haskell / security-advisories

https://haskell.github.io/security-advisories/

add advisory for biscuit-haskell 0.3.x #230

Closed divarvel closed 3 months ago

divarvel commented 3 months ago

Advisory

hsec-tools


Following the publication of https://github.com/biscuit-auth/biscuit-haskell/security/advisories/GHSA-47cq-pc2v-3rmp

It's my first time, let me know if I did it correctly :-)

For hsec-tools, I'm not sure how to do it (or if I should do it myself, vs having it done by CI).

TristanCacqueray commented 3 months ago

Yes, CI validates it. I don't remember, what's the process to pick the HSEC id again?

blackheaven commented 3 months ago

IIRC the merger amends the commit.

Anyway, we should document it.

/cc @frasertweedale

divarvel commented 3 months ago

I have moved the PR back to draft because the CVE ID might change (we filed several CVEs but we might have to only keep a single CVE that covers spec and implementations). Is this something that can be amended later or does it need to be right before merging?

frasertweedale commented 3 months ago

> I have moved the PR back to draft because the CVE ID might change (we filed several CVEs but we might have to only keep a single CVE that covers spec and implementations). Is this something that can be amended later or does it need to be right before merging?

We can merge without the CVE alias (or with the current CVE(s)), and update it later if needed.

frasertweedale commented 3 months ago

> Yes, CI validates it. I don't remember, what's the process to pick the HSEC id again?

We have some code for working out the next unassigned/unreserved HSEC ID, but it is only used in the reserve command. Still, even something like hsec-tools next that simply prints out the next value could be useful. I could code that up over the weekend.

For this advisory, I proposed HSEC-2024-0009 - after 0006..0008 which are awaiting merge in PR https://github.com/haskell/security-advisories/pull/214 (avoid conflicts).
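The "next unassigned HSEC ID" logic discussed above, as an added illustration and not the code of hsec-tools or the haskell/security-advisories project: it parses HSEC-YYYY-NNNN identifiers, treats both published advisories and reserved or pending identifiers as taken, and returns the next free sequence number for a given year (so a new year restarts at 0001). The identifier lists below are constructed sample data; the only values taken from the thread are that 0006..0008 are pending and 0009 is the proposed next one.

```python
import re

# HSEC identifiers have the shape HSEC-<4-digit year>-<4-digit sequence>.
HSEC_ID = re.compile(r"^HSEC-(\d{4})-(\d{4})$")

# Constructed sample data (not real repository contents):
# advisories already merged in the repository ...
PUBLISHED = ["HSEC-2024-0001", "HSEC-2024-0002", "HSEC-2024-0003",
             "HSEC-2024-0004", "HSEC-2024-0005"]
# ... plus identifiers reserved or awaiting merge in open PRs, which
# must also count as taken to avoid collisions.
PENDING = ["HSEC-2024-0006", "HSEC-2024-0007", "HSEC-2024-0008"]


def parse_hsec_id(ident: str) -> tuple[int, int]:
    """Split an HSEC identifier into (year, sequence), rejecting malformed input."""
    m = HSEC_ID.match(ident)
    if not m:
        raise ValueError(f"not a well-formed HSEC identifier: {ident!r}")
    return int(m.group(1)), int(m.group(2))


def next_hsec_id(taken: list[str], year: int) -> str:
    """Return the lowest unused HSEC identifier for `year`.

    Every identifier in `taken` (published, reserved, or pending in an
    open PR) is considered assigned; sequence numbers restart each year.
    """
    used = {parse_hsec_id(i) for i in taken}
    seqs = [seq for (y, seq) in used if y == year]
    return f"HSEC-{year:04d}-{max(seqs, default=0) + 1:04d}"


def is_available(taken: list[str], proposed: str) -> bool:
    """Check that a hand-picked identifier does not clash with a taken one."""
    return parse_hsec_id(proposed) not in {parse_hsec_id(i) for i in taken}


if __name__ == "__main__":
    everything = PUBLISHED + PENDING
    print(next_hsec_id(everything, 2024))              # HSEC-2024-0009
    print(next_hsec_id(everything, 2025))              # HSEC-2025-0001
    print(is_available(everything, "HSEC-2024-0007"))  # False, pending in a PR
```

The point of feeding pending identifiers in alongside published ones is exactly the conflict-avoidance mentioned above: a tool that only scanned merged advisories would hand out 0006 again while PR #214 is still open.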

frasertweedale commented 3 months ago

Thank you for your contribution, @divarvel.