Handling Security Issues [Mantis Bug Tracker Wiki]


Differences

This shows you the differences between two versions of the page.


mantisbt:handling_security_problems [2015/02/13 18:08]
dregad Use InterWiki syntax for MantisBT bug links
mantisbt:handling_security_problems [2017/03/10 07:34] (current)
dregad Add "Reference the CVE" section
Line 48: Line 48:
     * Set //Target Version// to the next stable release (e.g. "1.2.x")     * Set //Target Version// to the next stable release (e.g. "1.2.x")
     * Make sure it is indeed **Private**     * Make sure it is indeed **Private**
-  - Notify the rest of the core team about the vulnerability by adding them to the email thread / issue discussion((Do not use the Developer's mailing list to avoid early disclosure.)) (use the //Send Reminder// feature)+  - Notify the rest of the core team about the vulnerability by adding them to the email thread / issue discussion((Do not use the Developer's mailing list to avoid early disclosure.)) (use //@mentions// or the //Send Reminder// feature)
   - Propose a fix by **attaching a git patch** to the issue ((It is important not to leak information about the vulnerability by pushing fixes to the public Github repositories before the disclosure.))   - Propose a fix by **attaching a git patch** to the issue ((It is important not to leak information about the vulnerability by pushing fixes to the public Github repositories before the disclosure.))
-  - The original reporter as well should test the fix to confirm resolution+  - The original reporter should test the fix to confirm resolution
   - If possible, at least one other MantisBT developer should review and test the fix as well   - If possible, at least one other MantisBT developer should review and test the fix as well
  
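Review bot: the new //@mentions// alternative in the notify step does not say where the mention is to be made; since the footnote on the same line warns against the Developer's mailing list to avoid early disclosure, suggest stating it explicitly, e.g. "(use //@mentions// in the private issue's notes or the //Send Reminder// feature)". The rewording from "The original reporter as well should test" to "The original reporter should test" reads fine, and the item order is unchanged.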
Line 75: Line 75:
 ==== Obtaining a CVE ID ==== ==== Obtaining a CVE ID ====
  
-Refer to Kurt Seifried's [[https://github.com/RedHatProductSecurity/CVE-HOWTO#how-do-i-request-a-cve|CVE HowTo]] for the process to request a CVE ID.+Fill the form at https://cveform.mitre.org/, following indications on the page.
  
-The request must include:+  * //Vendor of the product// and //Product// should be set to **MantisBT** 
 +  * a couple of examples for the //Version// field 
 +    - Single version: 2.1.0 and later; fixed in 2.2.1 
 +    - Multiple versions: 1.3.0-beta.3 through 2.2.0, fixed in 1.3.7, 2.2.1 
 +  * //Affected components//: the MantisBT page(s) where the problem exists 
 +  * //References// should include (if public) links to 
 +    - the MantisBT issue  
 +    - Github commit(s) with patches fixing the issue
  
-  - description of the issue, including but not limited to +Once the form has been submittedthe system will send a confirmation e-mail with a request number; after reviewMITRE'CVE assignment team will send another e-mail with the CVE IDFrom experience, the CVE ID usually gets assigned within one business day.
-     * type, e.g. XSSsql injection... +
-     * which area of Mantis are affected +
-     * potential consequences of exploiting the bug +
-     * indication on severity +
-  - affected MantisBT version(s+
-  link to MantisBT issue +
-  - optionally, information about the reporter (if available and they do not refuse to be quoted) +
-  - information about the patch (i.e. where it can be found, commit SHA) +
-  - optionallyattach the patch itself+
  
-Here are a few **examples** of public CVE requests: +Note that There are alternatives to request CVE IDs; refer to Kurt Seifried's [[https://github.com/RedHatProductSecurity/CVE-HOWTO#how-do-i-request-a-cve|CVE HowTo]] for further information. 
 + 
 +Here are a few **examples** of public CVE requests, requested via the //oss-security Mailing List//
 [[http://thread.gmane.org/gmane.comp.security.oss.general/15434|1]],  [[http://thread.gmane.org/gmane.comp.security.oss.general/15434|1]], 
 [[http://thread.gmane.org/gmane.comp.security.oss.general/15429|2]],  [[http://thread.gmane.org/gmane.comp.security.oss.general/15429|2]], 
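Review bot: replacing the CVE HowTo with the MITRE form drops, without a substitute, the removed guidance on describing the issue (type such as XSS or SQL injection, affected area of Mantis, potential consequences, severity) and on crediting the reporter; the MITRE form asks for a suggested description, so suggest keeping that material as a //Description// bullet next to //Affected components//. Also, //References// asks for Github commit links "(if public)", but the earlier step says patches are attached to the private issue and not pushed before disclosure, so at request time those links will usually not exist; suggest saying they are added once the fix is published. Minor: "Note that There are alternatives" should read "Note that there are alternatives".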
Line 96: Line 96:
 [[http://thread.gmane.org/gmane.comp.security.oss.general/9876|4]].  [[http://thread.gmane.org/gmane.comp.security.oss.general/9876|4]]. 
  
-From experience, the CVE ID usually gets assigned within one business daybut sometimes it takes up to a week.+==== Reference the CVE ID ==== 
 + 
 +Once the CVE ID has been assigned, it must be referenced in MantisBT, and used in every communication related to the security issue
  
 +  * MantisBT's issue tracker (**Mandatory**): prefix the issue's summary with ''CVE-YYYY-XXXX - ''
 +  * in commit messages
 +  * on GitHub pull requests
 +  * in mailing lists discussions
 +  * in announcements (e.g. release notes, blog post, twitter...)
 +  * etc
  
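Review bot: the mandatory summary prefix ''CVE-YYYY-XXXX - '' implies a four-digit sequence number, but a CVE ID's sequence part has a minimum of four digits and may be five or more, so suggest writing it as ''CVE-YYYY-NNNN... - '' or adding a remark that the sequence part can be longer than four digits. Also, the caveat "but sometimes it takes up to a week" from the removed sentence does not reappear where that sentence was moved to in the //Obtaining a CVE ID// section; if that experience still holds, restore it there. The trailing "* etc" bullet adds nothing to the list and can be dropped.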
mantisbt/handling_security_problems.1423868905.txt.gz · Last modified: 2015/02/13 18:08 by dregad