Hi, On Tue, Apr 11, 2017 at 05:24:25PM +0200, Markus Koschany wrote: > Am 11.04.2017 um 17:18 schrieb Salvatore Bonaccorso: > > Hi Markus, > > > > On Tue, Apr 11, 2017 at 02:18:14PM +0000, Debian Bug Tracking System wrote: > >> Processing control commands: > >> > >>> merge 860068 860069 860070 860071 > >> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647 > >> Bug #860069 [src:tomcat8] tomcat8: CVE-2017-5648 > >> Marked as found in versions tomcat8/8.5.11-1. > >> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647 > >> Marked as found in versions tomcat8/8.5.11-1. > >> Bug #860071 [src:tomcat8] tomcat8: CVE-2017-5651 > >> Marked as found in versions tomcat8/8.0.14-1. > >> Bug #860070 [src:tomcat8] tomcat8: CVE-2017-5650 > >> Marked as found in versions tomcat8/8.0.14-1. > >> Merged 860068 860069 860070 860071 > > > > Why the merge? I was a exlicit choice to open 4 bugs due to the > > different CVE's and different affected versions (note that two affect > > 8.0.14-1 and two only 8.5.11-1 but not the version in jessie). > > Hi, > [...] > I suggest to use the found/fixed tags as > needed.
NB: Which is exactly what I did (see the different found versions), to track correctly the version as well in BTS. But now it would treat e.g. CVE-2017-5650 as well as found in 8.0.14-1 which is not true. Anyway, thanks a lot for taking care of those CVEs and fixing them! Regards, Salvatore
