Hi,
When we have a release that contains CVEs, we currently link to a CVE
authority to display the full details about that CVE. This has presented
a few issues:
- The CVE authority does not publish the CVE details when the release is
made; the window for this happening can vary
- As a result, we can't link to that page from the news announcement;
when we have in the past, we'll get reports about the URL 404ing
This patchset aims to remedy this by creating a page that houses the
details about a CVE. It includes the additional description that is
provided to the CVE authority and allows for the details to be published
as soon as the CVE is published. See attached screenshot.
0001 updates the current CVE ID validator to match what MITRE has put
forth on the numbering (7 digits! It does say in places it can be
"arbitrary amounts" but the official examples go up to 7 digits), and
0002 refactors a function we used to generate our internal CVE IDs so it
can be used in multiple places, e.g. its use in 0003.
The security team has reviewed the proposed visual contents and has
given its consent.
Thanks,
Jonathan
