Mercurial > hgrepos > Python2 > PyMuPDF
annotate mupdf-source/thirdparty/curl/docs/SECURITY-PROCESS.md @ 2:b50eed0cc0ef upstream
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
The directory name has changed: no version number in the expanded directory now.
| author | Franz Glasner <fzglas.hg@dom66.de> |
|---|---|
| date | Mon, 15 Sep 2025 11:43:07 +0200 |
| parents | |
| children |
| rev | line source |
|---|---|
|
2
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
1 curl security process |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
2 ===================== |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
3 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
4 This document describes how security vulnerabilities should be handled in the |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
5 curl project. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
6 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
7 Publishing Information |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
8 ---------------------- |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
9 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
10 All known and public curl or libcurl related vulnerabilities are listed on |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
11 [the curl web site security page](https://curl.haxx.se/docs/security.html). |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
12 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
13 Security vulnerabilities **should not** be entered in the project's public bug |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
14 tracker. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
15 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
16 Vulnerability Handling |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
17 ---------------------- |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
18 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
19 The typical process for handling a new security vulnerability is as follows. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
20 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
21 No information should be made public about a vulnerability until it is |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
22 formally announced at the end of this process. That means, for example that a |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
23 bug tracker entry must NOT be created to track the issue since that will make |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
24 the issue public and it should not be discussed on any of the project's public |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
25 mailing lists. Also messages associated with any commits should not make any |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
26 reference to the security nature of the commit if done prior to the public |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
27 announcement. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
28 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
29 - The person discovering the issue, the reporter, reports the vulnerability on |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
30 [https://hackerone.com/curl](https://hackerone.com/curl). Issues filed there |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
31 reach a handful of selected and trusted people. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
32 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
33 - Messages that do not relate to the reporting or managing of an undisclosed |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
34 security vulnerability in curl or libcurl are ignored and no further action |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
35 is required. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
36 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
37 - A person in the security team responds to the original report to acknowledge |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
38 that a human has seen the report. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
39 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
40 - The security team investigates the report and either rejects it or accepts |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
41 it. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
42 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
43 - If the report is rejected, the team writes to the reporter to explain why. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
44 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
45 - If the report is accepted, the team writes to the reporter to let him/her |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
46 know it is accepted and that they are working on a fix. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
47 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
48 - The security team discusses the problem, works out a fix, considers the |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
49 impact of the problem and suggests a release schedule. This discussion |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
50 should involve the reporter as much as possible. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
51 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
52 - The release of the information should be "as soon as possible" and is most |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
53 often synchronized with an upcoming release that contains the fix. If the |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
54 reporter, or anyone else involved, thinks the next planned release is too |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
55 far away, then a separate earlier release should be considered. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
56 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
57 - Write a security advisory draft about the problem that explains what the |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
58 problem is, its impact, which versions it affects, solutions or workarounds, |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
59 when the release is out and make sure to credit all contributors properly. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
60 Figure out the CWE (Common Weakness Enumeration) number for the flaw. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
61 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
62 - Request a CVE number from |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
63 [HackerOne](https://docs.hackerone.com/programs/cve-requests.html) |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
64 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
65 - Consider informing |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
66 [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros) |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
67 to prepare them about the upcoming public security vulnerability |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
68 announcement - attach the advisory draft for information. Note that |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
69 'distros' won't accept an embargo longer than 14 days and they do not care |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
70 for Windows-specific flaws. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
71 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
72 - Update the "security advisory" with the CVE number. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
73 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
74 - The security team commits the fix in a private branch. The commit message |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
75 should ideally contain the CVE number. This fix is usually also distributed |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
76 to the 'distros' mailing list to allow them to use the fix prior to the |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
77 public announcement. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
78 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
79 - No more than 48 hours before the release, the private branch is merged into |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
80 the master branch and pushed. Once pushed, the information is accessible to |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
81 the public and the actual release should follow suit immediately afterwards. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
82 The time between the push and the release is used for final tests and |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
83 reviews. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
84 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
85 - The project team creates a release that includes the fix. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
86 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
87 - The project team announces the release and the vulnerability to the world in |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
88 the same manner we always announce releases. It gets sent to the |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
89 curl-announce, curl-library and curl-users mailing lists. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
90 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
91 - The security web page on the web site should get the new vulnerability |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
92 mentioned. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
93 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
94 curl-security (at haxx dot se) |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
95 ------------------------------ |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
96 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
97 This is a private mailing list for discussions on and about curl security |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
98 issues. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
99 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
100 Who is on this list? There are a couple of criteria you must meet, and then we |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
101 might ask you to join the list or you can ask to join it. It really isn't very |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
102 formal. We basically only require that you have a long-term presence in the |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
103 curl project and you have shown an understanding for the project and its way |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
104 of working. You must've been around for a good while and you should have no |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
105 plans in vanishing in the near future. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
106 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
107 We do not make the list of participants public mostly because it tends to vary |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
108 somewhat over time and a list somewhere will only risk getting outdated. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
109 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
110 Publishing Security Advisories |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
111 ------------------------------ |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
112 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
113 1. Write up the security advisory, using markdown syntax. Use the same |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
114 subtitles as last time to maintain consistency. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
115 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
116 2. Name the advisory file after the allocated CVE id. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
117 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
118 3. Add a line on the top of the array in `curl-www/docs/vuln.pm'. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
119 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
120 4. Put the new advisory markdown file in the curl-www/docs/ directory. Add it |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
121 to the git repo. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
122 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
123 5. Run `make` in your local web checkout and verify that things look fine. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
124 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
125 6. On security advisory release day, push the changes on the curl-www |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
126 repository's remote master branch. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
127 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
128 Bug Bounty |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
129 ---------- |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
130 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
131 See [BUG-BOUNTY](https://curl.haxx.se/docs/bugbounty.html) for details on the |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
132 bug bounty program. |