From e1513381fc57ef34df8600989257322cfed0b167 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Fri, 27 Feb 2009 19:17:20 +0000 Subject: CVE-20yy-XXXX documentation Feel free to edit if necessary. git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@11279 e39458fd-73e7-0310-bf30-c45bca0a0e42 --- doc/narrative_introduction | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) (limited to 'doc/narrative_introduction') diff --git a/doc/narrative_introduction b/doc/narrative_introduction index aa06eb4ef0..3d154265c4 100644 --- a/doc/narrative_introduction +++ b/doc/narrative_introduction @@ -297,6 +297,30 @@ STABLE11 and ...) NOTE: Bug was introduced in a patch to squid-2.5.STABLE10, NOTE: this patch was never applied to the Debian package. +CVE assignments +--------------- + +Debian can only assign CVE names from its own pool for issues which +are not public. To request a CVE from the Debian pool, write to + and include a description which follows CVE +conventions. To request a CVE for public issues, write to MITRE and +possibly to the moderated oss-security list. In the meantime, you can +add an entry of the form + +CVE-2009-XXXX [optipng array overflow] + - optipng 0.6.2.1-1 (low) + NOTE: http://secunia.com/advisories/34035/ + +in the data/CVE/list file. It is desirable to include references +which uniquely identify the issue, such as a permanent link to an +entry in the upstream bug tracker, or a bug in the Debian BTS. If the +issue is likely present in unstable, a bug should be filed to help the +maintainer to track it. + +Lack of CVE entries should not block advisory publication which are +otherwise ready, but we should strieve to release fully +cross-referenced advisories nevertheless. + Distribution tags ----------------- Our data is primarily targeted at sid, as we track the version that @@ -412,5 +436,4 @@ helps!) TODO: document DTSAs document tsck -document CVE-XXXX document tracked tag
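Review bot: in the first hunk (the new "CVE assignments" section) the contact address for requesting a CVE from the Debian pool is missing: "write to + and include a description which follows CVE conventions" has an empty gap where the mailing address belongs, so the instruction cannot be followed as written; add the address (or a pointer to where it is published). The same hunk has two wording defects in its last paragraph: "strieve" should be "strive", and "should not block advisory publication which are otherwise ready" should read "should not block publication of advisories which are otherwise ready". Finally, the worked entry cites a Secunia advisory as its only NOTE, while the paragraph right after it recommends references that uniquely identify the issue (an upstream bug tracker link or a Debian BTS bug); either add such a reference to the example or say explicitly that a third-party advisory is an acceptable interim reference until a permanent one exists.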
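Review bot: in the second hunk, dropping "document CVE-XXXX" from the TODO list is consistent with the new section, but the placeholder form is now inconsistent across the change: the subject line uses "CVE-20yy-XXXX", the removed TODO used "CVE-XXXX", and the example entry in the first hunk uses "CVE-2009-XXXX". State once in the new section which placeholder form is expected in data/CVE/list (the example suggests the current year plus XXXX) so that entries are written uniformly and can be located and replaced when the real CVE name is assigned.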