Hi Dmitry!

On Thu, Jan 02, 2020 at 10:38:09AM +1100, Dmitry Smirnov wrote:
> Closing obsolete bug...
>
> On Sunday, 22 July 2018 5:11:39 AM AEDT Salvatore Bonaccorso wrote:
> > https://civicrm.org/advisory/civi-sa-2018-07-remote-code-execution-in-quickform
> >
> > This is already fixed, so this bug is to track the issue in the BTS.
> > No CVEs seem to be assigned for the CIVI advisories.
>
> Maybe CVE was assigned later? The URL above refers to CVE-2018-1999022.

Yes, I guess so. From the bug log I see I did retitle it on the 24th of July; I guess it appeared then in the MITRE CVE feed, and one of the people working on CVE triage then noticed that association and updated the security-tracker.

> > Speaking of that, might you convince upstream to request CVE
> > identifiers when they plan to release a CiviCRM security advisory?
>
> I can try but I'm not sure how to make a convincing case... Do you have
> good reasons to recommend or maybe a best practice document I could refer to?

The good thing about having a CVE id for the vulnerabilities is that it helps other vendors to track the issues properly 'cross-vendor' in a unique way. If every upstream would use individual identifiers to track their vulnerabilities, this makes the work of downstream security teams much harder.

Nowadays MITRE has improved a lot on their processes for assigning CVEs, and well-filled reports at https://cveform.mitre.org/ get assigned a CVE quickly (this somewhat depends, though, on how well the report is done). I know some upstreams did in the past have frustrating experiences, and do not want to try that out again.

Does this help, or are you targeting the question at something else which I just missed now?

Many thanks for your work!

Regards,
Salvatore

