This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate.
Use the following template to for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. ===== # bugfix, security, enhancement, newpackage (required) type=security # low, medium, high, urgent (required) severity=low # testing, stable request=testing # Bug numbers: 1234,9876 bugs=1902011,1902012 # Description of your update notes=Security fix for [PUT CVEs HERE] # Enable request automation based on the stable/unstable karma thresholds autokarma=True stable_karma=3 unstable_karma=-3 # Automatically close bugs when this marked as stable close_bugs=True # Suggest that users restart after update suggest_reboot=False ====== Additionally, you may opt to use the bodhi web interface to submit updates: https://bodhi.fedoraproject.org/updates/new
Okay, I have a few questions here. I created a patch to fix the original issue (https://bugzilla.redhat.com/show_bug.cgi?id=1897485) and pushed updates to all Fedora versions the same day the issue was reported. These updates referenced the original bug: https://bodhi.fedoraproject.org/updates/FEDORA-2020-4349e95c4f https://bodhi.fedoraproject.org/updates/FEDORA-2020-23432b7b72 https://bodhi.fedoraproject.org/updates/FEDORA-2020-27b168926a Am I expected to create a new update that changes nothing, but references these two tracking bugs that were created a week after the original updates reached stable? Additionally, the instructions in this bug instruct me to mention one or more CVE IDs. Is there even a CVE for this issue? If so, how would I know about it? Thanks for your guidance.
Hello, I create the flaws and trackers, the specific process for trackers is outside of my scope, @dmoppert would you please provide some guidance here? There already is a CVE and it automatically propagates into this tracker as well.
(In reply to code from comment #2) > Okay, I have a few questions here. > > I created a patch to fix the original issue > (https://bugzilla.redhat.com/show_bug.cgi?id=1897485) and pushed updates to > all Fedora versions the same day the issue was reported. These updates > referenced the original bug: > > https://bodhi.fedoraproject.org/updates/FEDORA-2020-4349e95c4f > https://bodhi.fedoraproject.org/updates/FEDORA-2020-23432b7b72 > https://bodhi.fedoraproject.org/updates/FEDORA-2020-27b168926a > > Am I expected to create a new update that changes nothing, but references > these two tracking bugs that were created a week after the original updates > reached stable? > > Additionally, the instructions in this bug instruct me to mention one or > more CVE IDs. Is there even a CVE for this issue? If so, how would I know > about it? > > Thanks for your guidance. Thank you working on the updated. This issue has been assigned CVE-2020-27818. The trackers are usually created to allow package maintainers to create updates since not all pkg maintainers follow security flaws. Also it is good to include them in the bodhi update, so that we know what pkgs fixes what. However since you have already created an update and it has reached stable, feel free to close this tracker as CLOSED:ERRATA. Hope this answers your questions?
Thanks, that is very helpful.
The patch is released upstream in version 3.0.0.