236c842934
* fix(DB/SmartAI): improve Harry surrendering during quest 'Gambling Debt' (#23598) * fix(DB/Quest): The Kalu'ak dailies reward 500 rep (#23600) * chore(DB): import pending files Referenced commit(s):fb03f41b2a* fix(DB/GameEvent): Remove midsummer pole in K3 (#23614) * chore(DB): import pending files Referenced commit(s):7b0000d6ee* fix(DB/SmartAI): increase reliability of quest event Foolish Endeavors (#23612) * chore(DB): import pending files Referenced commit(s):86f219abbc* fix(Scripts/AreaTrigger): players become stuck after Last Rites (#23613) * chore(DB): import pending files Referenced commit(s):c1a8047cf1* fix(Core/Vmaps): Fix inconsistency of hitInstance and hitModel to cause wrong area ids (#23233) Co-authored-by: ModoX <moardox@gmail.com> Co-authored-by: Shauren <shauren.trinity@gmail.com> Co-authored-by: Grimdhex <237474256+Grimdhex@users.noreply.github.com> Co-authored-by: sudlud <sudlud@users.noreply.github.com> * fix(DB/Gameobject): Sniffed Values for 'Wild Mustard' spawns (#23608) * fix(DB/SmartAI): remove large combat distance of Frostbrood Sentry (#23607) * chore(DB): import pending files Referenced commit(s):41d40b236f* fix(DB/ReputationRewardRate): Patch 3.0.0 gain for Northrend factions (#23597) * chore(DB): import pending files Referenced commit(s):067a898caa* fix(Core/Map): It should be ensured that the instance is unloaded only after the Creature Respawn. (#23103) * fix(Scripts/Northrend): Sniffing Out The Perpetrator horde (#23620) * fix(Scripts/Northrend): ensure Drakuru stays in place during Betrayal (#23619) * chore(DB): import pending files Referenced commit(s):928e145694* fix(DB/SmartAI): quest 'Reconnaissance Flight' (#23628) Co-authored-by: dr-j <dr-j@users.noreply.github.com> Co-authored-by: Killyana <morphone1@gmail.com> * fix(DB/QuestOfferReward): remove mention of a beta recipe in text (#23629) * fix(DB/Conditions): update quest conditions to drop chokers (#23610) * chore(DB): import pending files Referenced commit(s):bca8f7ce07* refactor(Core/PlayerScript): Delete OnPlayerChat, use OnPlayerCanUseChat (#23617) * fix(Core/SmartAI): startup warnings unused params (#23551) * fix(Core/Unit): Druid Talent Survival of the Fittest lacking immunity to creature daze (#23471) * fix(DB/SAI): Fix Fizzcrank Paradrop teleporters (#23633) * chore(DB): import pending files Referenced commit(s):94ba1c210d* fix(Core): Fix waterwalking after dying in instance (#23593) * fix(DB/SAI): don't remove all auras when mounting flamebringer (#23640) * chore(DB): import pending files Referenced commit(s):22f91f3802* fix(DB/SAI): Emerald Lasher goes out of the terrain when aggroed. (#23642) * chore(DB): import pending files Referenced commit(s):f9d6fe41de* fix(DB/SAI): Burning Depths Necromancer no longer stays in place. (#23641) * chore(DB): import pending files Referenced commit(s):1037471c8d* fix(DB/SAI): Remove SmartAI from Valkyrion Harpoon Gun. (#23646) * chore(DB): import pending files Referenced commit(s):8e3a7e6dcf* fix(DB/Creature): Fix Weakened Reanimated Frost Wyrm inhabit type (#23645) * chore(DB): import pending files Referenced commit(s):3baa18ef5b* fix(DB/Spell): Infectious Bites should stack from different casters (#23647) * chore(DB): import pending files Referenced commit(s):5aede412ab* fix(DB/SAI): Solve various issues with It Goes to 11... quest. (#23651) * fix(DB/Loot): Fireproof Satchel will now always drop the Ritual of Torch (#23585) * chore(DB): import pending files Referenced commit(s):1090c209b3* fix(Scripts/Northrend): Betrayal quest (#23650) * fix(Script/BlackTemple): Reliquary of Souls will use 45 degree in front to set incombat (#22938) * fix(Scripts/Spell): Fix Animal Blood spawning when it shouldn't (#23656) * fix(Scripts/BoreanTundra): Script Bloodspore Haze/Psychosis (#23657) * chore(DB): import pending files Referenced commit(s):baf7957e36* fix(DB/SAI): Sibling Rivalry quest credit if mounted (#23659) * chore(DB): import pending files Referenced commit(s):6919cc679d* fix(docs/license): use GPLv2 as MaNGOS-based project (#23655) * fix(Core/Achievements): a character can only have 1 race realm first (#23626) * chore: fix leftover license header (#23678) * fix(Scripts/HoL): Update Loken script (#23587) * fix(Scripts/DTK): Update King Dred script (#23572) * fix(DB/SAI): Bitter Departure quest credit (#23658) * chore(DB): import pending files Referenced commit(s):e595425578* fix(DB/Conditions): Ice Shard require Icy Imprisonment (#23661) * chore(DB): import pending files Referenced commit(s):8294652e77* fix(DB/Loot): add Scourge Curio drop to Lost Shandaral Spirit (#23686) * chore(DB): import pending files Referenced commit(s):b6ed4347fe* fix(DB/Gameobject): fix spell focus location for 'Will of the Titans' (#23683) * chore(DB): import pending files Referenced commit(s):388f18895d* fix(DB/Creature): update IOC