User Tools

  • Logged in as: anonymous (anonymous)
  • Log Out

Site Tools


mantisbt:handling_security_problems

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Next revisionBoth sides next revision
mantisbt:handling_security_problems [2015/02/13 18:08] – Use InterWiki syntax for MantisBT bug links dregadmantisbt:handling_security_problems [2017/03/10 07:26] – [Obtaining a CVE ID] New process to request CVE via MITRE's form dregad
Line 48: Line 48:
     * Set //Target Version// to the next stable release (e.g. "1.2.x")     * Set //Target Version// to the next stable release (e.g. "1.2.x")
     * Make sure it is indeed **Private**     * Make sure it is indeed **Private**
-  - Notify the rest of the core team about the vulnerability by adding them to the email thread / issue discussion((Do not use the Developer's mailing list to avoid early disclosure.)) (use the //Send Reminder// feature)+  - Notify the rest of the core team about the vulnerability by adding them to the email thread / issue discussion((Do not use the Developer's mailing list to avoid early disclosure.)) (use //@mentions// or the //Send Reminder// feature)
   - Propose a fix by **attaching a git patch** to the issue ((It is important not to leak information about the vulnerability by pushing fixes to the public Github repositories before the disclosure.))   - Propose a fix by **attaching a git patch** to the issue ((It is important not to leak information about the vulnerability by pushing fixes to the public Github repositories before the disclosure.))
-  - The original reporter as well should test the fix to confirm resolution+  - The original reporter should test the fix to confirm resolution
   - If possible, at least one other MantisBT developer should review and test the fix as well   - If possible, at least one other MantisBT developer should review and test the fix as well
  
Line 75: Line 75:
 ==== Obtaining a CVE ID ==== ==== Obtaining a CVE ID ====
  
-Refer to Kurt Seifried's [[https://github.com/RedHatProductSecurity/CVE-HOWTO#how-do-i-request-a-cve|CVE HowTo]] for the process to request a CVE ID.+Fill the form at https://cveform.mitre.org/, following indications on the page.
  
-The request must include:+  * //Vendor of the product// and //Product// should be set to **MantisBT** 
 +  * a couple of examples for the //Version// field 
 +    - Single version: 2.1.0 and later; fixed in 2.2.1 
 +    - Multiple versions: 1.3.0-beta.3 through 2.2.0, fixed in 1.3.7, 2.2.1 
 +  * //Affected components//: the MantisBT page(s) where the problem exists 
 +  * //References// should include (if public) links to 
 +    - the MantisBT issue  
 +    - Github commit(s) with patches fixing the issue
  
-  - description of the issue, including but not limited to +Once the form has been submittedthe system will send a confirmation e-mail with a request number; after reviewMITRE'CVE assignment team will send another e-mail with the CVE IDFrom experience, the CVE ID usually gets assigned within one business day.
-     * type, e.g. XSSsql injection... +
-     * which area of Mantis are affected +
-     * potential consequences of exploiting the bug +
-     * indication on severity +
-  - affected MantisBT version(s+
-  link to MantisBT issue +
-  - optionally, information about the reporter (if available and they do not refuse to be quoted) +
-  - information about the patch (i.e. where it can be found, commit SHA) +
-  - optionallyattach the patch itself+
  
-Here are a few **examples** of public CVE requests: +Note that There are alternatives to request CVE IDs; refer to Kurt Seifried's [[https://github.com/RedHatProductSecurity/CVE-HOWTO#how-do-i-request-a-cve|CVE HowTo]] for further information. 
 + 
 +Here are a few **examples** of public CVE requests, requested via the //oss-security Mailing List//
 [[http://thread.gmane.org/gmane.comp.security.oss.general/15434|1]],  [[http://thread.gmane.org/gmane.comp.security.oss.general/15434|1]], 
 [[http://thread.gmane.org/gmane.comp.security.oss.general/15429|2]],  [[http://thread.gmane.org/gmane.comp.security.oss.general/15429|2]], 
 [[http://thread.gmane.org/gmane.comp.security.oss.general/11351|3]],  [[http://thread.gmane.org/gmane.comp.security.oss.general/11351|3]], 
 [[http://thread.gmane.org/gmane.comp.security.oss.general/9876|4]].  [[http://thread.gmane.org/gmane.comp.security.oss.general/9876|4]]. 
- 
-From experience, the CVE ID usually gets assigned within one business day, but sometimes it takes up to a week. 
  
  
mantisbt/handling_security_problems.txt · Last modified: 2021/07/14 12:08 by dregad

Driven by DokuWiki