mantisbt:handling_security_problems
Differences
This shows you the differences between two versions of the page.
mantisbt:handling_security_problems [2015/02/13 18:08] – Use InterWiki syntax for MantisBT bug links dregad | mantisbt:handling_security_problems [2017/03/10 07:26] – [Obtaining a CVE ID] New process to request CVE via MITRE's form dregad | ||
Line 48: | Line 48: | ||
* Set //Target Version// to the next stable release (e.g. " | * Set //Target Version// to the next stable release (e.g. " | ||
* Make sure it is indeed **Private** | * Make sure it is indeed **Private** | ||
- | - Notify the rest of the core team about the vulnerability by adding them to the email thread / issue discussion((Do not use the Developer' | + | - Notify the rest of the core team about the vulnerability by adding them to the email thread / issue discussion((Do not use the Developer' |
- Propose a fix by **attaching a git patch** to the issue ((It is important not to leak information about the vulnerability by pushing fixes to the public Github repositories before the disclosure.)) | - Propose a fix by **attaching a git patch** to the issue ((It is important not to leak information about the vulnerability by pushing fixes to the public Github repositories before the disclosure.)) | ||
- | - The original reporter | + | - The original reporter should test the fix to confirm resolution |
- If possible, at least one other MantisBT developer should review and test the fix as well | - If possible, at least one other MantisBT developer should review and test the fix as well | ||
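The steps above say to propose the fix as a git patch attached to the private issue rather than pushing it to the public GitHub repositories. The following is an added example (not from the MantisBT wiki and not the project's own tooling) showing one way to do that with two checks a reviewer wants before the reporter tests: the fix branch has not already reached any remote, and the patch series applies cleanly to the base the reporter will test against. It assumes git is installed; the repository, branch names, the `make_private_patch` function and the constructed PHP file contents are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the MantisBT wiki or code base.
# Turns a privately developed security fix into patch files suitable for
# attaching to a private issue, without the fix ever leaving the local repo.
set -eu

# make_private_patch <repo> <base-ref> <fix-branch> <outdir>
# Writes one .patch file per commit in base..fix-branch into outdir and prints
# the path of the last one. Fails if the branch is already on a remote or if
# the series does not apply to the base.
make_private_patch() {
    repo=$1; base=$2; fix=$3; outdir=$4
    mkdir -p "$outdir"

    # A security fix must not reach the public repository before disclosure:
    # refuse if any remote-tracking branch already contains the fix commit.
    if [ -n "$(git -C "$repo" branch -r --contains "$fix")" ]; then
        echo "refusing: $fix already exists on a remote" >&2
        return 1
    fi

    # format-patch prints the file names it wrote; keep the last one.
    last=$(git -C "$repo" format-patch -o "$outdir" "$base..$fix" | tail -n 1)

    # Dry-run the series in a throwaway detached worktree at the base, so that
    # drift between the fix branch and the release base is caught before the
    # reporter and reviewers spend time on it. Patches are applied in order
    # (0001-, 0002-, ...) so later patches may depend on earlier ones.
    wt_root=$(mktemp -d)
    wt=$wt_root/base
    git -C "$repo" worktree add --detach "$wt" "$base" >/dev/null 2>&1
    ok=0
    for p in "$outdir"/*.patch; do
        git -C "$wt" apply "$p" || { ok=1; break; }
    done
    rm -rf "$wt_root"
    git -C "$repo" worktree prune
    if [ "$ok" -ne 0 ]; then
        echo "patch series does not apply cleanly to $base" >&2
        return 1
    fi
    printf '%s\n' "$last"
}

# demo: build a constructed throwaway repository with an unescaped-output bug
# on the main line and the fix on a private branch, then produce the patch.
# Prints the path of the generated patch file.
demo() {
    work=$(mktemp -d)
    repo=$work/mantisbt
    # Identity for the throwaway commits (hypothetical values).
    export GIT_AUTHOR_NAME=dev GIT_AUTHOR_EMAIL=dev@example.invalid
    export GIT_COMMITTER_NAME=dev GIT_COMMITTER_EMAIL=dev@example.invalid
    git init -q "$repo"
    # Constructed vulnerable page: user input echoed into HTML unescaped.
    printf '%s\n' '<?php' 'echo $_GET["q"];' > "$repo/search.php"
    git -C "$repo" add search.php
    git -C "$repo" commit -q -m "Add search page"
    # The fix lives on a local branch only; it is never pushed.
    git -C "$repo" checkout -q -b private/fix-xss
    printf '%s\n' '<?php' \
        'echo htmlspecialchars($_GET["q"], ENT_QUOTES, "UTF-8");' \
        > "$repo/search.php"
    git -C "$repo" commit -q -am "Escape search query before output"
    base=$(git -C "$repo" rev-parse HEAD~1)
    make_private_patch "$repo" "$base" private/fix-xss "$work/patches"
}
```

The resulting `.patch` file is what gets attached to the private issue; the reporter and a second developer can apply it with `git am` on a checkout of the base to reproduce and confirm the fix, and the commit only goes to GitHub once the disclosure is made.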
Line 75: | Line 75: | ||
==== Obtaining a CVE ID ==== | ==== Obtaining a CVE ID ==== | ||
- | Refer to Kurt Seifried' | + | Fill in the form at https://cveform.mitre.org/, following the instructions on the page. |
- | The request must include: | + | * //Vendor of the product// and //Product// should be set to **MantisBT** |
+ | * a couple of examples for the //Version// field: | ||
+ | - Single version: 2.1.0 and later; fixed in 2.2.1 | ||
+ | - Multiple versions: 1.3.0-beta.3 through 2.2.0, fixed in 1.3.7, 2.2.1 | ||
+ | * //Affected components//: | ||
+ | * // | ||
+ | - the MantisBT issue | ||
+ | - Github commit(s) with patches fixing the issue | ||
- | - description of the issue, including but not limited to | + | Once the form has been submitted, the system will send a confirmation |
- | * type, e.g. XSS, sql injection... | + | |
- | * which area of Mantis are affected | + | |
- | * potential consequences of exploiting the bug | + | |
- | * indication on severity | + | |
- | - affected MantisBT version(s) | + | |
- | | + | |
- | - optionally, information about the reporter (if available and they do not refuse to be quoted) | + | |
- | - information about the patch (i.e. where it can be found, commit SHA) | + | |
- | - optionally, attach | + | |
- | Here are a few **examples** of public CVE requests: | + | Note that there are alternative ways to request CVE IDs; refer to Kurt Seifried' |
+ | |||
+ | Here are a few **examples** of public CVE requests, requested via the // | ||
[[http:// | [[http:// | ||
[[http:// | [[http:// | ||
[[http:// | [[http:// | ||
[[http:// | [[http:// | ||
- | |||
- | From experience, the CVE ID usually gets assigned within one business day, but sometimes it takes up to a week. | ||
mantisbt/handling_security_problems.txt · Last modified: 2021/07/14 12:08 by dregad