Mostly this is a note for any future release managers but also a FYI
to anyone interested.
We're participating in the CVE Automation Working Group pilot to
provide CVE information via git. This means when we do any future
security release of OpenSSL we can send information about each CVE
directly to Mitre (via a forked github repo and pull request) rather
than filling out their web based form.
In order to prepare for the pilot we've also switched from providing
CVE information from the Mitre plain text format to JSON. The
JSON files do not have to be written by hand, unlike the text versions
we had to create, and are instead created using a script from the
XML format we use to populate the OpenSSL site.
Step by step Instructions for release managers are (temporarily)
included in cvepool.txt file in the private repo.
Mark J Cox
openssl-project mailing list