From 4fac2a92db4d41a481c8e899bb24c378f801ea54 Mon Sep 17 00:00:00 2001
From: Ben Scott
Date: Wed, 10 Jun 2026 15:56:00 -0400
Subject: [PATCH] Explicit sub-steps for assessing -S and EOL

For the step where we assess which product versions/branches are vulnerable to the flaw, add explicit subordinate steps for assessing the Special Subscriber -S Preview edition, and end-of-life versions that are still receiving paid fixes.

While we have GitLab labels to indicate affected versions, there is no satisfactory mechanism in place to indicate that assessment of all versions is complete, and thus that anything not labeled as affected can be considered immune. Explicit checklist steps will allow others to see when assessment is complete.

Per the following discussions:
https://zulip.isc.org/#narrow/channel/4-bind9/topic/Unaffected.20labels.20for.20vulnerability.20issues/near/25643
https://zulip.isc.org/#narrow/channel/4-bind9/topic/CVE.20checklist.20updates/near/26307
---
 .gitlab/issue_templates/Internal_use_only-CVE.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md
index d4c1391155..0a3960ceba 100644
--- a/.gitlab/issue_templates/Internal_use_only-CVE.md
+++ b/.gitlab/issue_templates/Internal_use_only-CVE.md
@@ -43,7 +43,9 @@ confidential! - [ ] [:grey_question:][step_coordinate_cve_id] **(SwEng)** Check if we need to coordinate with other vendors (an industry-wide CVE identifier might be necessary) - [ ] [:grey_question:][step_assign_cve_id] **(SwEng)** Assign a CVE identifier, and update the GitLab Issue with it - [ ] [:grey_question:][step_note_cve_info] **(SwEng)** Determine CVSS score and CWE category, and update the GitLab Issue with them - - [ ] [:grey_question:][step_versions_affected] **(SwEng)** Determine the branches of product versions affected (including the Subscription Edition and supported EOL versions) + - [ ] [:grey_question:][step_versions_affected] **(SwEng)** Determine product branches/versions affected + - [ ] **(SwEng)** Including Subscription Edition(s) + - [ ] **(SwEng)** Including EOL version(s) receiving paid support - [ ] [:grey_question:][step_earliest_prepare] **(Support)** Prepare "earliest" notification text - [ ] [:grey_question:][step_earliest_send] **(Support)** Update "earliest" notification ticket in support portal Earliest queue which will notify earliest customers - [ ] [:grey_question:][step_advisory_mr] **(Support)** Create a merge request for the Security Advisory and include all readily available information in it
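Review bot: the two added sub-steps ("Including Subscription Edition(s)" and "Including EOL version(s) receiving paid support") drop the `[:grey_question:][step_...]` help-link prefix that every sibling step in this hunk carries, so they have no anchor into the step documentation; either give them anchors in the same style or note why the sub-steps intentionally have none. Also, the commit message's goal is to make it visible that assessment of all versions is complete, but the hunk only records that -S and paid-support EOL versions were assessed; ticking the parent step "Determine product branches/versions affected" still leaves it implicit whether the unlabelled mainline branches were checked and found unaffected, so consider wording the parent (or a third sub-step) to explicitly record that unaffected branches were confirmed, not just that affected ones were labelled.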