From 4ee3739e9446d67882174608bc0f7103e8f423ef Mon Sep 17 00:00:00 2001 From: Raphael Geissert Date: Mon, 16 Oct 2017 10:23:49 +0000 Subject: corrections related to CVE id requests and an obsolete note git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@56743 e39458fd-73e7-0310-bf30-c45bca0a0e42 --- doc/security-team.d.o/security_tracker | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'doc') diff --git a/doc/security-team.d.o/security_tracker b/doc/security-team.d.o/security_tracker index 8fe33970ae..4911eef0b9 100644 --- a/doc/security-team.d.o/security_tracker +++ b/doc/security-team.d.o/security_tracker @@ -441,9 +441,8 @@ their importance. ### Vulnerabilities without an assigned CVE id -If you learn of a vulnerability to which no CVE id has been assigned yet, you can request one. -To request a CVE for public issues, you can -[write to the moderated oss-security list](https://github.com/RedHatProductSecurity/CVE-HOWTO). +If you learn of a vulnerability to which no CVE id has been assigned yet, you can +[request one](https://github.com/RedHatProductSecurity/CVE-HOWTO). In the meantime, you can add an entry of the form CVE-2009-XXXX [optipng array overflow] @@ -468,6 +467,10 @@ are not public. To request a CVE from the Debian pool, write to and include a description which follows CVE conventions. +The vulnerabilities must be announced at a later point. This is a +requirement by MITRE and can be fulfilled by, for instance, sending an +announcement to the [oss-security mailing list](glossary.html#oss-sec). + Distribution tags ----------------- 
@@ -549,9 +552,7 @@ that maintains the state of the vulnerability in sid. Every entry that is added like this to `DSA/list` is parsed by a script and automatically added to `CVE/list`. The next lines contain the fixes for stable and optionally oldstable, addressed with distribution tags. You may add -`NOTE:` entries freely, we use a `NOTE` entry for statistical purposes -that tracks when a fix has reached testing relative to the time when -it hit stable. +`NOTE:` entries freely. There is no need to add anything to `CVE/list` for a DSA, the DSA cross-reference will be added automatically by the cron job. However, -- cgit v1.2.3
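Review bot: In the hunk at `@@ -441,9 +441,8 @@`, the rewrite drops the qualifier that the CVE-HOWTO / oss-security route is for public issues, while the context at `@@ -468` still separates issues that "are not public" (Debian pool). Without that qualifier a reader could follow the "request one" link for an embargoed issue and post it to a public list. Suggest keeping the distinction, e.g. "If you learn of a public vulnerability to which no CVE id has been assigned yet, you can [request one](https://github.com/RedHatProductSecurity/CVE-HOWTO)."

Review bot: In the hunk at `@@ -468,6 +467,10 @@`, the added paragraph says the vulnerabilities "must be announced at a later point" without saying what triggers the announcement or who is responsible; state the condition (for example, once the fix is published) so the MITRE requirement is actionable rather than open-ended. Also, the context line "To request a CVE from the Debian pool, write to and include a description" has no recipient between "write to" and "and include" as rendered here, which looks like an address lost to markup rendering; worth checking the source file.

Review bot: In the hunk at `@@ -549,9 +552,7 @@`, after the statistical-purposes sentence is removed, "You may add `NOTE:` entries freely." no longer tells the reader what a `NOTE:` entry in `DSA/list` is for or whether the cron job parses it; since the removed text is what explained that, a short replacement (for instance that `NOTE:` lines are free-form and ignored by the script that feeds `CVE/list`, if that is the case) would keep the section self-contained.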