From: "Laszlo Ersek" <lersek@redhat.com>
To: tim.lewis@insyde.com, "Gao, Liming", devel@edk2.groups.io, announce@edk2.groups.io
Cc: "Guptha, Soumya K", "Kinney, Michael D", afish@apple.com, leif.lindholm@linaro.org
Subject: Re: [edk2-announce] Soft Feature Freeze starts now for edk2-stable202002
Date: Mon, 17 Feb 2020 08:46:31 +0100
In-Reply-To: <0a4d01d5e556$1a279ed0$4e76dc70$@insyde.com>
References: <0a4d01d5e556$1a279ed0$4e76dc70$@insyde.com>

On 02/17/20 06:49, tim.lewis@insyde.com wrote:
> Liming --
>
> Thanks for the pointer.
>
> The reason I ask is that many users of open source projects such as EDKII
> scan the releases for CVE numbers in order to make sure that critical
> components get updated. This is due to the fact that CVEs often need to be
> reported to downstream users. The Bugzilla list is a little hidden, since
> these CVE fixes are not called out directly in the wiki page. It would be
> much easier if the BZ items that are related to security fixes are promoted
> directly to the wiki page, not just available through a BZ query.

* Any commit that fixes a CVE is supposed to carry the CVE ID in its
subject, in the git history. So if you do

  $ git log --oneline --reverse edk2-stable201911..master | grep CVE

that should give you the list. Right now, it gives me:

- CVE-2019-14563
- CVE-2019-14586
- CVE-2019-14558

* For CVE patches pending review, the mailing list can be searched
similarly. (E.g. posted after a certain date, plus has both "CVE" and
"PATCH" in the subject.) The pending fixes seem to be for:

- CVE-2019-14575
- CVE-2019-14587
- CVE-2019-14559

(Your question is precisely why I've always asked for CVE IDs in patch
subjects.)

Thanks
Laszlo
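The two searches described in the reply above, written out as an added shell example; this is not code from the original mail or from the edk2 project. The live query assumes a git checkout in which the refs edk2-stable201911 and master exist. The sample log lines and list subjects are constructed for the demonstration: the commit hashes, package names and subject wording in them are made up, and only the CVE IDs come from the mail. The one refinement over a plain `grep CVE` is matching the full CVE ID pattern and de-duplicating, so a commit that merely mentions "CVEs" is not counted and a fix split across several commits is listed once.

```shell
#!/bin/sh
# Added example, not code from the original mail or from edk2.
# It reproduces the two searches from the reply: CVE IDs in the git history
# between two refs, and CVE patches still under review on the list.

# Match a full CVE ID rather than the bare word "CVE", so a subject that just
# says "CVEs" is not misread, and print each ID once even when one fix was
# split across several commits.
cve_regex='CVE-[0-9]{4}-[0-9]{4,}'

# extract_cve_ids: stdin is "git log --oneline" style output; stdout is the
# sorted, de-duplicated list of CVE IDs found in it.
extract_cve_ids() {
    grep -Eo "$cve_regex" | sort -u
}

# list_cve_fixes FROM TO: the query from the mail run against a real checkout,
# e.g. "list_cve_fixes edk2-stable201911 master" (assumes both refs exist).
list_cve_fixes() {
    git log --oneline --reverse "$1..$2" | extract_cve_ids
}

# pending_cve_patches: stdin is one mailing-list subject per line; stdout keeps
# only subjects that carry both a "[PATCH" tag and a CVE ID, i.e. fixes that
# have been posted for review.
pending_cve_patches() {
    grep -E '\[PATCH' | grep -E "$cve_regex"
}

# Constructed sample git log output (hashes, package names and subject wording
# are made up): the second commit mentions "CVE" without being a fix, and
# CVE-2019-14563 is split across two commits.
sample_log='1a2b3c4 Pkg/Module: bounds check (CVE-2019-14563)
5d6e7f8 Pkg/Other: tidy comment that talks about CVEs in general
9a0b1c2 Pkg/Module: reject oversized input (CVE-2019-14586)
3d4e5f6 Pkg/Module: second part of the CVE-2019-14563 fix'

# Constructed sample list subjects, same caveat: only the first line is a
# posted patch that carries a CVE ID.
sample_subjects='[edk2-devel] [PATCH v2 1/1] Pkg/Module: fix for CVE-2019-14575
[edk2-devel] Soft Feature Freeze starts now for edk2-stable202002
[edk2-devel] [PATCH] Pkg/Other: unrelated cleanup
[edk2-devel] Re: status of CVE-2019-14587?'

# Run both searches over the constructed samples.
printf '%s\n' "$sample_log" | extract_cve_ids
printf '%s\n' "$sample_subjects" | pending_cve_patches
```

On a real checkout, `list_cve_fixes edk2-stable201911 master` replaces the first sample pipeline; the subject filter can be fed from whatever export of the list archive is at hand (one subject per line). Both filters depend on the convention the mail asks for, the CVE ID being present in the commit or patch subject, so a fix that omits it is invisible to either search.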