author: Salvatore Bonaccorso <carnil@debian.org> 2014-06-28 07:59:59 +0000
committer: Salvatore Bonaccorso <carnil@debian.org> 2014-06-28 07:59:59 +0000
commit: d600ac6daa0da1774bbe17e66c047c912e4d985f (patch)
tree: 2f0b6b243203ad07e2d92029ce6770bcff3ec667 /doc/security-team.d.o/security_tracker
parent: b9a84534554bc3881126f7a9314ff765810d051b (diff)
Indent to the position used in the file
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@27515 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'doc/security-team.d.o/security_tracker')
-rw-r--r--  doc/security-team.d.o/security_tracker  62
1 files changed, 31 insertions, 31 deletions
diff --git a/doc/security-team.d.o/security_tracker b/doc/security-team.d.o/security_tracker
index 1275353307..b2232c450e 100644
--- a/doc/security-team.d.o/security_tracker
+++ b/doc/security-team.d.o/security_tracker
@@ -130,7 +130,7 @@ technically the code is not present in Debian.
Example:
CVE-2005-3018 (Apple Safari allows remote attackers to cause a denial of service ...)
- NOT-FOR-US: Safari
+ NOT-FOR-US: Safari
Before marking a package NFU, the following should be done:
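Review bot: as rendered here the removed and added `NOT-FOR-US: Safari` lines differ only in leading whitespace, so this hunk (and every hunk in the patch) is an indentation-only change; before merging, confirm with `git diff -w` that no non-whitespace byte changed, and consider naming the target indentation column in the commit message so later edits to the examples follow the same convention.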
@@ -168,7 +168,7 @@ Debian version that fixes it and assign a severity level to it, for
example:
CVE-2005-2596 (User.php in Gallery, as used in Postnuke, allows users with any Admin ...)
- - gallery 1.5-2 (medium)
+ - gallery 1.5-2 (medium)
Even if the CVE description mentions it is fixed as of a particular
version, double-check the Debian package yourself (because sometimes
@@ -180,8 +180,8 @@ about the issue, and if not, file one and then note it in the list
(again with a severity level):
CVE-2005-3054 (fopen_wrappers.c in PHP 4.4.0, and possibly other versions, does not ...)
- - php4 <unfixed> (bug #353585; medium)
- - php5 <unfixed> (bug #353585; medium)
+ - php4 <unfixed> (bug #353585; medium)
+ - php5 <unfixed> (bug #353585; medium)
Bug numbers can be added as in the example above. To avoid duplicate bugs,
`bug filed` can be added instead of `bug #123456` when the bug report has
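Review bot: the surrounding text uses Markdown conventions (`###` headings, backtick spans, a `[...](http://...)` link elsewhere in the file), so the indentation of example blocks like the `php4`/`php5` lines here decides whether they render as code; after re-indenting, check that each example still renders as an indented code block rather than being merged into the preceding paragraph.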
@@ -212,7 +212,7 @@ If a vulnerability does not affect Debian, e.g. because the vulnerable
code is not contained, it is marked as <not-affected>:
CVE-2004-2628 (Multiple directory traversal vulnerabilities in thttpd 2.07 beta 0.4, ...)
- - thttpd <not-affected> (Windows-specific vulnerabilities)
+ - thttpd <not-affected> (Windows-specific vulnerabilities)
`<not-affected>` is also used if a vulnerability was fixed before a
package was uploaded into the Debian archive.
@@ -237,9 +237,9 @@ to come back and revisit the issue. An example undetermined
entry is:
CVE-2011-2351 (Use-after-free vulnerability in Google Chrome before 12.0.742.112 ...)
- - chromium-browser 12.0.742.112~r90304-1
- - webkit <undetermined>
- NOTE: webkit commit #123456
+ - chromium-browser 12.0.742.112~r90304-1
+ - webkit <undetermined>
+ NOTE: webkit commit #123456
The list of all of currently undetermined issues is aggregated [by the tracker](http://security-tracker.debian.org/tracker/status/undetermined).
This is a good place for new contributors to get started since these
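Review bot: the re-indented `NOTE: webkit commit #123456` line carries an obviously made-up commit id; since this section is explicitly aimed at new contributors, it would help to mark the value as a placeholder in the text so nobody copies it as a real reference.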
@@ -260,7 +260,7 @@ tracking standpoint) there is no advantage in tracking them in separate ways.
An example entry for an ITP/RFP package is:
CVE-2004-2525 (Cross-site scripting (XSS) vulnerability in compat.php in Serendipity ...)
- - serendipity <itp> (bug #312413)
+ - serendipity <itp> (bug #312413)
### Reserved entries
@@ -271,7 +271,7 @@ assign to problems that are detected in their products. Such entries
are marked as `RESERVED` in the tracker:
CVE-2005-1432
- RESERVED
+ RESERVED
### Rejected entries
@@ -280,7 +280,7 @@ mistakes or non-issues. These items are reverted and turned into `REJECTED`
entries:
CVE-2005-4129
- REJECTED
+ REJECTED
### <a id="removed">Removed packages</a>
@@ -290,7 +290,7 @@ it needs to be removed from the archive entirely. This is tracked with
the `<removed>` tag:
CVE-2005-1435 (Open WebMail (OWM) before 2.51 20050430 allows remote authenticated ...)
- - openwebmail <removed>
+ - openwebmail <removed>
Also note that it is sufficient to mark a package as removed in unstable.
The tracker is aware of which package is present in which distribution
@@ -319,10 +319,10 @@ Packages which are not anymore supported by the security team in a
(old-)stable release are marked with the end-of-life tag:
CVE-2011-3973 (cavsdec.c in libavcodec in FFmpeg before 0.7.4 and 0.8.x before 0.8.3 ...)
- {DSA-2336-1}
- - libav 4:0.7.1-7 (bug #641478)
- - ffmpeg <removed>
- - ffmpeg-debian <end-of-life>
+ {DSA-2336-1}
+ - libav 4:0.7.1-7 (bug #641478)
+ - ffmpeg <removed>
+ - ffmpeg-debian <end-of-life>
#### <a id="NoteTodo">`NOTE` and `TODO` entries</a>
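Review bot: this example mixes a `{DSA-2336-1}` reference line with package lines, and the DSA-entry example re-indented in the `@@ -497` hunk below has the same shape; make sure both hunks put the `{...}` line and the `- package` lines at the same column so the two examples document one consistent layout.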
@@ -333,16 +333,16 @@ time. These entries can have their TODO line changed to something
descriptive so that it is clear what remains to be done. For example:
CVE-2005-3990 (Directory traversal vulnerability in FastJar 0.93 allows remote ...)
- TODO: check, whether fastjar from the gcc source packages is affected
+ TODO: check, whether fastjar from the gcc source packages is affected
If you are not sure about some decision (e.g. which package is affected) or
triaging (e.g. bug severity) you can leave a TODO note for reviewing,
explaining which aspect have to be reviewed. For example:
CVE-2013-7295 (Tor before 0.2.4.20, when OpenSSL 1.x is used in ...)
- - tor 0.2.4.20-1 (low)
- [wheezy] - tor <no-dsa> (Minor issue)
- TODO: review, severity. The exploitation scenario is too complicated.
+ - tor 0.2.4.20-1 (low)
+ [wheezy] - tor <no-dsa> (Minor issue)
+ TODO: review, severity. The exploitation scenario is too complicated.
It is also useful to add information to issues as you find it, so that
when others go to look at an issue and want to know why you marked it
@@ -353,9 +353,9 @@ because the issue was introduced in a patch that was never applied to
the Debian package:
CVE-2005-3258 (The rfc1738_do_escape function in ftp.c for Squid 2.5 STABLE11 and ...)
- - squid <not-affected> (bug #334882; medium)
- NOTE: Bug was introduced in a patch to squid-2.5.STABLE10,
- NOTE: this patch was never applied to the Debian package.
+ - squid <not-affected> (bug #334882; medium)
+ NOTE: Bug was introduced in a patch to squid-2.5.STABLE10,
+ NOTE: this patch was never applied to the Debian package.
Severity levels
---------------
@@ -408,8 +408,8 @@ To request a CVE for public issues, you can
In the meantime, you can add an entry of the form
CVE-2009-XXXX [optipng array overflow]
- - optipng 0.6.2.1-1 (low)
- NOTE: http://secunia.com/advisories/34035/
+ - optipng 0.6.2.1-1 (low)
+ NOTE: http://secunia.com/advisories/34035/
It is desirable to include references
which uniquely identify the issue, such as a permanent link to an
@@ -441,8 +441,8 @@ Distribution tags can be used to denote information about a vulnerability
for the version of a package in a specific release. An example:
CVE-2005-3974 (Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3, when running on ...)
- - drupal 4.5.6-1 (low)
- [sarge] - drupal <not-affected> (Only vulnerable if running PHP 5)
+ - drupal 4.5.6-1 (low)
+ [sarge] - drupal <not-affected> (Only vulnerable if running PHP 5)
Drupal has been fixed since 4.5.6, however Drupal from Sarge still isn't
vulnerable as the vulnerability is only effective when run under PHP 5,
@@ -497,10 +497,10 @@ of security problems for the stable and oldstable distribution. An
entry for a DSA looks like this:
[21 Nov 2005] DSA-903-1 unzip - race condition
- {CVE-2005-2475}
- [woody] - unzip 5.50-1woody4
- [sarge] - unzip 5.52-1sarge2
- NOTE: fixed in testing at time of DSA
+ {CVE-2005-2475}
+ [woody] - unzip 5.50-1woody4
+ [sarge] - unzip 5.52-1sarge2
+ NOTE: fixed in testing at time of DSA
The first line tracks the date, when a DSA was issued, the DSA
identifier, the affected source package and the type of vulnerability.
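Review bot: no issue with the whitespace change itself, but the unchanged context line "The first line tracks the date, when a DSA was issued, the DSA identifier, ..." has a stray comma after "date"; since this commit already touches the block, dropping that comma in the same change would be cheap.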
