Hi!
I have set up PHP as a CNA (CVE Identifiers authority) with MITRE. That
means that we will be assigning our own CVEs from now on. The process in
broad strokes works like this:
- We request a block of numbers
- When we have a security bug, we use one of the numbers in the block
- We create CVE descriptions and commit them to the cvelist repo
Much more detailed documentation on how it is done is here:
https://wiki.php.net/cve
So far I am the only one who is registered to commit CVE descriptions to
the MITRE upstream repo, but if somebody wants to do it too, I'm sure it can
be arranged.
Note that you can assign a CVE to a bug not yet fixed or published in the
open. Please use this capability responsibly and keep the tracking in
https://wiki.php.net/cve . If you are not familiar with the process or
don't want to bother, just put "needed" as the CVE number and it will be
taken care of. Please do not enter the bug details into the public repo
before the fix is released.
If you have any questions about this, please ask me.
Stas Malyshev
smalyshev@gmail.com