On 10/19/18 16:40, Gao, Liming wrote:
>
> I don't find the detail information for each CVE. BZ 686 attaches one
> doc to list all issues. So, I fix them together. I think one patch is
> allowed to include more than one CVEs. Even if with single CVE, patch
> subject may be longer than 80 characters. If we need strictly follow
> subject length rule, I suggest to mention CVE FIX in subject, and
> list CVE number info in the commit message. User can use git command
> to get full commit log and know which commit is CVE fix. For
> example: MdePkg/UefiDecompressLib: fix potential buffer overflow (CVE
> FIX)

OK. Thanks!
Laszlo
_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.01.org/mailman/listinfo/edk2-devel

