whole pile o' updates

Luke Macken lmacken at redhat.com
Tue Feb 19 15:05:38 UTC 2008


On Thu, Feb 14, 2008 at 09:25:16AM -0700, Jake Edge wrote:
> (sorry if this starts a new thread, you folks answered before I had a 
> chance to subscribe :)
>
> Jesse wrote:
>
> > As for ruby-gnome2's other CVE fix, that was released earlier in a
> > different update,
> > https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4216
>
> So this getting into our system is an artifact of how we process the 
> alerts.  Our program looks for CVE references anywhere in the alert and 
> believes the alert fixes those CVEs.  In this case (and presumably others), 
> that CVE was fixed in an earlier release and only appeared in the Changelog 
> in the message.
>
> I have sometimes wondered about those changelogs.  It would seem to me that 
> unless they only refer to the changes since the last release, they are 
> fairly confusing to someone reading them.  Is there a way for a human (or 
> program) to determine which of those changelog entries actually correspond 
> to the changes in the release that goes with the alert?

The changelogs are /supposed/ to be from the last time that package was
updated.  However, there are still some bugs that need to get worked out
in the generation of these.

luke
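The mis-attribution Jake describes (a scanner that credits an update with every CVE mentioned anywhere in the message, including changelog entries carried over from an earlier release) can be avoided by parsing the notification by section. The following is an added example and not code from this thread or from Fedora's update tooling; the section labels ("Update Information:", "ChangeLog:", "References:"), the RPM-style "* " changelog entry lines, and the CVE-0000-* numbers are constructed placeholders for the demo. It contrasts the naive "anywhere in the alert" extraction with one that treats only CVEs named outside the changelog as fixed by this update and flags changelog-only mentions, together with the entry that carries them, for a human to check against earlier updates:

```python
import re

# CVE identifiers: CVE-YYYY-NNNN with four or more digits after the year.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample notification (not a real advisory). The section labels,
# package name and CVE numbers are placeholders chosen for this example.
SAMPLE_ALERT = """\
Name        : example-pkg
Product     : Fedora 8
Version     : 1.2.3
Release     : 2.fc8
Summary     : Example package used for a parsing demo

--------------------------------------------------------------------------------
Update Information:

Fix CVE-0000-0002 (constructed placeholder identifier).
--------------------------------------------------------------------------------
ChangeLog:

* Mon Feb 18 2008 Example Maintainer <maint at example.org> - 1.2.3-2
- Fix CVE-0000-0002
* Mon Jan 07 2008 Example Maintainer <maint at example.org> - 1.2.3-1
- Fix CVE-0000-0001 (already shipped in an earlier update)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #0 - example placeholder
--------------------------------------------------------------------------------
"""


def cves_anywhere(text):
    """Naive extraction: every CVE id in the message, wherever it appears.
    This is the behaviour that credits old changelog CVEs to the new update."""
    return sorted(set(CVE_RE.findall(text)))


def split_sections(text):
    """Split the message on bare 'Label:' lines into {label: body}.
    Assumes the section markers used in SAMPLE_ALERT; text before the first
    marker is stored under 'header'."""
    sections = {}
    current, buf = "header", []
    for line in text.splitlines():
        m = re.match(r"^([A-Z][A-Za-z ]+):\s*$", line)
        if m:
            sections[current] = "\n".join(buf)
            current, buf = m.group(1), []
        else:
            buf.append(line)
    sections[current] = "\n".join(buf)
    return sections


def changelog_entries(changelog):
    """Split an RPM-style changelog into entries, each starting at a '* ' line
    (newest entry first, as rpm writes them)."""
    entries = []
    for line in changelog.splitlines():
        if line.startswith("* "):
            entries.append([line])
        elif entries:
            entries[-1].append(line)
    return ["\n".join(e) for e in entries]


def classify_cves(text):
    """Return (described, needs_review):
    described    - CVEs named outside the ChangeLog section, i.e. the ones the
                   update text itself claims to fix;
    needs_review - CVEs that appear only in the changelog, mapped to the header
                   line of the entry that mentions them, so a reader can check
                   whether that entry belongs to this update or an earlier one."""
    sections = split_sections(text)
    described = set()
    for label, body in sections.items():
        if label != "ChangeLog":
            described.update(CVE_RE.findall(body))
    needs_review = {}
    for entry in changelog_entries(sections.get("ChangeLog", "")):
        header = entry.splitlines()[0]
        for cve in CVE_RE.findall(entry):
            if cve not in described:
                needs_review.setdefault(cve, header)
    return sorted(described), needs_review


if __name__ == "__main__":
    print("anywhere:", cves_anywhere(SAMPLE_ALERT))
    described, review = classify_cves(SAMPLE_ALERT)
    print("described by this update:", described)
    for cve, header in review.items():
        print(f"changelog only, verify against earlier updates: {cve} ({header})")
```

Because the split keys off the section labels, a notification whose changelog really does cover only the changes since the last update (as Luke says it should) still works: its CVEs will normally also appear in the update description, and anything that shows up only in a changelog entry is surfaced rather than silently counted as fixed.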

More information about the Fedora-security-list mailing list