It is confusing currently. The updates should be announced by a single mail. More on this issue:
https://www.redhat.com/archives/fedora-security-list/2008-February/msg00004.html
Can you throw together a mockup of how you want them to look? I'd be happy to implement it.
Fedora Security and Bug fix Update Notification }}}
Sometimes new releases contain both Enhancements and Bug fixes. Or security fixes and other bug fixes. This is not particularly related to security updates though
{{{ Name: FEDORA-2008-1535 Time: 2008-02-13 04:18:18 Product: Fedora 8 }}}
Maybe these can be gotten rid of. The title could contain the update number, and the sentence below can end with "...for Fedora 8". Mail header contains date and time.
The following packages are now available: }}}
Or {{{The following package is now available:}}}
{{{ openvrml-0.17.5-2.fc8 VRML/X3D runtime library
gnome-python2-extras-2.19.1-12.fc8 The sources for additional. PyGNOME Python extension modules.
devhelp-0.16.1-5.fc8 API document browser
yelp-2.20.0-7.fc8 A system documentation reader from the Gnome project
galeon-2.0.4-1.fc8.2 GNOME2 Web browser based on Mozilla
gnome-web-photo-0.3-8.fc8 HTML pages thumbnailer
epiphany-2.20.2-3.fc8 GNOME web browser based on the Mozilla rendering engine
ruby-gnome2-0.16.0-20.fc8 Ruby binding of libgnome/libgnomeui-2.x
epiphany-extensions-2.20.1-5.fc8 Extensions for Epiphany, the GNOME web browser
liferea-1.4.11-2.fc8 An RSS/RDF feed reader
kazehakase-0.5.2-1.fc8.2 Kazehakase browser
firefox-2.0.0.12-1.fc8 Mozilla Firefox Web browser.
Miro-1.1-3.fc8 Miro - Internet TV Player
gtkmozembedmm-1.4.2.cvs20060817-18.fc8 C++ wrapper for GtkMozembed
chmsee-1.0.0-1.28.fc8 A Gtk+2 CHM document viewer
blam-1.8.3-13.fc8 An RSS/RDF feed reader }}}
Yep, this section looks ugly here. Mozilla ABI instability is ugly.
Update Information:
Several flaws were found in the way Firefox processed certain malformed web content.
A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419)
Several flaws were found in the way Firefox displayed malformed web content. A webpage containing specially-crafted content could trick a user into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593)
A flaw was found in the way Firefox stored password data. If a user saves login information for a malicious website, it could be possible to corrupt the password database, preventing the user from properly accessing saved password data. (CVE-2008-0417)
A flaw was found in the way Firefox handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious website to steal sensitive session data. Note: this flaw does not affect a default installation of Firefox. (CVE-2008-0418)
A flaw was found in the way Firefox saves certain text files. If a website offers a file of type "plain/text", rather than "text/plain", Firefox will not show future "text/plain" content to the user in the browser, forcing them to save those files locally to view the content. (CVE-2008-0592)
Users of firefox are advised to upgrade to these updated packages, which contain updated packages to resolve these issues. }}}
This is Red Hat styled advisory text and is perfectly ok for large updates of popular updates like this. For simple ones, References with good bug names and CVE names are considered to be good enough.
Either bug submitter or Bodhi formatted that too badly. It should at the very least obey line breaks (especially when they are doubled) and fold lines at column 75. Bodhi should provide a preview of the update mail to the maintainer.
This is probably related to https://fedorahosted.org/fedora-infrastructure/ticket/282
Also, the firefox update text was poor at explaining why packages other than firefox are being updated. If this problem repeats in future, the Security Response Team will fix the text prior to giving approval.
References:
[ 1 ] Bug #431732 - CVE-2008-0412 Mozilla layout engine crashes
      https://bugzilla.redhat.com/show_bug.cgi?id=431732
[ 2 ] Bug #431733 - CVE-2008-0413 Mozilla javascript engine crashes
      https://bugzilla.redhat.com/show_bug.cgi?id=431733
[ 3 ] Bug #432040 - CVE-2008-0414 mozilla: multiple file input focus stealing vulnerabilities
      https://bugzilla.redhat.com/show_bug.cgi?id=432040
[ 4 ] Bug #431739 - CVE-2008-0415 Mozilla arbitrary code execution
      https://bugzilla.redhat.com/show_bug.cgi?id=431739
[ 5 ] Bug #431742 - CVE-2008-0417 Mozilla arbitrary code execution
      https://bugzilla.redhat.com/show_bug.cgi?id=431742
[ 6 ] Bug #431748 - CVE-2008-0418 Mozilla chrome: directory traversal
      https://bugzilla.redhat.com/show_bug.cgi?id=431748
[ 7 ] Bug #431749 - CVE-2008-0419 Mozilla arbitrary code execution
      https://bugzilla.redhat.com/show_bug.cgi?id=431749
[ 8 ] Bug #431751 - CVE-2008-0591 Mozilla information disclosure flaw
      https://bugzilla.redhat.com/show_bug.cgi?id=431751
[ 9 ] Bug #431752 - CVE-2008-0592 Mozilla text file mishandling
      https://bugzilla.redhat.com/show_bug.cgi?id=431752
[ 10 ] Bug #431756 - CVE-2008-0593 Mozilla URL token stealing flaw
      https://bugzilla.redhat.com/show_bug.cgi?id=431756
[ 11 ] Bug #432036 - CVE-2008-0594 mozilla: web forgery warning may not be displayed
      https://bugzilla.redhat.com/show_bug.cgi?id=432036
}}}
This is done perfectly, and if anyone's uncomfortable with opening bugzilla links he has CVE names and a more-or-less sufficient explanation of the bug. If that's not enough, something would be wrong with him.
This update can be installed with the "yum" update program. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at http://fedoraproject.org/keys }}}
I removed the "{{{Use su -c 'yum update gnome-web-photo' at the command line.}}}"
}}}
I skipped changelogs. They cannot be easily incorporated here.
Has there been any work on this ticket recently?
Migrated to bodhi's trac: https://fedorahosted.org/bodhi/ticket/723