Newsgroups: php.internals
Xref: news.php.net php.internals:105495
Subject: Re: [PHP-DEV] Issuing CVEs for PHP
From: bishop@php.net (Bishop Bettini)
To: Stanislav Malyshev
Cc: PHP Internals, security@php.net
Date: Mon, 29 Apr 2019 02:47:48 -0400

On Sun, Apr 28, 2019 at 11:51 PM Stanislav Malyshev wrote:

> I have set up PHP as CNA (CVE Identifiers authority) with MITRE.
> That means that we will be assigning our own CVEs from now on. The process in
> broad strokes works like this:
>
> 1. We request a block of numbers
> 2. When we have a security bug, we use one of the numbers in the block
> 3. We create CVE descriptions and commit them to the cvelist repo
>
> Much more detailed documentation on how it is done is here:
> https://wiki.php.net/cve
>
> So far I am the only one who is registered to commit CVE descriptions to
> the MITRE upstream repo, but if somebody wants to do it too, I'm sure it can
> be arranged.
>
> Note that you can assign a CVE to a bug not yet fixed or published in the
> open. Please use this capability responsibly and keep the tracking in
> https://wiki.php.net/cve . If you are not familiar with the process or
> don't want to bother, just put "needed" as the CVE number and it will be
> taken care of. Please do not enter the bug details into the public repo
> before the fix is released.
>

Thank you, Stas, for arranging this autonomy. We should probably have at
least three MITRE committers, to raise our bus factor.

Phar's had a rash of secbugs lately, so I can participate as part of the
phar remediation workflow, though I'd be quite happy to defer to anyone else.