upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-11 11:49:59 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

chg: nil: CVE checklist updates

Browse source 
Merge branch 'cve-checklist-update' into 'main'

See merge request isc-projects/bind9!12179
This commit is contained in:
Petr Špaček 2026-06-05 11:41:29 +00:00
commit ce0fabb032
1 changed files with 53 additions and 53 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

106
.gitlab/issue_templates/Internal_use_only-CVE.md
View file

@ -6,85 +6,85 @@ if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please make sure that you make the new issue
confidential!
-->
| Quick Links | :link: |
| ------------------------ | ----------------------------------------------- |
| Incident Manager: | @user |
| Deputy Incident Manager: | @user |
| Public Disclosure Date: | YYYY-MM-DD |
| CVSS Score: | [0.0][cvss_score_url] |
| CWE: | [CWE-NNN][cwe_category_url] |
| Earliest Notification: | support-team/earliest-notification-drafting!NNN |
| Security Advisory: | isc-private/printing-press!NNN |
| Mattermost Channel: | [CVE-YYYY-NNNN][mattermost_url] |
| Support Ticket: | [URL] |
| Release Checklist: | #NNNN |
| How to? | Click on [:grey_question:][checklist_explanations] for each step |
| ------------------------ | ---------------------------------------------------------------------- |
| Incident Manager: | @user (assigned SwEng person) [:grey_question:][step_incident_manager] |
| Multi-vendor? | :question: Yes/No? [:grey_question:][step_coordinate_cve_id] |
| Public Disclosure Date: | YYYY-MM-DD |
| CVSS Score: | [0.0][cvss_score_url] |
| CWE: | [CWE-NNN][cwe_category_url] |
| Earliest Notification: | support-team/earliest-notification-drafting!NNN |
| Security Advisory: | isc-private/printing-press!NNN |
| Zulip Topic: | [CVE-YYYY-NNNN][zulip_url] |
| Support Ticket: | [URL] |
| Release Checklist: | #NNNN |
[cvss_score_url]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:X/AC:X/PR:X/UI:X/S:X/C:X/I:X/A:X&version=3.1
[cwe_category_url]: https://cwe.mitre.org/data/definitions/NNN.html
[mattermost_url]: https://mattermost.isc.org/isc/channels/cve-YYYY-NNNN
[zulip_url]: https://zulip.isc.org/#narrow/channel/4-bind9/topic/CVE-...
:bulb: **Click [here][checklist_explanations] (internal resource) for general information about the security incident handling process.**
:question: Not sure about something? Ask!
[checklist_explanations]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations
### Before Code Freeze
- [ ] [:link:][step_deputy] **(IM)** Pick a Deputy Incident Manager
- [ ] [:link:][step_respond] **(IM)** Respond to the bug reporter
- [ ] [:link:][step_public_mrs] **(SwEng)** Ensure there are no public merge requests which inadvertently disclose the issue
- [ ] [:link:][step_coordinate_cve_id] **(SwEng)** Check if we need to coordinate with other vendors (an industry-wide CVE identifier might be necessary)
- [ ] [:link:][step_assign_cve_id] **(IM)** Assign a CVE identifier
- [ ] [:link:][step_note_cve_info] **(SwEng)** Update this issue with the assigned CVE identifier, the CVSS score, and the CWE category
- [ ] [:link:][step_versions_affected] **(SwEng)** Determine the range of product versions affected (including the Subscription Edition)
- [ ] [:link:][step_workarounds] **(SwEng)** Determine whether workarounds for the problem exist
- [ ] [:link:][step_earliest_prepare] **(Support)** Prepare "earliest" notification text
- [ ] [:link:][step_earliest_send] **(Support)** Update "earliest" notification ticket in support portal Earliest queue which will notify earliest customers
- [ ] [:link:][step_advisory_mr] **(Support)** Create a merge request for the Security Advisory and include all readily available information in it
- [ ] [:link:][step_reproducer] **(SwEng)** Prepare a private merge request containing a system test reproducing the problem
- [ ] [:link:][step_notify_support] **(SwEng)** Notify Support when a reproducer is ready
- [ ] [:link:][step_code_analysis] **(SwEng)** Prepare a detailed explanation of the code flow triggering the problem
- [ ] [:link:][step_fix] **(SwEng)** Prepare a fix and push it as a separate commit to the merge request with the reproducer
