mantisbt:handling_security_problems

Differences

This shows you the differences between two versions of the page.

mantisbt:handling_security_problems [2017/03/10 04:39] – [Once the issue has been logged] reference @mentions dregad
mantisbt:handling_security_problems [2017/03/10 07:26] – [Obtaining a CVE ID] New process to request CVE via MITRE's form dregad
Line 75: Line 75:
 ==== Obtaining a CVE ID ==== ==== Obtaining a CVE ID ====
  
-Refer to Kurt Seifried's [[https://github.com/RedHatProductSecurity/CVE-HOWTO#how-do-i-request-a-cve|CVE HowTo]] for the process to request a CVE ID.+Fill the form at https://cveform.mitre.org/, following indications on the page.
  
-The request must include:+  * //Vendor of the product// and //Product// should be set to **MantisBT** 
 +  * a couple of examples for the //Version// field 
 +    - Single version: 2.1.0 and later; fixed in 2.2.1 
 +    - Multiple versions: 1.3.0-beta.3 through 2.2.0, fixed in 1.3.7, 2.2.1 
 +  * //Affected components//: the MantisBT page(s) where the problem exists 
 +  * //References// should include (if public) links to 
 +    - the MantisBT issue  
 +    - Github commit(s) with patches fixing the issue
  
-  - description of the issue, including but not limited to +Once the form has been submittedthe system will send a confirmation e-mail with a request number; after reviewMITRE'CVE assignment team will send another e-mail with the CVE IDFrom experience, the CVE ID usually gets assigned within one business day.
-     * type, e.g. XSSsql injection... +
-     * which area of Mantis are affected +
-     * potential consequences of exploiting the bug +
-     * indication on severity +
-  - affected MantisBT version(s+
-  link to MantisBT issue +
-  - optionally, information about the reporter (if available and they do not refuse to be quoted) +
-  - information about the patch (i.e. where it can be found, commit SHA) +
-  - optionallyattach the patch itself+
  
-Here are a few **examples** of public CVE requests: +Note that There are alternatives to request CVE IDs; refer to Kurt Seifried's [[https://github.com/RedHatProductSecurity/CVE-HOWTO#how-do-i-request-a-cve|CVE HowTo]] for further information. 
 + 
 +Here are a few **examples** of public CVE requests, requested via the //oss-security Mailing List//
 [[http://thread.gmane.org/gmane.comp.security.oss.general/15434|1]],  [[http://thread.gmane.org/gmane.comp.security.oss.general/15434|1]], 
 [[http://thread.gmane.org/gmane.comp.security.oss.general/15429|2]],  [[http://thread.gmane.org/gmane.comp.security.oss.general/15429|2]], 
 [[http://thread.gmane.org/gmane.comp.security.oss.general/11351|3]],  [[http://thread.gmane.org/gmane.comp.security.oss.general/11351|3]], 
 [[http://thread.gmane.org/gmane.comp.security.oss.general/9876|4]].  [[http://thread.gmane.org/gmane.comp.security.oss.general/9876|4]]. 
- 
-From experience, the CVE ID usually gets assigned within one business day, but sometimes it takes up to a week. 
  
  
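Review bot: the replacement bullet list in this hunk no longer asks the requester to describe the issue itself (type such as XSS or SQL injection, affected area, potential consequences, severity), which the removed `-  - description of the issue` block required; a bullet stating what to put in the issue description would keep that guidance for whoever fills the form. The new closing sentence on the `+Once the form has been submitted` line also drops the "but sometimes it takes up to a week" caveat from the removed `-From experience` line; unless the MITRE form is known to be consistently faster, keep the upper bound so readers plan the disclosure timeline accordingly. Minor: `Fill the form` reads better as `Fill in the form`, and `Note that There are` has a stray capital. That same `+Once the form has been submitted` line appears to have lost punctuation in the rendered diff (`submittedthe`, `reviewMITRE'CVE`, `CVE IDFrom`); worth checking the saved page text reads `submitted, the`, `review, MITRE's CVE` and `CVE ID. From`.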
mantisbt/handling_security_problems.txt · Last modified: 2021/07/14 12:08 by dregad

CC Attribution-Noncommercial-Share Alike 4.0 International Driven by DokuWiki