Mostly this is a note for any future release managers but also an FYI to anyone interested.

We're participating in the CVE Automation Working Group pilot to provide CVE information via git[1]. This means when we do any future security release of OpenSSL we can send information about each CVE directly to Mitre (via a forked github repo and pull request) rather than filling out their web-based form.

In order to prepare for the pilot we've also switched from providing CVE information from the Mitre plain text format to JSON[2]. The JSON files do not have to be written by hand, unlike the text versions we had to create, and are instead created using a script[4] from the XML format[3] we use to populate the OpenSSL site.

Step-by-step instructions for release managers are (temporarily) included in the cvepool.txt file in the private repo.

Mark J Cox

[1] https://github.com/CVEProject/cvelist/
[2] https://github.com/CVEProject/automation-working-group/tree/master/cve_json_schema
[3] https://www.openssl.org/news/vulnerabilities.xml
[4] https://github.com/openssl/web/blob/master/bin/vulnxml2json.py