On Thu, Feb 14, 2008 at 09:25:16AM -0700, Jake Edge wrote:
> (sorry if this starts a new thread, you folks answered before I had a
> chance to subscribe :)
>
> Jesse wrote:
>
> > As for ruby-gnome2's other CVE fix, that was released earlier in a
> > different update,
> > https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4216
>
> So this getting into our system is an artifact of how we process the
> alerts. Our program looks for CVE references anywhere in the alert and
> believes the alert fixes those CVEs. In this case (and presumably others),
> that CVE was fixed in an earlier release and only appeared in the Changelog
> in the message.
>
> I have sometimes wondered about those changelogs. It would seem to me that
> unless they only refer to the changes since the last release, they are
> fairly confusing to someone reading them. Is there a way for a human (or
> program) to determine which of those changelog entries actually correspond
> to the changes in the release that goes with the alert?

The changelogs are /supposed/ to be from the last time that package was
updated. However, there are still some bugs that need to get worked out in
the generation of these.

luke

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list