Developer Area/Security Team/CVE Request
From Mahara Wiki
< Developer Area | Security TeamRevision as of 14:00, 25 October 2011 by Francois (i)
Here is a sample email showing what kinds of things that need to be included when requesting CVE numbers from Debian:
To: [email protected] Cc: [email protected] Subject: CVE Request for security bugs in mahara Hi, I'm an upstream developer for Mahara (packaged in Debian as "mahara") and we'd like to get a CVE number for each of the following security bugs:
1- XSS in select box validation (unsanitized input can be found in the keys of the Pieforms drop downs) -- affects Mahara 1.0, 1.1 and 1.2 2- CSRF allowing blogs to be deleted (permissions are checked but the session key is neither passed nor checked) -- affects only the Mahara 1.2 series
The first issue was discovered by John Doe of Awesome Security Inc. while the second one was found by the Mahara developers.
I have attached patches for both of these issues and will be preparing updated packages to be uploaded at the same time as the upstream release.
Attachments: - xss_mahara10.patch - xss_mahara11.patch - xss_mahara12.patch - csrf_mahara12.patch
Note that this information will end up on the CVE database and will get copied all over the place, so it's worth triple-checking and testing everything because it's next to impossible to fix mistakes later.