- [ ] [:link:][step_review_fix] **(SwEng)** Ensure the merge request with the fix is reviewed and has no outstanding discussions
- [ ] [:link:][step_review_docs] **(Support)** Review the documentation changes introduced by the merge request with the fix
- [ ] [:link:][step_backports] **(SwEng)** Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product
- [ ] [:link:][step_finish_advisory] **(Support)** Finish preparing the Security Advisory
- [ ] [:link:][step_meta_issue] **(QA)** Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
- [ ] [:link:][step_coordinate_check] **(SwEng)** Make sure other vendors are able to release on the date that was previously agreed upon
- [ ] [:grey_question:][step_respond] **(SwEng)** Respond to the bug reporter
- [ ] [:grey_question:][step_public_mrs] **(SwEng)** Ensure there are no public merge requests which inadvertently disclose the issue
- [ ] [:grey_question:][step_coordinate_cve_id] **(SwEng)** Check if we need to coordinate with other vendors (an industry-wide CVE identifier might be necessary)
- [ ] [:grey_question:][step_assign_cve_id] **(SwEng)** Assign a CVE identifier
- [ ] [:grey_question:][step_note_cve_info] **(SwEng)** Update this issue with the assigned CVE identifier, the CVSS score, and the CWE category
- [ ] [:grey_question:][step_versions_affected] **(SwEng)** Determine the branches of product versions affected (including the Subscription Edition)
- [ ] [:grey_question:][step_earliest_prepare] **(Support)** Prepare "earliest" notification text
- [ ] [:grey_question:][step_earliest_send] **(Support)** Update "earliest" notification ticket in support portal Earliest queue which will notify earliest customers
- [ ] [:grey_question:][step_advisory_mr] **(Support)** Create a merge request for the Security Advisory and include all readily available information in it
- [ ] [:grey_question:][step_reproducer] **(SwEng)** Prepare a private merge request containing a system test reproducing the problem
- [ ] [:grey_question:][step_notify_support] **(SwEng)** Notify Support when a reproducer is ready
- [ ] [:grey_question:][step_code_analysis] **(SwEng)** Prepare a detailed explanation of the code flow triggering the problem
- [ ] [:grey_question:][step_fix] **(SwEng)** Prepare a fix and push it as a separate commit to the merge request with the reproducer
- [ ] [:grey_question:][step_review_fix] **(SwEng)** Ensure the merge request with the fix is reviewed and has no outstanding discussions
- [ ] [:grey_question:][step_review_docs] **(Support)** Review the documentation changes introduced by the merge request with the fix
- [ ] [:grey_question:][step_backports] **(SwEng)** Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product
- [ ] [:grey_question:][step_merge_fixes] **(SwEng)** Merge the CVE fixes and reproducer when they get approved
- [ ] [:grey_question:][step_finish_advisory] **(Support)** Finish preparing the Security Advisory
- [ ] [:grey_question:][step_meta_issue] **(QA)** Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
- [ ] [:grey_question:][step_coordinate_check] **(SwEng)** Make sure other vendors are able to release on the date that was previously agreed upon
### Earlier Than T-5
- [ ] [:link:][step_merge_fixes] **(QA)** Merge the CVE fixes in CVE identifier order
- [ ] [:link:][step_evn_releases] **(QA)** Prepare EVN releases (as outlined in the Release Checklist)
- [ ] [:grey_question:][step_evn_releases] **(QA)** Prepare EVN releases (as outlined in the Release Checklist)
### At T-5
- [ ] [:link:][step_evn_links] **(Marketing)** (BIND 9 only) Update the BIND -S [ticket](https://techsupport.isc.org/Ticket/Display.html?id=23796) in the support portal with download links to the new versions
- [ ] [:link:][step_evn_send_t_5] **(Support)** Notify eligible customers by adding a ticket to the 5-Day queue in RT with the text of the advisory (earliest, and T-5)
- [ ] [:link:][step_preannouncement] **(Marketing)** Send a pre-announcement email to the appropriate *-announce* mailing list to alert users that the upcoming release will include security fixes
- [ ] [:grey_question:][step_evn_links] **(Marketing)** (BIND 9 only) Update the BIND -S [ticket](https://techsupport.isc.org/Ticket/Display.html?id=23796) in the support portal with download links to the new versions
