On Mon, Sep 16, 2002 at 08:12:43AM +0200, Thomas Lamy wrote:
> on 7.3 (openssl-0.9.6b-150):
> * Fri Jul 26 2002 - okir@suse.de
> - Added security patch for remotely exploitable buffer overflows
> I think it would be wise to include reusable information in the changelog, such as CVE IDs, CERT Advisory numbers, and of course SuSE SA number(s). This way one does not have to further investigate "which buffer overflow was announced in the 30 days before the patch was made".
Yes, but I think the changelog isn't really the place to put this sort of thing. If you look at our advisory though you'll notice that the header section says:

    Package:           openssl
    Announcement-ID:   SuSE-SA:2002:027
    .. bla bla bla ..
    Cross References:  CAN-2002-0656, CAN-2002-0657, CAN-2002-0655,
                       CERT Advisory CA-2002-23

So you can see that it lists the CVE and CERT ids as you suggest (with the exception that when we published the advisory, the vulnerabilities had just CAN numbers, and had not been approved by the CVE board).

Olaf
-- 
Olaf Kirch      |  Anyone who has had to work with X.509 has probably
okir@suse.de    |  experienced what can best be described as
----------------+  ISO water torture. -- Peter Gutmann