From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.132.183.28; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id A119821168228 for ; Wed, 17 Oct 2018 11:27:39 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 4BCB281E05; Wed, 17 Oct 2018 18:27:38 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-50.rdu2.redhat.com [10.10.120.50]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1E06E61379; Wed, 17 Oct 2018 18:27:34 +0000 (UTC) To: "Zeng, Star" , Prasad Pandit Cc: Vincent Zimmer , edk2-devel@lists.01.org, Steve McIntyre <93sam@debian.org>, Peter Jones , Jiewen Yao , Michael Kinney , Gary Lin , Chao Zhang , "Cetola, Stephano" References: <1539657661-57656-1-git-send-email-star.zeng@intel.com> <75a8ff0b-dac9-dbb4-a792-1085a0b73699@redhat.com> <2d9e4a50-be84-e501-b4b6-651367769e91@intel.com> From: Laszlo Ersek Message-ID: <8f86065a-1170-9ad4-15f2-15f38bd54781@redhat.com> Date: Wed, 17 Oct 2018 20:27:34 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <2d9e4a50-be84-e501-b4b6-651367769e91@intel.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Wed, 17 Oct 2018 18:27:38 +0000 (UTC) Subject: Re: CVE-2018-3613 [was: MdeModulePkg Variable: Fix Timestamp zeroing issue on APPEND_WRITE] X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Oct 2018 18:27:39 -0000 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit +Stephano On 10/17/18 16:58, Zeng, Star wrote: > On 2018/10/17 21:10, Laszlo Ersek wrote: >> I have requested earlier [1], and now I'm doing so again, that CVE fixes >> please all mention the CVE number in the *subject line*. When people >> look at the commit log, or even just patch traffic on this list, CVE >> numbers should *jump* at them. > > Good request. How about we document it as requirement at somewhere > (Contributions.txt?)? Then people can easily find the requirement and > follow it. I agree, we should have documented it somewhere explicitly. Stephano, can you please add a note to the "well-formed commit messages" topic that CVE number should be documented in the subject lines? My apologies for not thinking about this earlier. >> http://mid.mail-archive.com/e62f7104-e341-6c7f-1af5-2130f161f111@redhat.com >> > > Sorry, I could not access it. I'm unsure if you mean that you didn't see that message when I posted it, or else that you've now tried to follow the link, but it doesn't work for you. Does the official edk2-devel archive work perhaps? Here's a link within that, to the same message: https://lists.01.org/pipermail/edk2-devel/2018-August/028700.html Please see my request (1). Either way -- I totally agree this hasn't been documented appropriately before. Thanks Laszlo