Wiki

User Tools

  • Logged in as: anonymous (anonymous)
  • Log Out

Site Tools

Trace:
mantisbt:handling_security_problems

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
Last revisionBoth sides next revision
mantisbt:handling_security_problems [2017/03/10 04:39] – [Once the issue has been logged] reference @mentions dregadmantisbt:handling_security_problems [2017/03/10 07:34] – Add "Reference the CVE" section dregad
Line 75: Line 75:
 ==== Obtaining a CVE ID ==== ==== Obtaining a CVE ID ====
  
-Refer to Kurt Seifried's [[https://github.com/RedHatProductSecurity/CVE-HOWTO#how-do-i-request-a-cve|CVE HowTo]] for the process to request a CVE ID.+Fill the form at https://cveform.mitre.org/, following indications on the page.
  
-The request must include:+  * //Vendor of the product// and //Product// should be set to **MantisBT** 
 +  * a couple of examples for the //Version// field 
 +    - Single version: 2.1.0 and later; fixed in 2.2.1 
 +    - Multiple versions: 1.3.0-beta.3 through 2.2.0, fixed in 1.3.7, 2.2.1 
 +  * //Affected components//: the MantisBT page(s) where the problem exists 
 +  * //References// should include (if public) links to 
 +    - the MantisBT issue  
 +    - Github commit(s) with patches fixing the issue
  
-  - description of the issue, including but not limited to +Once the form has been submittedthe system will send a confirmation e-mail with a request number; after reviewMITRE'CVE assignment team will send another e-mail with the CVE IDFrom experience, the CVE ID usually gets assigned within one business day.
-     * type, e.g. XSSsql injection... +
-     * which area of Mantis are affected +
-     * potential consequences of exploiting the bug +
-     * indication on severity +
-  - affected MantisBT version(s+
-  link to MantisBT issue +
-  - optionally, information about the reporter (if available and they do not refuse to be quoted) +
-  - information about the patch (i.e. where it can be found, commit SHA) +
-  - optionallyattach the patch itself+
  
-Here are a few **examples** of public CVE requests: +Note that There are alternatives to request CVE IDs; refer to Kurt Seifried's [[https://github.com/RedHatProductSecurity/CVE-HOWTO#how-do-i-request-a-cve|CVE HowTo]] for further information. 
 + 
 +Here are a few **examples** of public CVE requests, requested via the //oss-security Mailing List//
 [[http://thread.gmane.org/gmane.comp.security.oss.general/15434|1]],  [[http://thread.gmane.org/gmane.comp.security.oss.general/15434|1]], 
 [[http://thread.gmane.org/gmane.comp.security.oss.general/15429|2]],  [[http://thread.gmane.org/gmane.comp.security.oss.general/15429|2]], 
Line 96: Line 96:
 [[http://thread.gmane.org/gmane.comp.security.oss.general/9876|4]].  [[http://thread.gmane.org/gmane.comp.security.oss.general/9876|4]]. 
  
-From experience, the CVE ID usually gets assigned within one business daybut sometimes it takes up to a week.+==== Reference the CVE ID ==== 
 + 
 +Once the CVE ID has been assigned, it must be referenced in MantisBT, and used in every communication related to the security issue
  
 +  * MantisBT's issue tracker (**Mandatory**): prefix the issue's summary with ''CVE-YYYY-XXXX - ''
 +  * in commit messages
 +  * on GitHub pull requests
 +  * in mailing lists discussions
 +  * in announcements (e.g. release notes, blog post, twitter...)
 +  * etc
  
mantisbt/handling_security_problems.txt · Last modified: 2021/07/14 12:08 by dregad
CC Attribution-Noncommercial-Share Alike 4.0 International Driven by DokuWiki