author Florian Weimer <fw@deneb.enyo.de> 2009-02-27 19:17:20 +0000
committer Florian Weimer <fw@deneb.enyo.de> 2009-02-27 19:17:20 +0000
commit e1513381fc57ef34df8600989257322cfed0b167
tree 36ff46e4604beda55726e8164a29cddac8488e52 /doc/narrative_introduction
parent df899480e243dea130ac90308525e8dda8c7a185
CVE-20yy-XXXX documentation
Feel free to edit if necessary.

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@11279 e39458fd-73e7-0310-bf30-c45bca0a0e42

Diffstat (limited to 'doc/narrative_introduction')
-rw-r--r-- doc/narrative_introduction 25
1 files changed, 24 insertions, 1 deletions
diff --git a/doc/narrative_introduction b/doc/narrative_introduction
index aa06eb4ef0..3d154265c4 100644
--- a/doc/narrative_introduction
+++ b/doc/narrative_introduction
@@ -297,6 +297,30 @@ STABLE11 and ...)
NOTE: Bug was introduced in a patch to squid-2.5.STABLE10,
NOTE: this patch was never applied to the Debian package.
+CVE assignments
+---------------
+
+Debian can only assign CVE names from its own pool for issues which
+are not public. To request a CVE from the Debian pool, write to
+<security@debian.org> and include a description which follows CVE
+conventions. To request a CVE for public issues, write to MITRE and
+possibly to the moderated oss-security list. In the meantime, you can
+add an entry of the form
+
+CVE-2009-XXXX [optipng array overflow]
+ - optipng 0.6.2.1-1 (low)
+ NOTE: http://secunia.com/advisories/34035/
+
+in the data/CVE/list file. It is desirable to include references
+which uniquely identify the issue, such as a permanent link to an
+entry in the upstream bug tracker, or a bug in the Debian BTS. If the
+issue is likely present in unstable, a bug should be filed to help the
+maintainer to track it.
+
+Lack of CVE entries should not block advisory publication which are
+otherwise ready, but we should strieve to release fully
+cross-referenced advisories nevertheless.
+
Distribution tags
-----------------
Our data is primarily targeted at sid, as we track the version that
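Review bot: The last added paragraph has a typo and a number disagreement: "strieve" should be "strive", and "advisory publication which are otherwise ready" reads better as "publication of advisories which are otherwise ready". In the paragraph after the optipng example, "help the maintainer to track it" can drop the "to". Two documentation gaps in the same section: the text gives an address for the Debian pool (<security@debian.org>) but none for MITRE or the oss-security list, so a reader handling a public issue still has to look those up; and it does not say that XXXX in "CVE-2009-XXXX" is a literal placeholder, nor what happens to the entry in data/CVE/list once a real name is assigned. A sentence on each would make the section self-contained.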
@@ -412,5 +436,4 @@ helps!)
TODO:
document DTSAs
document tsck
-document CVE-XXXX
document tracked tag
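Review bot: Dropping "document CVE-XXXX" from the TODO list looks slightly premature, since the new "CVE assignments" section explains how to add a placeholder entry but not how such an entry is later turned into a real CVE name. Either cover that step in the new section or keep a narrower TODO line for it.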
