Hi Daniele!
[Bug submitters don't automatically receive BTS message copies. You need
to CC them explicitly. I saw your message only by chance...]
* Daniele Tricoli <[email protected]>, 2014-09-17, 01:06:
To acknowledge the fix of this security bug, I should put something in
the changelog anyway, right?
Something like this:
* Acknowledge fix for CVE-2014-1829 and CVE-2014-1830 in 2.3.0-1
(Closes: #733108)
Developer reference[ยน] says: "When closing security bugs include CVE
numbers as well as the Closes: #nnnnn. This is useful for the security
team to track vulnerabilities. If an upload is made to fix the bug
before the advisory ID is known, it is encouraged to modify the
historical changelog entry with the next upload."
As the DevRef suggests, you should retroactively add the CVE reference
to the changelog entry for 2.3.0-1, so don't mention "in 2.3.0-1".
So using "Closes: #733108" although the bug is arleady closed seems ok
to me, is that right?
Yup, that should be fine.
--
Jakub Wilk
_______________________________________________
Python-modules-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team
