Newsgroups: php.internals
Xref: news.php.net php.internals:105551
Date: Thu, 2 May 2019 02:24:39 +0700
Subject: Re: Issuing CVEs for PHP
From: pierre.php@gmail.com (Pierre Joye)
To: Stas Malyshev
Cc: PHP internals, security@php.net

Hi Stas

Excellent!! Thank you for taking care of this

best,
Pierre

On Mon, Apr 29, 2019, 10:51 AM Stanislav Malyshev wrote:

> Hi!
>
> I have set up PHP as CNA (CVE Identifiers authority) with MITRE. That
> means that we will be assigning our own CVEs from now on. The process in
> broad strokes works like this:
>
> 1. We request a block of numbers
> 2. When we have a security bug, we use one of the numbers in the block
> 3. We create CVE descriptions and commit them to the cvelist repo
>
> Much more detailed documentation on how it is done is here:
> https://wiki.php.net/cve
>
> So far I am the only one who is registered to commit CVE descriptions to
> MITRE upstream repo, but if somebody wants to do it too, I'm sure it can
> be arranged.
> Note that you can assign a CVE to a bug not yet fixed or published in the
> open. Please use this capability responsibly and keep the tracking in
> https://wiki.php.net/cve . If you are not familiar with the process or
> don't want to bother, just put "needed" as CVE number and it will be
> taken care of. Please do not enter the bug details into the public repo
> before the fix is released.
>
> If you have any questions about this, please ask me.
> --
> Stas Malyshev
> smalyshev@gmail.com