Difference between revisions of "Developer Area/Security Team/CVE Request"
From Mahara Wiki
< Developer Area | Security Team
(i) |
|||
| (One intermediate revision by one other user not shown) | |||
| Line 1: | Line 1: | ||
Here is a sample email showing what kinds of things that need to be included when requesting CVE numbers from Debian: | Here is a sample email showing what kinds of things that need to be included when requesting CVE numbers from Debian: | ||
| − | To: security@debian. | + | To: security@debian.org |
Subject: CVE Request for security bugs in mahara | Subject: CVE Request for security bugs in mahara | ||
| Line 9: | Line 9: | ||
I'm an upstream developer for Mahara (packaged in Debian as "mahara") and we'd like to | I'm an upstream developer for Mahara (packaged in Debian as "mahara") and we'd like to | ||
get a CVE number for each of the following security bugs: | get a CVE number for each of the following security bugs: | ||
| − | + | ||
1- XSS in select box validation (unsanitized input can be found in the keys | 1- XSS in select box validation (unsanitized input can be found in the keys | ||
of the Pieforms drop downs) -- affects Mahara 1.0, 1.1 and 1.2 | of the Pieforms drop downs) -- affects Mahara 1.0, 1.1 and 1.2 | ||
| Line 15: | Line 15: | ||
2- CSRF allowing blogs to be deleted (permissions are checked but the | 2- CSRF allowing blogs to be deleted (permissions are checked but the | ||
session key is neither passed nor checked) -- affects only the Mahara 1.2 series | session key is neither passed nor checked) -- affects only the Mahara 1.2 series | ||
| − | + | ||
The first issue was discovered by John Doe of Awesome Security Inc. while the second | The first issue was discovered by John Doe of Awesome Security Inc. while the second | ||
one was found by the Mahara developers. | one was found by the Mahara developers. | ||
| − | + | ||
I have attached patches for both of these issues and will be preparing | I have attached patches for both of these issues and will be preparing | ||
updated packages to be uploaded at the same time as the upstream release. | updated packages to be uploaded at the same time as the upstream release. | ||
| − | + | ||
Cheers, | Cheers, | ||
DeveloperName | DeveloperName | ||
| − | + | ||
Attachments: | Attachments: | ||
- xss_mahara10.patch | - xss_mahara10.patch | ||
| Line 32: | Line 32: | ||
- csrf_mahara12.patch | - csrf_mahara12.patch | ||
| − | Note that this information will end up on the CVE database and will get copied all over the place, so it's worth triple-checking and testing everything because it's next to impossible to fix mistakes later. | + | Note that this information will end up on the CVE database and will get copied all over the place, so it's worth '''triple-checking and testing everything''' because it's next to impossible to fix mistakes later. |
Latest revision as of 15:02, 11 March 2013
Here is a sample email showing what kinds of things that need to be included when requesting CVE numbers from Debian:
To: [email protected] Cc: [email protected] Subject: CVE Request for security bugs in mahara Hi, I'm an upstream developer for Mahara (packaged in Debian as "mahara") and we'd like to get a CVE number for each of the following security bugs: 1- XSS in select box validation (unsanitized input can be found in the keys of the Pieforms drop downs) -- affects Mahara 1.0, 1.1 and 1.2 2- CSRF allowing blogs to be deleted (permissions are checked but the session key is neither passed nor checked) -- affects only the Mahara 1.2 series The first issue was discovered by John Doe of Awesome Security Inc. while the second one was found by the Mahara developers. I have attached patches for both of these issues and will be preparing updated packages to be uploaded at the same time as the upstream release. Cheers, DeveloperName Attachments: - xss_mahara10.patch - xss_mahara11.patch - xss_mahara12.patch - csrf_mahara12.patch
Note that this information will end up on the CVE database and will get copied all over the place, so it's worth triple-checking and testing everything because it's next to impossible to fix mistakes later.