"Recommended" status of Leap update openSUSE-2020-1390

Alexander Shchadilov
Hello,
openSUSE-2020-1390 patch for "libmediainfo" and "mediainfo" fixes some
CVE issue but is classified as "recommended" and not as "security".
https://bugzilla.suse.com/show_bug.cgi?id=1173630
https://lists.opensuse.org/opensuse-updates/2020-09/msg00077.html

Does this mean that "security" status is restricted to updates that
modify critical software from some closed list (a list of packages
that is tracked by the security team)?

Best wishes,
Alexander Shchadilov
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Re: "Recommended" status of Leap update openSUSE-2020-1390

Marcus Meissner
On Sat, Sep 12, 2020 at 10:06:23PM +0300, Alexander Shchadilov wrote:
> Hello,
> openSUSE-2020-1390 patch for "libmediainfo" and "mediainfo" fixes some
> CVE issue but is classified as "recommended" and not as "security".
> https://bugzilla.suse.com/show_bug.cgi?id=1173630
> https://lists.opensuse.org/opensuse-updates/2020-09/msg00077.html
>
> Does this mean that "security" status is restricted to updates that
> modify critical software from some closed list (a list of packages
> that is tracked by the security team)?

We depend a bit on the packagers also mentioning the CVE in their
changes entries (and not just this line:

- Add libmediainfo-MpegPs.patch (fixes boo#1173630)

)

As it was not correctly submitted (without CVE in changes entry)
I missed this while processing it.

So if you have a CVE, please always also add it to the .changes entry,
our automation then automatically marks it as security.

Ciao, Marcus
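A packager-side pre-submit check for the point made in the reply above, as an added example that is not part of the original thread and is not openSUSE's own automation: it flags `.changes` entries that reference a known security bug without naming its CVE. The CVE id, timestamp, mail address and the bug-to-CVE mapping are constructed placeholders (the thread does not state the CVE number), and the helper names are hypothetical.

```python
import re

# .changes entries are separated by a line of dashes, then a "date - email" header.
SEPARATOR = re.compile(r"^-{20,}\s*$", re.MULTILINE)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
BUG_RE = re.compile(r"\b(?:boo|bsc|bnc)#(\d+)\b")

RULE = "-" * 67
HEADER = "Sat Sep 12 12:00:00 UTC 2020 - packager@example.org"  # constructed

# The entry line quoted in the thread, with no CVE mentioned.
BAD = f"{RULE}\n{HEADER}\n\n- Add libmediainfo-MpegPs.patch (fixes boo#1173630)\n"
# Same entry with a placeholder CVE id added (constructed, not the real id).
GOOD = (f"{RULE}\n{HEADER}\n\n"
        "- Add libmediainfo-MpegPs.patch (fixes boo#1173630, CVE-2099-00001)\n")

# Assumption: the packager knows which bugs are security bugs and their CVEs.
SECURITY_BUGS = {"1173630": {"CVE-2099-00001"}}


def split_entries(changes_text):
    """Return the individual changelog entries of a .changes file."""
    return [e.strip() for e in SEPARATOR.split(changes_text) if e.strip()]


def missing_cves(changes_text, security_bugs):
    """List (entry header, bug id, missing CVE ids) for each entry that
    references a security bug but does not name all of its CVEs."""
    findings = []
    for entry in split_entries(changes_text):
        header = entry.splitlines()[0]
        named = set(CVE_RE.findall(entry))
        for bug in BUG_RE.findall(entry):
            missing = security_bugs.get(bug, set()) - named
            if missing:
                findings.append((header, bug, sorted(missing)))
    return findings


if __name__ == "__main__":
    for header, bug, cves in missing_cves(BAD, SECURITY_BUGS):
        print(f"{header}: boo#{bug} lacks {', '.join(cves)}")
```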