Re: CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE]

["Zeng, Star" <star.zeng@intel.com>]

Hi Laszlo,

On 2018/10/18 2:27, Laszlo Ersek wrote:
> +Stephano
> 
> On 10/17/18 16:58, Zeng, Star wrote:
>> On 2018/10/17 21:10, Laszlo Ersek wrote:
> 
>>> I have requested earlier [1], and now I'm doing so again, that CVE fixes
>>> please all mention the CVE number in the *subject line*. When people
>>> look at the commit log, or even just patch traffic on this list, CVE
>>> numbers should *jump* at them.
>>
>> Good request. How about we document it as requirement at somewhere
>> (Contributions.txt?)? Then people can easily find the requirement and
>> follow it.
> 
> I agree, we should have documented it somewhere explicitly.
> 
> Stephano, can you please add a note to the "well-formed commit messages"
> topic that CVE number should be documented in the subject lines? My
> apologies for not thinking about this earlier.

I will be glad to help broadcast this request and direct people to that 
document. :)

> 
>>> http://mid.mail-archive.com/e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com
>>>
>>
>> Sorry, I could not access it.
> 
> I'm unsure if you mean that you didn't see that message when I posted
> it, or else that you've now tried to follow the link, but it doesn't
> work for you. Does the official edk2-devel archive work perhaps? Here's
> a link within that, to the same message:
> 
> https://lists.01.org/pipermail/edk2-devel/2018-August/028700.html

The edk2-devel archive link works for me. But I did not review this 
thread and did not see the request. :(
FYI, I could not access the redhat archive link 
http://mid.mail-archive.com/e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com, 
I just heard some other people also could not access it.


Thanks,
Star

> 
> Please see my request (1).
> 
> Either way -- I totally agree this hasn't been documented appropriately
> before.
> 
> Thanks
> Laszlo
>