On 1/13/20 2:47 PM, Neal Gompa wrote:
> changelogs often include CVE information, especially useful when the
> fixes are backported rather than included as part of the regular
> update/release process.
> How could the CVE info be available in the absence of changelogs?
> In Fedora, this information has always been available as part of
> updateinfo, just like with RHEL. Only CentOS seems to still not have
> updateinfo published for advisories and including security
> information.
You're right, the updateinfo capability in dnf is awesome!! Thanks for
bringing it up here, I missed the --cve option. I think specifically
dnf updateinfo list --cve=CVE-2015-2080
should list the packages that address this particular CVE, which would
be better than grepping changelog for CVEs, except that it didn't work
for me right now somehow. I found very little info about it, e.g. on
Oracle pages:
https://docs.oracle.com/en/operating-systems/oracle-linux/8/software-management/security-dnf.html
Is there a better description somewhere, maybe with some examples?
That said, the information could *still* be in changelogs if the
packager deems so.
I am all for automating all this---the CVE-in-changelog looked like a
manual effort on the part of some packagers, so if there's an automatic
workflow that takes care of it in the updateinfo records, I am all for
it and won't miss the changelogs.
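As an added illustration (not dnf's own code and not part of this thread), here is a small Python reader for the updateinfo.xml layout that answers the same question as `dnf updateinfo list --cve=...`: which shipped packages belong to an advisory addressing a given CVE. The sample advisory data, ids and hosts are constructed; the fallback scan of reference titles and the description is an assumption about advisories that carry the CVE only in free text rather than in a typed reference.

```python
import re
import xml.etree.ElementTree as ET

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample in the updateinfo.xml layout (ids/hosts are placeholders).
SAMPLE_UPDATEINFO = """<updates>
 <update status="stable" type="security" version="2.0">
  <id>EXAMPLE-2020-0001</id>
  <references>
   <reference href="https://cve.example.invalid/CVE-2015-2080" id="CVE-2015-2080" type="cve" title="CVE-2015-2080"/>
  </references>
  <description>Fixes an information leak.</description>
  <pkglist><collection short="EX">
   <package name="jetty" version="9.4.25" release="1.example" arch="noarch"><filename>jetty-9.4.25-1.example.noarch.rpm</filename></package>
  </collection></pkglist>
 </update>
 <update status="stable" type="security" version="2.0">
  <id>EXAMPLE-2020-0002</id>
  <references>
   <reference href="https://bugzilla.example.invalid/1" id="1" type="bugzilla" title="CVE-2019-0001 foo: crash on malformed input"/>
  </references>
  <description>Backported fix, see bug 1.</description>
  <pkglist><collection short="EX">
   <package name="foo" version="1.2" release="3.example" arch="x86_64"><filename>foo-1.2-3.example.x86_64.rpm</filename></package>
  </collection></pkglist>
 </update>
</updates>"""

def cves_for_update(update):
    # Typed <reference type="cve"> entries are the structured signal; as a
    # fallback (assumption: some advisories only name the CVE in free text)
    # also scan reference titles and the description for CVE ids.
    cves = set()
    for ref in update.iter("reference"):
        if ref.get("type") == "cve" and ref.get("id"):
            cves.add(ref.get("id"))
        cves.update(CVE_RE.findall(ref.get("title", "")))
    cves.update(CVE_RE.findall(update.findtext("description", "")))
    return cves

def packages_for_cve(updateinfo_xml, cve):
    # Same question as `dnf updateinfo list --cve=<id>`: every rpm shipped by
    # an update that addresses the CVE, paired with its advisory id.
    root = ET.fromstring(updateinfo_xml)
    return [(upd.findtext("id"), pkg.findtext("filename"))
            for upd in root.findall("update") if cve in cves_for_update(upd)
            for pkg in upd.iter("package")]
```

Point it at a real repodata updateinfo.xml (after decompressing it) to compare against what dnf reports for the same CVE.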
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx