Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add advisory for biscuit-haskell 0.3.x #230

Merged
merged 1 commit into from
Aug 1, 2024
Merged

add advisory for biscuit-haskell 0.3.x #230

merged 1 commit into from
Aug 1, 2024

Conversation

divarvel
Copy link
Contributor

Advisory

  • It's not duplicated
  • All fields are filled
  • It is validated by hsec-tools

hsec-tools

  • Previous advisories are still valid

Following the publication of GHSA-47cq-pc2v-3rmp

It's my first time, let me know if I did it correctly :-)

For hsec-tools, i'm not sure how to do it (or if i should do it myself, vs having it done by CI).

@TristanCacqueray
Copy link
Collaborator

Yes, CI validates it. I don't remember, what's the process to pick the HSEC id again?

@blackheaven
Copy link
Collaborator

IIRC the merger amend the commit.

Anyway, we should document it.

/cc @frasertweedale

@divarvel divarvel marked this pull request as draft August 1, 2024 07:53
@divarvel
Copy link
Contributor Author

divarvel commented Aug 1, 2024

I have moved the PR back to draft because the CVE ID might change (we filed several CVEs but we might have to only keep a single CVE that covers spec and implementations). Is this something that can be amended later or does it need to be right before merging?

@frasertweedale
Copy link
Collaborator

I have moved the PR back to draft because the CVE ID might change (we filed several CVEs but we might have to only keep a single CVE that covers spec and implementations). Is this something that can be amended later or does it need to be right before merging?

We can merge without the CVE alias (or with the current CVE(s)), and update it later if needed.

@frasertweedale
Copy link
Collaborator

Yes, CI validates it. I don't remember, what's the process to pick the HSEC id again?

We have some code for working out the next unassigned/unreserved HSEC ID, but it is only used in the reserve command. Still, even something like hsec-tools next that simply prints out the next value could be useful. I could code that up over the weekend.

For this advisory, I proposed HSEC-2024-0009 - after 0006..0008 which are awaiting merge in PR #214 (avoid conflicts).

@divarvel divarvel marked this pull request as ready for review August 1, 2024 12:23
@frasertweedale frasertweedale merged commit 59bea00 into haskell:main Aug 1, 2024
3 checks passed
@frasertweedale
Copy link
Collaborator

Thank you for your contribution, @divarvel.

@divarvel divarvel deleted the biscuit-haskell-0.3.x branch August 2, 2024 08:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frasertweedale frasertweedale frasertweedale approved these changes

@blackheaven blackheaven blackheaven approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@divarvel @TristanCacqueray @blackheaven @frasertweedale