Demolisher spells (#23685) * chore(DB): import pending files Referenced commit(s):cdfa50c990* fix(Scripts/Northrend): IOC boss cast ability Mortal Strike (#23684) * fix(Scripts/BoreanTundra): Fix Beryl Sorcerer engaging mobs (#23690) * fix(Core/Entities): Improve interactions between taxis and players regarding PvP flag. (#23681) * fix(DB/Creature): Peon Gakra should be an innkeeper (#23699) * chore(DB): import pending files Referenced commit(s):6abff4ac2b* fix(Scripts/SholazarBasin): Fix Song of Wind and Water double credit (#23707) * fix(DB/SAI): Reanimated Frost Wyrm engage after being hit by quest spell (#23697) * fix(DB/SAI): Timely respawn Nesingwary Trappers (#23703) * fix(DB/Creature): Fix Fjord Hawk Matriarch unit flags (#23696) * fix(DB/Conditions): Fix Fordragon Resolve target conditions (#23701) * chore(DB): import pending files Referenced commit(s):2942d63125* fix(DB/Script): Move Tailhorn Stag and Amberpine Woodsman behavior into SmartAI. (#23708) * fix(DB/Creature): Set Trigger flag on Steam Vent. (#23710) * chore(DB): import pending files Referenced commit(s):435ca302ef* fix(DB/SAI): To Stars' Rest! taxi flight (#23712) * chore(DB): import pending files Referenced commit(s):ab4d59ac9d* fix (DB/Creature): Set Surveyor Orlond flags. (#23714) * chore(DB): import pending files Referenced commit(s):e8ec77dca7* fix(DB/Loot): Fix Master Summoner Staff drop chance (#23717) * chore(DB): import pending files Referenced commit(s):182c055e6e* fix(Scripts/DTK): Fix Oh Novos! achievement (#23539) (#23718) * fix(Core/Spells): Remove King Mrgl-Mrgl costume on spell casting (#23713) * chore(DB): import pending files Referenced commit(s):8c963a11ce* fix(DB/Reputation): Utigarde Pinnacle normal reputation (#23719) * chore(DB): import pending files Referenced commit(s):88ed7d66d5* fix(Scripts/HoS): Clean up faction update hacks (#23720) * fix(DB/Reputation): Lower reputation according to rates handling (#23722) * fix(DB/Reputation): Oculus normal & UP correction (#23723) * chore(DB): import pending files Referenced commit(s):abc2cf3028* fix(Scripts/Oculus): Implement crossfaction support for drakes (#23704) * fix(DB/Quest): Correct prerequisite for Reclaimed Ration (#23736) Co-authored-by: blinkysc <blinkysc@users.noreply.github.com> * fix(DB/Quest): Correct prerequisite for Salvaging Life's Strength (#23734) Co-authored-by: blinkysc <blinkysc@users.noreply.github.com> * chore(DB): import pending files Referenced commit(s):afd8197588* fix(Core/Movement): Fix SummonMovementInform for summons (#23725) * refactor(Core/Movement): Fix Build (#23739) * fix(DB/SAI): Update Iron Rune Construct SAI to use DO_ACTION instead … (#23716) * chore(DB): import pending files Referenced commit(s):7cc39f78e2* fix(DB/SAI): Fix Flamebringer gossip interaction (#23740) * chore(DB): import pending files Referenced commit(s):9cb683cfcd* fix(DB/SAI): Nerub'ar member packs now attack together. (#23727) * chore(DB): import pending files Referenced commit(s):6f5a1b7ccc* fix(DB/SAI): Remove Harrison Johnes quest flag on escort accept (#23700) * chore(DB): import pending files Referenced commit(s):bacf15d356* Update crash issue template with log submission guidelines (#23754) * Merge * Updated OnPlayerChat method name to OnPlayerCanUseChat --------- Co-authored-by: sogladev <sogladev@gmail.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: 天鹭 <18535853+PkllonG@users.noreply.github.com> Co-authored-by: ModoX <moardox@gmail.com> Co-authored-by: Shauren <shauren.trinity@gmail.com> Co-authored-by: Grimdhex <237474256+Grimdhex@users.noreply.github.com> Co-authored-by: sudlud <sudlud@users.noreply.github.com> Co-authored-by: dr-j <dr-j@users.noreply.github.com> Co-authored-by: Killyana <morphone1@gmail.com> Co-authored-by: Undo <50205200+UndoUreche@users.noreply.github.com> Co-authored-by: Andrew <47818697+Nyeriah@users.noreply.github.com> Co-authored-by: killerwife <killerwife@gmail.com> Co-authored-by: Tereneckla <Tereneckla@pm.me> Co-authored-by: Rocco Silipo <108557877+Rorschach91@users.noreply.github.com> Co-authored-by: Ryan Turner <16946913+TheSCREWEDSoftware@users.noreply.github.com> Co-authored-by: blinkysc <37940565+blinkysc@users.noreply.github.com> Co-authored-by: Francesco Borzì <borzifrancesco@gmail.com> Co-authored-by: Benjamin Jackson <38561765+heyitsbench@users.noreply.github.com> Co-authored-by: Traesh <Traesh@users.noreply.github.com> Co-authored-by: blinkysc <blinkysc@users.noreply.github.com>
4.7 KiB
Anatomy of a curl security advisory
As described in the Security Process document, when a security vulnerability has been reported to the project and confirmed, we author an advisory document for the issue. It should ideally be written in cooperation with the reporter to make sure all the angles and details of the problem are gathered and described correctly and succinctly.
