Security/Firefox/Security Bug Life Cycle/Security Advisories: Difference between revisions

Line 69: Line 69:
Typically done a day or two before the release, assign CVEs to the bugs in bugzilla, and in the yml file.  This can be automated with this script: https://github.com/tomrittervg/secadv/blob/master/cve_assignment_script.txt
Typically done a day or two before the release, assign CVEs to the bugs in bugzilla, and in the yml file.  This can be automated with this script: https://github.com/tomrittervg/secadv/blob/master/cve_assignment_script.txt


A noteworthy item is that issues that already have had a CVE assigned - for example because it's an upstream bug - should get a '''feed: false''' in the advisory, after reporter.
A noteworthy item is that '''issues that already have had a CVE assigned''' - for example because it's an upstream bug - should get a '''feed: false''' in the advisory, after reporter.  This is very important.  It is common (usually several times a year) for us to request Google to assign a CVE for an issue in an upstream library.  The Googler to contact for this is Adrian Taylor, and Tom Ritter (among others) can put you in touch.


A CVE ID from Mitre is assigned from [https://docs.google.com/spreadsheets/d/14rI7jdL23HHJ5VOpVJhV_zc_bp2InrXlKD_vap9oec0/edit our CVE pool] of numbers as an “alias” in Bugzilla and the CVE Pool sheet is updated to include the bug number and title on the listing for the assigned CVE ID.
A CVE ID from Mitre is assigned from [https://docs.google.com/spreadsheets/d/14rI7jdL23HHJ5VOpVJhV_zc_bp2InrXlKD_vap9oec0/edit our CVE pool] of numbers as an “alias” in Bugzilla and the CVE Pool sheet is updated to include the bug number and title on the listing for the assigned CVE ID.
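Review bot: The added sentence in the second line of this hunk calls the '''feed: false''' setting "very important" but never states what goes wrong when it is omitted; suggest adding one sentence after "This is very important." that names the consequence, so a reader who skims the page knows why an already-assigned upstream CVE must not be fed again. The same line also says the field goes "after reporter" without saying which file this refers to; since the preceding paragraph mentions "the yml file", naming it explicitly here ("in the advisory yml, after the reporter field") would remove the ambiguity.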
Line 75: Line 75:
The CVE ID is unique per bug except for the internal roll-up advisories, which use one CVE ID for a list of bugs. (The CVE assignment process can be complicated because Mitre imposes many rules on CVE assignment and requires communication back in specified data formats when CVEs are assigned. Failure to follow this process can result in Mitre refusing to hand out additional CVE IDs for use.)
The CVE ID is unique per bug except for the internal roll-up advisories, which use one CVE ID for a list of bugs. (The CVE assignment process can be complicated because Mitre imposes many rules on CVE assignment and requires communication back in specified data formats when CVEs are assigned. Failure to follow this process can result in Mitre refusing to hand out additional CVE IDs for use.)


==== Oh no, I don't have enough CVEs! ====
==== Oh no, I don't have enough CVEs! or Oh no, Google never got back to me! ====


That's alright.  Assign the issue an id of MFSA-TMP-YEAR-#### where # is a unique incrementing number. Everything will work fine. Later when we have the CVE, go back and assign it.
That's alright.  Assign the issue an id of MFSA-TMP-YEAR-#### where # is a unique incrementing number (like MFSA-TMP-2023-001). Everything will work fine. Later when we have the CVE, go back and assign it.  It's hard to keep track of TMP numbers, but this is uncommon. A command like <code>git grep "MFSA-TMP" $(git rev-list --all -- announce) -- announce/</code> will show you any uses, even if they've been correct in the file.


[https://github.com/mozilla/foundation-security-advisories/commit/3114d01de2f27cdb606d8d07603c2362515104f1 Here's an example of what it looks like.]
[https://github.com/mozilla/foundation-security-advisories/commit/3114d01de2f27cdb606d8d07603c2362515104f1 Here's an example of what it looks like.]


n.b. While that example used MFSA-YEAR-####, that format is actually used for the advisories themselves (so MFSA-2020-0001 was accidentally used to refer both to an individual issue pending a CVE and to all advisories for Firefox 71.) So I'm suggesting the MFSA-TMP prefix to distinguish. We also previously the MFSA-YEAR-# format for individual issues from 2005ish - 2016.
n.b. While that example used MFSA-YEAR-####, that format is actually used for the advisories themselves (so MFSA-2020-0001 was accidentally used to refer both to an individual issue pending a CVE and to all advisories for Firefox 71.) So for now on we use the MFSA-TMP prefix to distinguish. We also previously used the MFSA-YEAR-# format for individual issues from 2005ish - 2016.


=== Get review ===
=== Get review ===
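Review bot: Two wording defects in the changed lines of this hunk. In the "That's alright." paragraph, "even if they've been correct in the file" should read "even if they've been corrected in the file" (the sentence describes finding TMP ids that were later replaced, which is why the command searches history with <code>git rev-list --all -- announce</code>). In the "n.b." paragraph, "So for now on we use the MFSA-TMP prefix" should read "So from now on we use the MFSA-TMP prefix". Also worth aligning: the pattern is given as MFSA-TMP-YEAR-#### (four digits) while the example is MFSA-TMP-2023-001 (three digits); pick one width so the git grep and future assignments stay consistent.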