
CVE assignment for #8917 #8951

Closed
aviv320i opened this issue Sep 4, 2019 · 8 comments

aviv320i commented Sep 4, 2019

Hey,
PR #8917 seems to solve a critical security issue. Is a CVE going to be assigned to it?

@aviv320i aviv320i changed the title Security report CVE assignment for #8917 Sep 4, 2019
@reasonerjt reasonerjt self-assigned this Sep 5, 2019
reasonerjt (Contributor) commented Sep 5, 2019

@aviv320i good point.
We haven't done this before but I think the answer is yes, I'll figure out the process and follow up.

aviv320i (Author) commented Sep 8, 2019

Hey @reasonerjt,
I'm very familiar with the process, so I reserved a CVE for the issue and gave you the credit for it.
I think it's super important that you release a new version of the product as fast as possible, because this issue is critical and is visible to everyone.
I will send you the CVE number as soon as MITRE confirms my request and publishes some information about the issue.
Please take this matter seriously. If there is anything I can do to help, let me know.

reasonerjt (Contributor) commented Sep 8, 2019

@aviv320i Your help is highly appreciated!

And yes, we'll release the patch releases in the next couple of days.
BTW, we are drafting a security process; once there's a PR, your comments are welcome!

BTW, did you do it via DWF?
https://github.com/distributedweaknessfiling/DWF-Documentation

aviv320i (Author) commented Sep 8, 2019

Hey,
Great, that's awesome.
And no. I've contacted the organization that's responsible for assigning CVEs, which is MITRE.
BTW, they responded to my request and assigned "CVE-2019-16097" for the issue, so you can use this number to address the vulnerability.
The CVE is not public yet, but it will be once you publish a new release.

reasonerjt (Contributor) commented Sep 10, 2019

@aviv320i
Thanks a lot!
May I know if it's possible to update the description? For example, the fix will be backported to 1.8.x and 1.7.x.
Additionally, I'm curious about the score of this CVE: did you make a proposal about the score, or did someone in NVD review it and make the decision?

aviv320i (Author) commented Sep 10, 2019

Happy to help. Once the fixes are public, I will send them a mail in order to change the description.
I'm not involved with the scoring process; NVD determines the CVE score.
They have their own calculator, and they determine the score according to it.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

aviv320i (Author) commented Sep 19, 2019

Great, everything looks good.
Sending an update to MITRE.

@aviv320i aviv320i closed this Sep 19, 2019
reasonerjt (Contributor) commented Sep 19, 2019

@aviv320i thanks!
BTW, before seeing your latest update, I also submitted an update request (id: CVE Request 761258).

Hope it won't confuse MITRE.
