mantisbt:handling_security_problems
Differences
mantisbt:handling_security_problems [2015/01/28 06:47] – Update "Obtain CVE" section following publication of CVE-HOWTO dregad | mantisbt:handling_security_problems [2021/07/14 12:08] (current) – Must be logged in with mantisbt.org account dregad | ||
---|---|---|---|
Line 10: | Line 10: | ||
If you discover a security issue or what you think could be one, please | If you discover a security issue or what you think could be one, please | ||
- | [[http://www.mantisbt.org/ | + | [[https:// |
+ | ((You must be logged-in with your mantisbt.org account to use this link)) | ||
in our bug tracker following the guidelines below. | in our bug tracker following the guidelines below. | ||
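Review bot: the new footnote on the updated link requires a mantisbt.org account, but the hunk gives no route for a reporter who has none; since the rest of this page relies on an email thread as well as the issue discussion, state the fallback here so a private report from an outside researcher is not lost at the first step. Minor: "logged-in" should be "logged in" as a predicate; switching the link to https is the right move.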
Line 48: | Line 49: | ||
* Set //Target Version// to the next stable release (e.g. " | * Set //Target Version// to the next stable release (e.g. " | ||
* Make sure it is indeed **Private** | * Make sure it is indeed **Private** | ||
- | - Notify the rest of the core team about the vulnerability by adding them to the email thread / issue discussion((Do not use the Developer' | + | - Notify the rest of the core team about the vulnerability by adding them to the email thread / issue discussion((Do not use the Developer' |
- Propose a fix by **attaching a git patch** to the issue ((It is important not to leak information about the vulnerability by pushing fixes to the public Github repositories before the disclosure.)) | - Propose a fix by **attaching a git patch** to the issue ((It is important not to leak information about the vulnerability by pushing fixes to the public Github repositories before the disclosure.)) | ||
- | - The original reporter | + | - The original reporter should test the fix to confirm resolution |
- If possible, at least one other MantisBT developer should review and test the fix as well | - If possible, at least one other MantisBT developer should review and test the fix as well | ||
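Review bot: the reworded reporter step should say what is being tested: the git patch attached in the preceding step, applied to the Target Version set above, so that "confirm resolution" is a concrete check rather than a re-read of the report, and so the patch stays an attachment (not a public push) until disclosure, as that step's footnote requires. Style: "Github" should be "GitHub" in both columns.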
Line 64: | Line 65: | ||
- [[# | - [[# | ||
- Once a CVE ID has been assigned, the bugtracker issue summary must be updated | - Once a CVE ID has been assigned, the bugtracker issue summary must be updated | ||
- | * Prefix the //Summary// with the CVE ID (see ~~Mantis:16513~~ for example) | + | * Prefix the //Summary// with the CVE ID (see [[mantis> |
* Make the issue **Public** | * Make the issue **Public** | ||
* Set //Fixed in version// | * Set //Fixed in version// | ||
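Review bot: the replacement of ~~Mantis:16513~~ by an interwiki link is cut off in this view, so check that the new [[mantis> link still carries issue number 16513 and renders as the example the sentence promises; a link that drops the number leaves "see ... for example" pointing nowhere. The bullet order is right as it stands: the Summary is prefixed with the CVE ID before the issue is made Public, so the identifier is visible the moment the report becomes readable.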
Line 75: | Line 76: | ||
==== Obtaining a CVE ID ==== | ==== Obtaining a CVE ID ==== | ||
- | Refer to Kurt Seifried' | + | Fill the form at https://cveform.mitre.org/, following indications on the page. |
- | The request must include: | + | * //Vendor of the product// and //Product// should be set to **MantisBT** |
+ | * a couple of examples for the //Version// field: | ||
+ | - Single version: 2.1.0 and later; fixed in 2.2.1 | ||
+ | - Multiple versions: 1.3.0-beta.3 through 2.2.0, fixed in 1.3.7, 2.2.1 | ||
+ | * //Affected components//: | ||
+ | * // | ||
+ | - the MantisBT issue | ||
+ | - Github commit(s) with patches fixing the issue | ||
- | - description of the issue, including but not limited to | + | Once the form has been submitted, the system will send a confirmation |
- | * type, e.g. XSS, sql injection... | + | |
- | * which area of Mantis are affected | + | |
- | * potential consequences of exploiting the bug | + | |
- | * indication on severity | + | |
- | - affected MantisBT version(s) | + | |
- | | + | |
- | - optionally, information about the reporter (if available and they do not refuse to be quoted) | + | |
- | - information about the patch (i.e. where it can be found, commit SHA) | + | |
- | - optionally, attach | + | |
- | Here are a few **examples** of public CVE requests: | + | Note that There are alternatives to request CVE IDs; refer to Kurt Seifried' |
+ | |||
+ | Here are a few **examples** of public CVE requests, requested via the // | ||
[[http:// | [[http:// | ||
[[http:// | [[http:// | ||
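Review bot: the new reference bullet "Github commit(s) with patches fixing the issue" conflicts with the earlier step's footnote that fixes must not be pushed to the public Github repositories before disclosure; if the CVE request is filed while the issue is still Private there is no public commit to cite, so state whether the commit reference is optional at request time and added afterwards, or whether the request waits until the fix is published. The rewrite also drops the old checklist for describing the issue (type such as XSS or SQL injection, affected area of Mantis, consequences of exploiting the bug, severity) and the optional reporter credit; keep those as guidance for the rest of the form so a request still carries that information. Wording: "Fill the form" reads better as "Fill in the form", and "Note that There are alternatives" has a stray capital T.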
Line 96: | Line 97: | ||
[[http:// | [[http:// | ||
- | From experience, | + | ==== Reference |
+ | |||
+ | Once the CVE ID has been assigned, it must be referenced in MantisBT, and used in every communication related | ||
+ | * MantisBT' | ||
+ | * in commit messages | ||
+ | * on GitHub pull requests | ||
+ | * in mailing lists discussions | ||
+ | * in announcements (e.g. release notes, blog post, twitter...) | ||
+ | * etc | ||
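Review bot: the list in the new Reference section ends with "* etc", which turns a "must be referenced ... in every communication" rule into an open-ended one; either drop "etc" or say the list is illustrative and the rule is simply every public communication about the issue. The first bullet (cut off here as "MantisBT'") likely overlaps with the step in the Line 65 hunk that prefixes the Summary with the CVE ID; if it refers to the issue summary, cross-reference that step rather than restating it so the two places cannot drift. Wording: "mailing lists discussions" should be "mailing list discussions", and "twitter" should be "Twitter".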
mantisbt/handling_security_problems.1422445633.txt.gz · Last modified: 2015/02/13 18:08 (external edit)