2.1 KiB
2.1 KiB
CVE-specific actions
- Assign a CVE identifier
- Determine CVSS score
- Determine the range of BIND versions affected (including the Subscription Edition)
- Determine whether workarounds for the problem exists
- Prepare a detailed description of the problem which should include the following by default:
- instructions for reproducing the problem (a system test is good enough)
- explanation of code flow which triggers the problem (a system test is not good enough)
- Prepare a private merge request containing the following items in separate commits:
- a test for the issue (may be moved to a separate merge request for deferred merging)
- a fix for the issue
- documentation updates (
CHANGES, release notes, anything else applicable)
- Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions
- Ensure the documentation changes introduced by the merge request addressing the problem are reviewed by Support and Marketing staff
- Prepare backports of the merge request addressing the problem for all affected (and still maintained) BIND branches (backporting might affect the issue's scope and/or description)
- Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch
Release-specific actions
- Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
- Reserve a block of
CHANGESplaceholders once the complete set of vulnerabilities fixed in a given release cycle is determined - Ensure the merge requests containing CVE fixes are merged into
security-*branches in CVE identifier order