What to do about CVE numbers
Posted Oct 7, 2019 15:12 UTC (Mon) by geert (subscriber, #98403)
In reply to: What to do about CVE numbers by epa
Parent article: What to do about CVE numbers
So it's not the vulnerabilities you're interested in, but the actual fixes.
Fixes can be identified uniquely by the commit ID in mainline. Backported commits in stable trees carry "Upstream commit foo" or "cherry picked from commit foo" lines, so the fixes can be tracked.
This also fixes the issue where a commit introduces multiple bugs, and you have multiple fixes.
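The tracking described in the comment above, sketched in Python as an added example (not part of the original comment and not any kernel project's tooling): it reads the backport markers out of stable-tree commit messages and reports which mainline fix commits have no backport. The function names are hypothetical, the commit IDs and messages are constructed sample data, and the "commit <id> upstream." form is an additional marker used in stable trees beyond the two the comment quotes.

```python
import re

# Marker lines that tie a stable-tree commit to its mainline commit ID.
MARKERS = [
    re.compile(r"^\[ Upstream commit ([0-9a-f]{7,40}) \]$", re.I),
    re.compile(r"^\(cherry picked from commit ([0-9a-f]{7,40})\)$", re.I),
    re.compile(r"^commit ([0-9a-f]{7,40}) upstream\.?$", re.I),
]

def upstream_ids(message):
    """Return the mainline commit IDs a backport's message refers to, in order."""
    ids = []
    for line in message.splitlines():
        line = line.strip()
        for pat in MARKERS:
            m = pat.match(line)
            if m and m.group(1).lower() not in ids:
                ids.append(m.group(1).lower())
    return ids

def missing_fixes(required, backports):
    """required: full mainline fix IDs; backports: {stable_id: commit message}.
    Returns (applied {mainline_id: [stable_ids]}, missing [mainline_ids])."""
    applied = {}
    for stable_id, msg in backports.items():
        for up in upstream_ids(msg):
            for req in required:
                # Markers may carry an abbreviated ID, so match on prefix.
                if req.startswith(up) or up.startswith(req):
                    applied.setdefault(req, []).append(stable_id)
    missing = [r for r in required if r not in applied]
    return applied, missing

# Constructed sample data: IDs and messages are made up for illustration.
FIX_A, FIX_B, FIX_C = "a" * 40, "b" * 40, "c" * 40
STABLE_LOG = {
    "1111111": "net: fix foo\n\n[ Upstream commit " + FIX_A + " ]\n\nSigned-off-by: ...",
    "2222222": "fs: fix bar\n\n(cherry picked from commit " + FIX_B[:12] + ")\n",
    "3333333": "mm: unrelated cleanup\n\nNo upstream marker here.\n",
}

if __name__ == "__main__":
    applied, missing = missing_fixes([FIX_A, FIX_B, FIX_C], STABLE_LOG)
    for fix, stable in applied.items():
        print(f"{fix[:12]} backported as {', '.join(stable)}")
    for fix in missing:
        print(f"{fix[:12]} NOT found in stable log")
```

Because each fix is tracked by its own mainline ID, several fixes for bugs introduced by one commit are simply several entries in `required`.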