On Mon, 11 Jun 2007 13:24:34 -0400 Josh Bressers <bressers@xxxxxxxxxx> wrote:

...snip...

> Ideally, yes. I however don't want people to duplicate work. I
> suspect the easiest way is going to be for someone to just mark a
> block of ids as what they're working on. Something like
>
> **** bressers ****
> CVE blah blah blah
> ... ===> Lots of CVE ids here
> CVE blah blah blah
> **** bressers ****
>
> Check in some bits to make it known you're on it, then start wading
> through the manure.

OK. Looking at the nice big pile you checked in, I think we might be
served better by folks taking particular packages. I.e., if you are
already examining a package for one CVE, it might be easier to just
keep going on that package rather than switch to another one and have
to pull up more cvs files, bugzilla, etc.

Here's the top 10 of the ones you just checked in today:

30 (php)
14 (helixplayer)
11 (tomcat)
8 (fedoradirectoryserver)
7 (flash-plugin)
7 (acroread)
6 (openoffice.org)
6 (kernel)
5 (xscreensaver)
5 (wu-ftpd)

Should all the flash-plugin, acroread and wu-ftpd ones be marked
"ignore" since we don't ship them? Or removed?

Also, what level of scrutiny should we use in checking for fixes? If a
changelog lists the CVE being fixed, mark it? Should we check the patch
against upstream or other distros' fixes?

>
> Thanks.

kevin
Attachment:
signature.asc
Description: PGP signature
-- Fedora-security-list mailing list Fedora-security-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-security-list
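The thread sketches a claim-block convention for the CVE tracking file (`**** name ****` lines fencing the ids someone is working on) and then tallies the checked-in ids per package. The script below is an added example, not code from the list or from the Fedora security tracker, that parses a file in that sketched layout, flags ids claimed by more than one person (the duplicated work the first mail wants to avoid), and produces the per-package counts used in the reply. The `CVE-id (package)` line shape and the sample file contents are assumptions made up for the example; the real tracking file's layout is not shown in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the block-marker layout sketched in the thread.
# The "CVE-id (package)" line shape is an assumption, not the real file format.
SAMPLE = """\
**** bressers ****
CVE-2007-0001 (php)
CVE-2007-0002 (php)
CVE-2007-0003 (tomcat)
**** bressers ****
**** kevin ****
CVE-2007-0003 (tomcat)
CVE-2007-0004 (kernel)
**** kevin ****
CVE-2007-0005 (flash-plugin)
CVE-2007-0006 (wu-ftpd)
"""

MARKER = re.compile(r'^\*{4}\s+(\S+)\s+\*{4}\s*$')
ENTRY = re.compile(r'^(CVE-\d{4}-\d{4,})\s+\(([^)]+)\)')


def parse_claims(text):
    """Return (claims, packages).

    claims maps CVE id -> set of claimants (empty set when nobody has
    marked it); packages maps CVE id -> package name.  Raises ValueError
    on a block that is closed by a different name or never closed, since
    a mangled marker would silently hide who owns the ids below it.
    """
    claims, packages = {}, {}
    owner = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = MARKER.match(line)
        if m:
            name = m.group(1)
            if owner is None:
                owner = name            # opening marker
            elif name == owner:
                owner = None            # matching closing marker
            else:
                raise ValueError(f"line {lineno}: block for {owner!r} closed by {name!r}")
            continue
        e = ENTRY.match(line)
        if not e:
            continue                    # commentary or blank line
        cve, pkg = e.groups()
        packages[cve] = pkg
        claims.setdefault(cve, set())
        if owner is not None:
            claims[cve].add(owner)
    if owner is not None:
        raise ValueError(f"unterminated block for {owner!r}")
    return claims, packages


def duplicates(claims):
    """CVE ids claimed by more than one person, i.e. duplicated work."""
    return {cve: sorted(who) for cve, who in claims.items() if len(who) > 1}


def unclaimed(claims):
    """CVE ids nobody has marked yet."""
    return sorted(cve for cve, who in claims.items() if not who)


def per_package(packages, top=10):
    """(package, count) pairs, most ids first; the 'top 10' view in the reply."""
    return Counter(packages.values()).most_common(top)


def packages_per_claimant(claims, packages):
    """Which packages each person has touched; useful when work is split
    by package rather than by id range, as the reply proposes."""
    out = defaultdict(set)
    for cve, who in claims.items():
        for name in who:
            out[name].add(packages[cve])
    return {name: sorted(pkgs) for name, pkgs in out.items()}


if __name__ == "__main__":
    claims, packages = parse_claims(SAMPLE)
    print("duplicated:", duplicates(claims))
    print("unclaimed:", unclaimed(claims))
    for pkg, n in per_package(packages):
        print(f"{n} ({pkg})")
```

Running it on the constructed sample reports CVE-2007-0003 as claimed by both bressers and kevin, lists the two unclaimed ids, and prints the per-package tally in the same "count (package)" form the reply uses.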