Lubomir Kundrak wrote:
> On Sun, 2008-02-24 at 14:09 -0700, Jake Edge wrote:
>> If it is 'easy', it would be helpful to update readers to have the CVE
>> references be links to CVE or NVD rather than just link to the redhat
>> bugzilla ...
>
> Our decision was not to, because:
> 1.) Sometimes we get the CVE name after we ship the update, and unlike
> the update mails, we can easily update bugzilla.
> 2.) In most cases our bugzilla contains a verbatim copy of the CVE text,
> and in all cases it has links to CVE, NVD and an alias that is equal to the
> CVE name. Our bugzilla even substitutes the CVE names with links to CVE.

Ok, I am looking at today's (or maybe late yesterday's) report for qemu
for F7: FEDORA-2008-2001

It doesn't list the CVE number, so I click through to bugzilla, which
does list the CVE number (as an Alias), but doesn't link to CVE/NVD
(which is just a placeholder at this point anyway, but will presumably
be updated soon).

Does the changelog reflect the changes in this release? Which would
imply that there are fixes for other, non-security bugs in the release.

It just strikes me as difficult for people receiving the advisories (or
reading them on our or other sites) to figure out the *exact* bug being
fixed without a CVE reference in the advisory. Maybe the timing is too
tight, but that is very unfortunate.

jake
--
Jake Edge - LWN - jake@xxxxxxx - http://lwn.net