Quote from: franco on June 18, 2026, 09:46:28 AM
We may list CVEs for other vendors, but only if no better reference exists. The FreeBSD advisory is clearly better than the CVE information. It's not even public yet:
All I'm asking is for you to even just mention the CVE number in the release notes; it makes it much easier to verify with certainty that a specific issue is patched in a release. Like so:
Quote:
src: arbitrary file overwrite via the KTLS receive path (CVE-2026-45257, FreeBSD-SA-26:26.ktls)[8]