| author | Raphael Geissert <geissert@debian.org> | 2017-10-16 10:23:49 +0000 |
|---|---|---|
| committer | Raphael Geissert <geissert@debian.org> | 2017-10-16 10:23:49 +0000 |
| commit | a002133ac7c75490ec0140d5cf8b7f9b23030331 (patch) | |
| tree | 36c90f32a0ab2ce6d6a33ab941983cf4e3497edc /doc | |
| parent | fd23fded56b32bf4dc2345f7d1302e6c276038fa (diff) | |
corrections related to CVE id requests and an obsolete note
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@56743 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'doc')

| -rw-r--r-- | doc/security-team.d.o/security_tracker | 13 |
|---|---|---|

1 files changed, 7 insertions, 6 deletions
diff --git a/doc/security-team.d.o/security_tracker b/doc/security-team.d.o/security_tracker index 8fe33970ae..4911eef0b9 100644 --- a/doc/security-team.d.o/security_tracker +++ b/doc/security-team.d.o/security_tracker @@ -441,9 +441,8 @@ their importance. ### Vulnerabilities without an assigned CVE id -If you learn of a vulnerability to which no CVE id has been assigned yet, you can request one. -To request a CVE for public issues, you can -[write to the moderated oss-security list](https://github.com/RedHatProductSecurity/CVE-HOWTO). +If you learn of a vulnerability to which no CVE id has been assigned yet, you can +[request one](https://github.com/RedHatProductSecurity/CVE-HOWTO). In the meantime, you can add an entry of the form CVE-2009-XXXX [optipng array overflow] @@ -468,6 +467,10 @@ are not public. To request a CVE from the Debian pool, write to <team@security.debian.org> and include a description which follows CVE conventions. +The vulnerabilities must be announced at a later point. This is a +requirement by MITRE and can be fulfilled by, for instance, sending an +announcement to the [oss-security mailing list](glossary.html#oss-sec). + Distribution tags ----------------- @@ -549,9 +552,7 @@ that maintains the state of the vulnerability in sid. Every entry that is added like this to `DSA/list` is parsed by a script and automatically added to `CVE/list`. The next lines contain the fixes for stable and optionally oldstable, addressed with distribution tags. You may add -`NOTE:` entries freely, we use a `NOTE` entry for statistical purposes -that tracks when a fix has reached testing relative to the time when -it hit stable. +`NOTE:` entries freely. There is no need to add anything to `CVE/list` for a DSA, the DSA cross-reference will be added automatically by the cron job. However, |
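Review bot: in the first hunk (the "Vulnerabilities without an assigned CVE id" section) the replacement loses the information the old text carried, namely that requests for public issues go to the moderated oss-security list; the new link text "[request one]" gives the reader no hint of what the linked CVE-HOWTO describes or which process it applies to. Consider keeping a short qualifier, e.g. "you can [request one](https://github.com/RedHatProductSecurity/CVE-HOWTO) following the CVE-HOWTO (for public issues this normally means writing to the oss-security list)", so the distinction from the non-public path described in the following paragraph stays visible.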
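Review bot: the paragraph added in the second hunk ("The vulnerabilities must be announced at a later point") does not say who is responsible for the announcement or when "later" is relative to the fix, which is the point a reader drawing from the Debian CVE pool needs. Suggest stating it explicitly, e.g. "The requester must announce the vulnerability once it becomes public (for instance when the fix is released); this is a requirement by MITRE ...". Also confirm that `glossary.html#oss-sec` exists as an anchor in the glossary, since the link is relative and will silently 404 otherwise.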
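Review bot: the third hunk drops the sentence explaining that `NOTE` entries in `DSA/list` were used for statistics tracking when a fix reached testing, leaving only "You may add `NOTE:` entries freely." Since the surrounding text says these entries are parsed by a script and copied into `CVE/list`, it would help to state what the script now does with `NOTE:` lines (copied verbatim, or ignored), so readers do not assume free-form notes influence the automated processing; if the statistics script was removed, a brief mention of that in the commit message would make the "obsolete note" claim traceable.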