On Mon, May 08, 2017 at 04:43:13PM +0200, Julien Lepiller wrote:
> Hi,
>
> here is a patch to update libetpan to version 1.8. This update also
> fixes CVE-2017-8825. Should it be mentioned in the commit log?

Thanks! Yes, I would add [fixes CVE-2017-8825] to the end of the first line of the commit message. I bet the majority of updates include fixes for exploitable bugs (at least for C programs), but it's still useful to include these bug identifiers in the commit log, when we know about them.