Developer Area/Security Team/CVE Request
Here is a sample email showing what kinds of things that need to be included when requesting CVE numbers from Debian:
To: firstname.lastname@example.org Cc: email@example.com Subject: CVE Request for security bugs in mahara Hi, I'm an upstream developer for Mahara (packaged in Debian as "mahara") and we'd like to get a CVE number for each of the following security bugs: 1- XSS in select box validation (unsanitized input can be found in the keys of the Pieforms drop downs) -- affects Mahara 1.0, 1.1 and 1.2 2- CSRF allowing blogs to be deleted (permissions are checked but the session key is neither passed nor checked) -- affects only the Mahara 1.2 series The first issue was discovered by John Doe of Awesome Security Inc. while the second one was found by the Mahara developers. I have attached patches for both of these issues and will be preparing updated packages to be uploaded at the same time as the upstream release. Cheers, DeveloperName Attachments: - xss_mahara10.patch - xss_mahara11.patch - xss_mahara12.patch - csrf_mahara12.patch
Note that this information will end up on the CVE database and will get copied all over the place, so it's worth triple-checking and testing everything because it's next to impossible to fix mistakes later.