Bruce Momjian wrote:
> If someone wants to create a separate web page to track fixes related to
> CVE number, that is fine. My guess is that most people reading the
> release notes don't care about the CVE numbers themselves (just that
> each release has all known security bugs fixed), and most bugs that are
> fixed don't have CVE numbers at commit time.
I think its quite reasonable for the one line description of a postgres
bug to reference "CVE-2005-0247 multiple buffer overflows..." or
whatever, I guess it kind of depends on which came first... if the CVE
security item came first, and was entered into the PGSQL bug tracker,
then this makes a LOT of sense. if the CVE folks create their entry
AFTER the bug has been entered into PGSQL, it makes less sense.