New document
A security advisory for curl is created in the docs/ folder in the
curl-www repository. It should be named
$CVEID.md where $CVEID is the full CVE Id that has been registered for the
flaw. Like CVE-2016-0755. The .md extension of course means that the
document is written using markdown.
The standard way to go about this is to first write the VULNERABILITY
section for the document, so that there is description of the flaw available,
then paste this description into the CVE Id request.
vuln.pm
The new issue should be entered at the top of the list in the file vuln.pm
in the same directory. It holds a large array with all published curl
vulnerabilities. All fields should be filled in accordingly, separated by a
pipe character (|).
The eleven fields for each CVE in vuln.pm are, in order:
HTML page name, first vulnerable version, last vulnerable version, name of
the issue, CVE Id, announce date (YYYYMMDD), report to the project date
(YYYYMMDD), CWE, awarded reward amount (USD), area (single word), C-issue
(- if not a C issue at all, OVERFLOW , OVERREAD, DOUBLE_FREE,
USE_AFTER_FREE, NULL_MISTAKE, UNINIT)
Makefile
The new CVE webpage filename needs to be added in the Makefile's CVELIST
macro.
When the markdown is in place and the Makefile and vuln.pm are updated,
all other files and metadata for all curl advisories and versions get
generated automatically using those files.
Document format
The easy way is to start with a recent previously published advisory and just blank out old texts and save it using a new name. Save the subtitles and general layout.
Some details and metadata are extracted from this document so it is important to stick to the existing format.
The first list must be the title of the issue.
VULNERABILITY
The first subtitle should be VULNERABILITY. That should then include a
through and detailed description of the flaw. Including how it can be
triggered and maybe something about what might happen if triggered or
exploited.
INFO
The next section is INFO which adds meta data information about the flaw. It
specifically mentions the official CVE Id for the issue and it must list the
CWE Id, starting on its own line. We write CWE identifiers in advisories with
the full (official) explanation on the right side of a colon. Like this:
CWE-305: Authentication Bypass by Primary Weakness
AFFECTED VERSIONS
The third section first lists what versions that are affected, then adds clarity by stressing what versions that are not affected. A third line adds information about which specific git commit that introduced the vulnerability.
The Introduced-in commit should be a full URL that displays the commit, but
should work as a stand-alone commit hash if everything up to the last slash is
cut out.
An example using the correct syntax:
- Affected versions: curl 7.16.1 to and including 7.88.1
- Not affected versions: curl < 7.16.1 and curl >= 8.0.0
- Introduced-in: https://github.com/curl/curl/commit/2147284cad
THE SOLUTION
This section describes and discusses the fix. The only mandatory information here is the link to the git commit that fixes the problem.
The Fixed-in value should be a full URL that displays the commit, but should
work as a stand-alone commit hash if everything up to the last slash is cut
out.
Example:
- Fixed-in: https://github.com/curl/curl/commit/af369db4d3833272b8ed
RECOMMENDATIONS
This section lists the recommended actions for the users in a top to bottom priority order and should ideally contain three items but no less than two.
The top two are almost always upgrade curl to version XXX and apply the patch to your local version.
TIMELINE
Detail when this report was received in the project. When package distributors were notified (via the distros mailing list or similar)
When the advisory and fixed version are released.
CREDITS
Mention the reporter and patch author at least, then everyone else involved you think deserves a mention.
If you want to mention more than one name, separate the names with comma
(,).
- Reported-by: Full Name
- Patched-by: Full Name