рекламу?
9 msg	SpamAssassin DOS-Fix anytime soon ?

Subject:	Re: proposal: track CAN ids in changelogs
Group:	Debian-security
From:	Javier Fernбndez-Sanguino Peсa
Date:	26 Jun 2005

On Sun, Jun 26, 2005 at 05:22:27PM +0200, Filippo Giunchedi wrote:
> [sorry for crossposting, but this is relevant to both ML, please cc]
>
> Hi,
> while searching bugtraq for not-yet-fixed security bugs, I found out that there
> is no reliable way (apart from testing yourself) if a package has been patched
> for a specific security advisory.

Yes there is, for stable, through the cross-references published at the web
site: www.debian.org/security/crossreferences.

> It would be fine to include as best practice for maintainers fixing security
> bugs to include something (Fixes: <CAN-ID-or-something>) in the changelog so it
> is easy to track such changes.

The security team has been asking maintainers to do so when uploading to
sid for quite some time. And that info is used by the testing security team
to keep track of CVEs not fixed in testing but fixed in sid.

Regards

Javier