mantisbt:handling_security_problems

mantisbt:handling_security_problems [2015/02/13 18:08]
dregad Use InterWiki syntax for MantisBT bug links
mantisbt:handling_security_problems [2017/03/10 07:34] (current)
dregad Add "Reference the CVE" section
Line 48: Line 48:
     * Set //Target Version// to the next stable release (e.g. "1.2.x")     * Set //Target Version// to the next stable release (e.g. "1.2.x")
     * Make sure it is indeed **Private**     * Make sure it is indeed **Private**
-  - Notify the rest of the core team about the vulnerability by adding them to the email thread / issue discussion((Do not use the Developer's mailing list to avoid early disclosure.)) (use the //Send Reminder// feature)+  - Notify the rest of the core team about the vulnerability by adding them to the email thread / issue discussion((Do not use the Developer's mailing list to avoid early disclosure.)) (use //@mentions// or the //Send Reminder// feature)
   - Propose a fix by **attaching a git patch** to the issue ((It is important not to leak information about the vulnerability by pushing fixes to the public Github repositories before the disclosure.))   - Propose a fix by **attaching a git patch** to the issue ((It is important not to leak information about the vulnerability by pushing fixes to the public Github repositories before the disclosure.))
-  - The original reporter as well should test the fix to confirm resolution+  - The original reporter should test the fix to confirm resolution
   - If possible, at least one other MantisBT developer should review and test the fix as well   - If possible, at least one other MantisBT developer should review and test the fix as well
  
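Review bot: The new "@mentions" option at the notification step is left unconditioned, while the line two steps above insists the issue stay Private; the text should state whether a mentioned core team member must already have view access to the private issue for the mention to reach them, and direct the writer to the email thread or the Send Reminder feature when they do not. A clause such as "(only for users who can already see the private issue)" after "@mentions" would close that gap.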
Line 75: Line 75:
 ==== Obtaining a CVE ID ==== ==== Obtaining a CVE ID ====
  
-Refer to Kurt Seifried's [[https://github.com/RedHatProductSecurity/CVE-HOWTO#how-do-i-request-a-cve|CVE HowTo]] for the process to request a CVE ID.+Fill the form at https://cveform.mitre.org/, following indications on the page.
  
-The request must include:+  * //Vendor of the product// and //Product// should be set to **MantisBT** 
 +  * a couple of examples for the //Version// field 
 +    - Single version: 2.1.0 and later; fixed in 2.2.1 
 +    - Multiple versions: 1.3.0-beta.3 through 2.2.0, fixed in 1.3.7, 2.2.1 
 +  * //Affected components//: the MantisBT page(s) where the problem exists 
 +  * //References// should include (if public) links to 
 +    - the MantisBT issue  
 +    - Github commit(s) with patches fixing the issue
  
-  - description of the issue, including but not limited to +Once the form has been submittedthe system will send a confirmation e-mail with a request number; after reviewMITRE'CVE assignment team will send another e-mail with the CVE IDFrom experience, the CVE ID usually gets assigned within one business day.
-     * type, e.g. XSSsql injection... +
-     * which area of Mantis are affected +
-     * potential consequences of exploiting the bug +
-     * indication on severity +
-  - affected MantisBT version(s+
-  link to MantisBT issue +
-  - optionally, information about the reporter (if available and they do not refuse to be quoted) +
-  - information about the patch (i.e. where it can be found, commit SHA) +
-  - optionallyattach the patch itself+
  
-Here are a few **examples** of public CVE requests: +Note that There are alternatives to request CVE IDs; refer to Kurt Seifried's [[https://github.com/RedHatProductSecurity/CVE-HOWTO#how-do-i-request-a-cve|CVE HowTo]] for further information. 
 + 
 +Here are a few **examples** of public CVE requests, requested via the //oss-security Mailing List//
 [[http://thread.gmane.org/gmane.comp.security.oss.general/15434|1]],  [[http://thread.gmane.org/gmane.comp.security.oss.general/15434|1]], 
 [[http://thread.gmane.org/gmane.comp.security.oss.general/15429|2]],  [[http://thread.gmane.org/gmane.comp.security.oss.general/15429|2]], 
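Review bot: The replacement bullet list drops the guidance the removed lines carried on describing the issue (type such as XSS or SQL injection, affected area of Mantis, potential consequences, severity) and on crediting the reporter, without saying where that information goes on the MITRE form; suggest keeping a "Description" bullet that covers those points. Two smaller points: the first "Version" example is labelled "Single version" but describes a range ("2.1.0 and later; fixed in 2.2.1"), and "Note that There are alternatives" should read "Note that there are alternatives".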
Line 96: Line 96:
 [[http://thread.gmane.org/gmane.comp.security.oss.general/9876|4]].  [[http://thread.gmane.org/gmane.comp.security.oss.general/9876|4]]. 
  
-From experience, the CVE ID usually gets assigned within one business daybut sometimes it takes up to a week.+==== Reference the CVE ID ==== 
 + 
 +Once the CVE ID has been assigned, it must be referenced in MantisBT, and used in every communication related to the security issue
  
 +  * MantisBT's issue tracker (**Mandatory**): prefix the issue's summary with ''CVE-YYYY-XXXX - ''
 +  * in commit messages
 +  * on GitHub pull requests
 +  * in mailing lists discussions
 +  * in announcements (e.g. release notes, blog post, twitter...)
 +  * etc
  
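Review bot: The mandatory summary prefix ''CVE-YYYY-XXXX - '' suggests a fixed four-digit sequence number, but CVE IDs assigned since 2014 may carry five or more digits, so the placeholder should read something like ''CVE-YYYY-NNNN... - '' with a note that the sequence part is at least four digits. Also, the list's closing "etc" needs a period, and the sentence ending "related to the security issue" lacks its full stop.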
mantisbt/handling_security_problems.1423868905.txt.gz · Last modified: 2015/02/13 18:08 by dregad