Merge ~flor-cabral/ubuntu-cve-tracker:CVE-2021-37146 into ubuntu-cve-tracker:master
Proposed by
Florencia Cabral
Status: | Superseded |
---|---|
Proposed branch: | ~flor-cabral/ubuntu-cve-tracker:CVE-2021-37146 |
Merge into: | ubuntu-cve-tracker:master |
Diff against target: | 10 lines (+2/-0), 1 file modified: active/CVE-2021-37146 (+2/-0) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Eduardo Barretto | Needs Fixing | ||
Review via email: mp+430402@code.launchpad.net |
Commit message
Add status for ROS ESM packages
Description of the change
Add statuses for Xenial (ROS Kinetic) and Bionic (ROS Melodic) distros for the ROS ESM supported packages ('ros-kinetic-
There are quite a few things that need fixing, but to give some more background, our package status lines follow the pattern:
<product>/<release>_<source-pkg-name>: <status>
For Ubuntu archive the product is 'ubuntu', and therefore it can be omitted. So
ubuntu/xenial_<source-pkg-name>: <status>
is the same as
xenial_<source-pkg-name>: <status>
For other products that are not ubuntu archive, you will need to specify them.
Therefore:
1. the ros-kinetic line should be like:
ros-esm/xenial_ros-kinetic-ros-comm: not-affected (<reason>)
The product is ros-esm and it needs to be specified, otherwise this will be understood as ubuntu product.
You see I've included a reason there, we always try to say why a package is not-affected. It could be because it was fixed in a previous version, then we would say for example:
not-affected (1.2.3-1)
It could be that it is not affected because the vulnerable code does not exist in that package version that we have, then we would have:
not-affected (code not present)
2. The ros-melodic line has not only the same issue as above about the product, but also ros-melodic-ros-comm is not in the ros-esm-bionic-melodic-supported.txt at all. So you cannot have that line, if you do not have the package listed in the supported file.
You will need to review and add if missing ros-melodic-ros-comm to the supported file.
After you have done the above, the line will look like:
ros-esm/bionic_ros-melodic-ros-comm: released (<version number>)
Every released status needs a version number after it, being the version number the version that you fixed the CVE.
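
The status-line rules from the review above, as an added example (not part of the original comment and not ubuntu-cve-tracker's own checker): a small Python parser and linter for the `<product>/<release>_<source-pkg-name>: <status>` pattern. The regular expression, the function names and the in-memory `SUPPORTED` table are assumptions made for illustration, and the table's contents are constructed.

```python
import re

# <product>/<release>_<source-pkg-name>: <status> (<detail>)
# The "<product>/" prefix is optional and defaults to "ubuntu".
LINE_RE = re.compile(
    r"^(?:(?P<product>[a-z0-9-]+)/)?"
    r"(?P<release>[a-z]+)_(?P<package>[a-z0-9][a-z0-9+.-]*):\s*"
    r"(?P<status>[A-Za-z-]+)(?:\s+\((?P<detail>[^)]*)\))?\s*$"
)


def parse_status_line(line):
    """Split one status line into its fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["product"] = fields["product"] or "ubuntu"  # omitted product means ubuntu
    return fields


def check_status_line(line, supported):
    """Return a list of problems found in one status line.

    `supported` maps (product, release) to the set of source packages listed
    in that product's supported file (hypothetical in-memory stand-in).
    """
    fields = parse_status_line(line)
    if fields is None:
        return ["does not match <product>/<release>_<source-pkg-name>: <status>"]
    problems = []
    key = (fields["product"], fields["release"])
    if fields["product"] != "ubuntu" and fields["package"] not in supported.get(key, set()):
        problems.append("package not listed in the supported file for %s/%s" % key)
    detail = (fields["detail"] or "").strip()
    if fields["status"] == "released" and not detail:
        problems.append("released needs a version number")
    if fields["status"] == "not-affected" and not detail:
        problems.append("not-affected should say why")
    return problems


# Constructed sample data, not the real contents of any supported file.
SUPPORTED = {("ros-esm", "xenial"): {"ros-kinetic-ros-comm"}}
```

A line without a product prefix parses as the ubuntu product, which is why the ROS ESM entries need the explicit `ros-esm/` prefix to be checked against the right supported list.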