Developer Area/Security Team/CVE Request

From Mahara Wiki

< Developer Area‎ | Security Team
Revision as of 14:00, 25 October 2011 by Francois (talk | contribs) (i)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Here is a sample email showing what kinds of things that need to be included when requesting CVE numbers from Debian:

To: [email protected]
Cc: [email protected]
Subject: CVE Request for security bugs in mahara


I'm  an upstream developer for Mahara (packaged in Debian as "mahara") and we'd like to
get a CVE number for each of the following security bugs:
1- XSS in select box validation (unsanitized input can be found in the keys
   of the Pieforms drop downs) -- affects Mahara 1.0, 1.1 and 1.2

2- CSRF allowing blogs to be deleted (permissions are checked but the
   session key is neither passed nor checked) -- affects only the Mahara 1.2 series
The first issue was discovered by John Doe of Awesome Security Inc. while the second
one was found by the Mahara developers.
I have attached patches for both of these issues and will be preparing
updated packages to be uploaded at the same time as the upstream release.

- xss_mahara10.patch
- xss_mahara11.patch
- xss_mahara12.patch
- csrf_mahara12.patch

Note that this information will end up on the CVE database and will get copied all over the place, so it's worth triple-checking and testing everything because it's next to impossible to fix mistakes later.