author | Micah Anderson <micah@debian.org> | 2006-03-14 16:46:53 +0000 |
---|---|---|
committer | Micah Anderson <micah@debian.org> | 2006-03-14 16:46:53 +0000 |
commit | f284ed6f136a5af8d37fd3d8275a34a1c130b947 | |
tree | a403bcf962815805541d5b6e8205ce0f7f3ea2d5 /doc | |
parent | 9672786b5c7d7b397f3924a0cdc4015aa46a27e1 |
Made more clear DSA cross-reference info
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@3614 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'doc')
-rw-r--r-- | doc/narrative_introduction | 33 |
1 files changed, 21 insertions, 12 deletions
diff --git a/doc/narrative_introduction b/doc/narrative_introduction index b517af82c8..55178605af 100644 --- a/doc/narrative_introduction +++ b/doc/narrative_introduction 
@@ -297,18 +297,27 @@ entry for a DSA looks like this: [sarge] - unzip 5.52-1sarge2 NOTE: fixed in testing at time of DSA -The first line tracks the date, when a DSA was issued, the DSA identifier, -the affected source package and the type of vulnerability. -The second line performs a cross-reference to the entry in CVE/list that -maintains the state of the vulnerability in sid. Every entry that is -added like this to DSA/list is parsed by a script and automatically added -to CVE/list, so there's no need to add references to the CVE list manually -(although you could). -The next lines contain the fixes for stable and optionally oldstable, addressed -with distribution tags. -You may add NOTE: entries freely, we use a NOTE entry for statistical purposes -that tracks, when a fix has reached testing relative to the time when it hit -stable. +The first line tracks the date, when a DSA was issued, the DSA +identifier, the affected source package and the type of vulnerability. +The second line performs a cross-reference to the entry in CVE/list +that maintains the state of the vulnerability in sid. Every entry that +is added like this to DSA/list is parsed by a script and automatically +added to CVE/list. The next lines contain the fixes for stable and +optionally oldstable, addressed with distribution tags. You may add +NOTE: entries freely, we use a NOTE entry for statistical purposes +that tracks, when a fix has reached testing relative to the time when +it hit stable. + +Once an entry has been added to DSA/list, a cross-reference should be +added to CVE/list, an example based on the above DSA follows: + +CVE-2005-2475 (Race condition in Unzip 5.52 allows local users to modify permissions ...) + {DSA-903-1} + - unzip 5.52-4 (bug #321927; low) + +It is unnecessary to add [sarge] or [woody] entries to CVE/list when +there is a DSA cross-reference. However, they should be added if there +is a 'no-dsa' or 'not-affected' condition. 
The bin/dsa2list script can be used to generate a template for a new DSA entry once the official DSA is published on the web. You should |
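Review bot: The rewritten first paragraph keeps the sentence "Every entry that is added like this to DSA/list is parsed by a script and automatically added to CVE/list", but the new paragraph right after it says "a cross-reference should be added to CVE/list", so the text now tells the reader both that the script adds the reference and that the editor should. The removed clause "so there's no need to add references to the CVE list manually (although you could)" was what reconciled the two. Suggest stating explicitly whether the {DSA-...} line in CVE/list is written by hand or generated by the script, and rewording or dropping the "automatically added" sentence to match. Separately, the re-wrapping of the otherwise unchanged sentences hides the real change in this hunk; doing the reflow in its own commit would make the content change easier to review.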