Developer Area/Security Team/CVE Request

From Mahara Wiki
Jump to: navigation, search

Here is a sample email showing what kinds of things that need to be included when requesting CVE numbers from Debian:

To: security@debian.org
Cc: security@mahara.org
Subject: CVE Request for security bugs in mahara

Hi,

I'm  an upstream developer for Mahara (packaged in Debian as "mahara") and we'd like to
get a CVE number for each of the following security bugs:

1- XSS in select box validation (unsanitized input can be found in the keys
   of the Pieforms drop downs) -- affects Mahara 1.0, 1.1 and 1.2

2- CSRF allowing blogs to be deleted (permissions are checked but the
   session key is neither passed nor checked) -- affects only the Mahara 1.2 series

The first issue was discovered by John Doe of Awesome Security Inc. while the second
one was found by the Mahara developers.

I have attached patches for both of these issues and will be preparing
updated packages to be uploaded at the same time as the upstream release.

Cheers,

DeveloperName

Attachments:
- xss_mahara10.patch
- xss_mahara11.patch
- xss_mahara12.patch
- csrf_mahara12.patch

Note that this information will end up on the CVE database and will get copied all over the place, so it's worth triple-checking and testing everything because it's next to impossible to fix mistakes later.