- [ ] [:grey_question:][step_evn_send_t_5] **(Support)** Notify eligible customers by adding a ticket to the 5-Day queue in RT with the text of the advisory (earliest, and T-5)
- [ ] [:grey_question:][step_preannouncement] **(Marketing)** Send a pre-announcement email to the appropriate *-announce* mailing list to alert users that the upcoming release will include security fixes
### At T-3
- [ ] [:link:][step_evn_send_t_3] **(Support)** Notify eligible customers by adding a ticket to the 3-Day queue in RT with the text of the advisory (T-3)
- [ ] [:grey_question:][step_evn_send_t_3] **(Support)** Notify eligible customers by adding a ticket to the 3-Day queue in RT with the text of the advisory (T-3)
### At T-1
- [ ] [:link:][step_packager_emails] **(First IM)** Send notifications to OS packagers
- [ ] [:grey_question:][step_packager_emails] **(First IM)** Send notifications to OS packagers
### On the Day of Public Disclosure
- [ ] [:link:][step_clearance] **(IM)** Grant QA & Marketing clearance to proceed with public release
- [ ] [:link:][step_matrix] **(Support)** (BIND 9 only) Add the new CVEs to the vulnerability matrix in the Knowledge Base
- [ ] [:link:][step_bump_advisory] **(Support)** Bump Document Version for the Security Advisory in Printing Press
- [ ] [:link:][step_publish_advisory] **(Support)** Publish the Security Advisory in the Knowledge Base
- [ ] [:link:][step_publish] **(QA/Marketing)** Publish the releases (as outlined in the release checklist)
- [ ] [:link:][step_notifications] **(First IM)** Send notification emails to third parties
- [ ] [:link:][step_mitre] **(First IM)** Advise MITRE about the disclosed CVEs
- [ ] [:link:][step_merge_advisory] **(First IM)** Merge the Security Advisory merge request
- [ ] [:link:][step_embargo_end] **(IM)** Inform original reporter (if external) that the security disclosure process is complete
- [ ] [:link:][step_evn_clear] **(Support)** Update the tickets in the EVN queues in RT that the embargo is lifted
- [ ] [:link:][step_customers] **(Marketing)** Ensure that a ticket has been sent in the appropriate announce queue in RT to notify customers that the release is published (as outlined in the release checklist)
- [ ] [:grey_question:][step_clearance] **(SwEng)** Grant QA & Marketing clearance to proceed with public release
- [ ] [:grey_question:][step_matrix] **(Support)** (BIND 9 only) Add the new CVEs to the vulnerability matrix in the Knowledge Base
- [ ] [:grey_question:][step_bump_advisory] **(Support)** Bump Document Version for the Security Advisory in Printing Press
- [ ] [:grey_question:][step_publish_advisory] **(Support)** Publish the Security Advisory in the Knowledge Base
- [ ] [:grey_question:][step_publish] **(QA/Marketing)** Publish the releases (as outlined in the release checklist)
- [ ] [:grey_question:][step_notifications] **(First IM)** Send notification emails to third parties
- [ ] [:grey_question:][step_mitre] **(First IM)** Advise MITRE about the disclosed CVEs
- [ ] [:grey_question:][step_merge_advisory] **(First IM)** Merge the Security Advisory merge request
- [ ] [:grey_question:][step_embargo_end] **(SwEng)** Inform original reporter (if external) that the security disclosure process is complete
- [ ] [:grey_question:][step_evn_clear] **(Support)** Update the tickets in the EVN queues in RT that the embargo is lifted
- [ ] [:grey_question:][step_customers] **(Marketing)** Ensure that a ticket has been sent in the appropriate announce queue in RT to notify customers that the release is published (as outlined in the release checklist)
[step_deputy]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#pick-a-deputy-incident-manager
[step_incident_manager]: https://gitlab.isc.org/isc-private/bind9/-/wikis/Initial-Handling-of-(Potential)-Security-Issues
[step_respond]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#respond-to-the-bug-reporter
[step_public_mrs]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#ensure-there-are-no-public-merge-requests-which-inadvertently-disclose-the-issue
[step_coordinate_cve_id]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#check-if-we-need-to-coordinate-with-other-vendors-an-industry-wide-cve-identifier-might-be-necessary