Thread: CVE Links are broken on the PG 10.1 news page
here : https://www.postgresql.org/about/news/1801/

The 3 CVE links lead to a 404 page on RH website :

https://access.redhat.com/security/cve/CVE-2017-12172
https://access.redhat.com/security/cve/CVE-2017-15098
https://access.redhat.com/security/cve/CVE-2017-15099

--
Damien Clochard
> On 10 Nov 2017, at 11:15, Damien Clochard <damien@dalibo.info> wrote:
>
> here :
> https://www.postgresql.org/about/news/1801/
>
> The 3 CVE links lead to a 404 page on RH website :
>
> https://access.redhat.com/security/cve/CVE-2017-12172
> https://access.redhat.com/security/cve/CVE-2017-15098
> https://access.redhat.com/security/cve/CVE-2017-15099

IIRC that’s the case with every security release, the Redhat site isn’t
publishing them immediately but will eventually (soonish) have them.

cheers ./daniel
On 10.11.2017 11:17, Daniel Gustafsson wrote:
>> On 10 Nov 2017, at 11:15, Damien Clochard <damien@dalibo.info> wrote:
>>
>> here :
>> https://www.postgresql.org/about/news/1801/
>>
>> The 3 CVE links lead to a 404 page on RH website :
>>
>> https://access.redhat.com/security/cve/CVE-2017-12172
>> https://access.redhat.com/security/cve/CVE-2017-15098
>> https://access.redhat.com/security/cve/CVE-2017-15099
>
> IIRC that’s the case with every security release, the Redhat site
> isn’t publishing them immediately but will eventually (soonish) have them.
>

Ok I was not aware of that. It makes sense, but maybe we could add this explanation in the release announcement so that people like me don't get confused by the broken links ? :)

--
Damien Clochard
> On 10 Nov 2017, at 12:14, Damien Clochard <damien@dalibo.info> wrote:
>
> On 10.11.2017 11:17, Daniel Gustafsson wrote:
>>> On 10 Nov 2017, at 11:15, Damien Clochard <damien@dalibo.info> wrote:
>>> here :
>>> https://www.postgresql.org/about/news/1801/
>>> The 3 CVE links lead to a 404 page on RH website :
>>> https://access.redhat.com/security/cve/CVE-2017-12172
>>> https://access.redhat.com/security/cve/CVE-2017-15098
>>> https://access.redhat.com/security/cve/CVE-2017-15099
>> IIRC that’s the case with every security release, the Redhat site isn’t
>> publishing them immediately but will eventually (soonish) have them.
>
> Ok I was not aware of that. It makes sense, but maybe we could add this explanation in the release announcement so that people like me don't get confused by the broken links ? :)

Even better would probably be to not make them actual links until the target URL exists.

cheers ./daniel
On Fri, Nov 10, 2017 at 2:56 PM, Daniel Gustafsson <daniel@yesql.se> wrote:
> On 10 Nov 2017, at 12:14, Damien Clochard <damien@dalibo.info> wrote:
>
> On 10.11.2017 11:17, Daniel Gustafsson wrote:
>>> On 10 Nov 2017, at 11:15, Damien Clochard <damien@dalibo.info> wrote:
>>> here :
>>> https://www.postgresql.org/about/news/1801/
>>> The 3 CVE links lead to a 404 page on RH website :
>>> https://access.redhat.com/security/cve/CVE-2017-12172
>>> https://access.redhat.com/security/cve/CVE-2017-15098
>>> https://access.redhat.com/security/cve/CVE-2017-15099
>> IIRC that’s the case with every security release, the Redhat site isn’t
>> publishing them immediately but will eventually (soonish) have them.
>
> Ok I was not aware of that. It makes sense, but maybe we could add this explanation in the release announcement so that people like me don't get confused by the broken links ? :)
Even better would probably be to not make them actual links until the target
URL exists.
We used to do it that way. Which then meant they usually didn't get updated
until the next round of releases, because it got forgotten :/
Magnus Hagander <magnus@hagander.net> writes:
> On Fri, Nov 10, 2017 at 2:56 PM, Daniel Gustafsson <daniel@yesql.se> wrote:
>> On 10 Nov 2017, at 12:14, Damien Clochard <damien@dalibo.info> wrote:
>>> The 3 CVE links lead to a 404 page on RH website :
>>> https://access.redhat.com/security/cve/CVE-2017-12172
>>> https://access.redhat.com/security/cve/CVE-2017-15098
>>> https://access.redhat.com/security/cve/CVE-2017-15099

>> Even better would probably be to not make them actual links until the
>> target URL exists.

> We used to do it that way. Which then meant they usually didn't get updated
> until the next round of releases, because it got forgotten :/

FWIW, I see that -12172 just got de-embargoed. Probably the other two
will follow shortly.

regards, tom lane
> On Nov 10, 2017, at 11:32 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> Magnus Hagander <magnus@hagander.net> writes:
>> On Fri, Nov 10, 2017 at 2:56 PM, Daniel Gustafsson <daniel@yesql.se> wrote:
>>> On 10 Nov 2017, at 12:14, Damien Clochard <damien@dalibo.info> wrote:
>>>> The 3 CVE links lead to a 404 page on RH website :
>>>> https://access.redhat.com/security/cve/CVE-2017-12172
>>>> https://access.redhat.com/security/cve/CVE-2017-15098
>>>> https://access.redhat.com/security/cve/CVE-2017-15099
>
>>> Even better would probably be to not make them actual links until the
>>> target URL exists.
>
>> We used to do it that way. Which then meant they usually didn't get updated
>> until the next round of releases, because it got forgotten :/
>
> FWIW, I see that -12172 just got de-embargoed. Probably the other two
> will follow shortly.

Interestingly enough, when I checked post-release yesterday, they were available, so they must have been re-embargoed shortly thereafter.

Jonathan
On Fri, Nov 10, 2017 at 5:55 PM, Jonathan S. Katz <jkatz@postgresql.org> wrote:
> On Nov 10, 2017, at 11:32 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> Magnus Hagander <magnus@hagander.net> writes:
>> On Fri, Nov 10, 2017 at 2:56 PM, Daniel Gustafsson <daniel@yesql.se> wrote:
>>> On 10 Nov 2017, at 12:14, Damien Clochard <damien@dalibo.info> wrote:
>>>> The 3 CVE links lead to a 404 page on RH website :
>>>> https://access.redhat.com/security/cve/CVE-2017-12172
>>>> https://access.redhat.com/security/cve/CVE-2017-15098
>>>> https://access.redhat.com/security/cve/CVE-2017-15099
>
>>> Even better would probably be to not make them actual links until the
>>> target URL exists.
>
>> We used to do it that way. Which then meant they usually didn't get updated
>> until the next round of releases, because it got forgotten :/
>
> FWIW, I see that -12172 just got de-embargoed. Probably the other two
> will follow shortly.
Interestingly enough, when I checked post-release yesterday, they were available, so they must have been re-embargoed shortly thereafter.
I think the right thing to do here will materialize itself once I have finished off the branch which databaseifies the list. When we've reached that point we can have a cronjob that pings the redhat urls and turns it into a link only once they stop returning 404.

Until then I think we're best off just keeping it the way it is now.
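The cronjob sketched in the message above, as an added example that is not part of the thread and not the postgresql.org website's code. It assumes a fetcher callable that returns the HTTP status of a URL (the default below does a HEAD request with urllib; an offline stub is injected in the demo), and it builds the Red Hat URL only from identifiers that match the CVE-YYYY-NNNN shape so an arbitrary string can never be spliced into a link target. Two points a practitioner would want: only a 200 produces a link, so a 5xx or a timeout during the check cannot turn into a broken link on the news page, and the whole state is recomputed on every run, so a page that goes back to 404 (the re-embargo Jonathan observed) is de-linked again on the next pass.

```python
"""Turn CVE identifiers into links only while their advisory page exists.

Added example for the thread above; not the postgresql.org site code.
Assumed: a fetcher returning an HTTP status code for a URL (default uses
urllib HEAD; tests and the demo inject an offline stub).
"""
import html
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List

# Base URL as it appears in the thread.
REDHAT_CVE_BASE = "https://access.redhat.com/security/cve/"
# Identifier shape: CVE-, four-digit year, at least four digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def is_valid_cve_id(cve_id: str) -> bool:
    """Reject anything that is not a well-formed CVE id before it reaches a URL."""
    return bool(CVE_ID_RE.match(cve_id))


def cve_url(cve_id: str) -> str:
    if not is_valid_cve_id(cve_id):
        raise ValueError("not a CVE identifier: %r" % (cve_id,))
    return REDHAT_CVE_BASE + cve_id


def http_status(url: str, timeout: float = 10.0) -> int:
    """Default fetcher (assumption, not the website's): HEAD the URL and
    return the status code. Network failures are reported as 0 so the caller
    treats them as 'not known to exist'."""
    req = urllib.request.Request(
        url, method="HEAD", headers={"User-Agent": "cve-link-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except (urllib.error.URLError, OSError):
        return 0


def link_state(cve_ids: Iterable[str],
               fetch: Callable[[str], int] = http_status) -> Dict[str, bool]:
    """Map each CVE id to whether its Red Hat page exists right now.

    Only a 200 counts. A 404 (not yet published, or re-embargoed) as well as
    a 5xx or a timeout all leave the entry unlinked, so a flaky check never
    yields a broken link. Recomputing everything each run keeps the job
    idempotent: a page that disappears again is de-linked on the next pass."""
    return {cve_id: fetch(cve_url(cve_id)) == 200 for cve_id in cve_ids}


def render_cve_refs(cve_ids: List[str],
                    fetch: Callable[[str], int] = http_status) -> str:
    """Render the CVE list as HTML: an <a> for ids whose target exists,
    escaped plain text otherwise."""
    state = link_state(cve_ids, fetch)
    parts = []
    for cve_id in cve_ids:
        if state[cve_id]:
            parts.append('<a href="%s">%s</a>'
                         % (html.escape(cve_url(cve_id)), html.escape(cve_id)))
        else:
            parts.append(html.escape(cve_id))
    return ", ".join(parts)


if __name__ == "__main__":
    # Constructed offline sample: one page live, one still 404, one erroring.
    sample = {
        REDHAT_CVE_BASE + "CVE-2017-12172": 200,
        REDHAT_CVE_BASE + "CVE-2017-15098": 404,
        REDHAT_CVE_BASE + "CVE-2017-15099": 503,
    }
    ids = ["CVE-2017-12172", "CVE-2017-15098", "CVE-2017-15099"]
    print(render_cve_refs(ids, fetch=lambda url: sample.get(url, 0)))
```

Run from cron, the real fetcher replaces the stub and the rendered string is what gets stored for the news item; because the check is a HEAD against a third-party site, keep the timeout short and treat anything other than 200 as "not yet".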