This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: Fix nan functions handling of payload strings (bug 16961, bug 16962)


On Fri, 4 Dec 2015, Carlos O'Donell wrote:

> The NEWS entry looks good to me.
> 
> However, I agree with Florian that we need to call out the security related
> changes in a distinct section e.g. "Security related changes:", though I'm
> open to suggestions for how to name it or if it comes first or last in the
> list of changes.

I've committed the patch with the entry in such a section.

> Additionally I think it would be nice to put security+ bugs in their own
> bug list, which involves enhancing or running a different script with query
> to get the list of those bugs.

If we want to add such an option to list-fixed-bugs.py, we should first 
review <https://sourceware.org/ml/libc-alpha/2015-11/msg00191.html> which 
makes it use argparse.  Then, you can add 
&f1=flagtypes.name&o1=substring&v1=security%2B to the URL to get security+ 
bugs (currently three such bugs are listed, 16962, 18240, and 18928, so a 
NEWS entry needs adding for 18240 and that for 18928 (LD_POINTER_GUARD) 
needs moving into the new section and updating to list the reporter).

However, if we're giving each such bug its own NEWS item I don't see the 
use in also having the abbreviated list of such bugs (making the script 
generate it may be helpful, however, in that the release instructions can 
say "make sure each bug listed by list-fixed-bugs.py -s <version> has its 
own NEWS item in that section, naming the reporter and giving the CVE 
identifier").  We can put bug numbers and CVE identifiers in the bugs' own 
NEWS items if we wish.

-- 
Joseph S. Myers
joseph@codesourcery.com

