[mantisbt-dev] Tracking of security issues having CVEs
Damien Regad
2015-01-23 16:13:51 UTC
Hello again,

I'd like your input in terms of handling / tracking of important, publicly
announced security issues (i.e. having a CVE) that affect multiple versions.

In the past, we only had a single issue in our tracker, with target/fixed in
version set to the oldest version (i.e. 1.2.x), and it was implied that the
fix was also implemented in later releases.

This was not a problem before an "official" release for 1.3 was published,
but now that we have the beta out, I'm wondering if we should not create
"dummy" issues as clones/duplicates of the "main" ones for 1.2, but with
target/fixed version set to 1.3.x. This way the CVE IDs would appear on the
change log / roadmap.

Thoughts?
Roland Becker
2015-01-23 20:35:32 UTC
Seems this approach has been used in the past:

https://www.mantisbt.org/bugs/view.php?id=6724
https://www.mantisbt.org/bugs/view.php?id=7743

https://www.mantisbt.org/bugs/view.php?id=8153
https://www.mantisbt.org/bugs/view.php?id=8154
_______________________________________________
mantisbt-dev mailing list
https://lists.sourceforge.net/lists/listinfo/mantisbt-dev
Victor Boctor
2015-01-24 03:05:29 UTC
Sounds good to me. We should just make sure that the title for both bugs is readable, not just a reference to the CVE #.