<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/dtd/glsa.dtd,v 1.17 2008/04/04 17:04:39 neysx Exp $ -->
<!--
  Element:     glsa
  Description: Root element of an advisory. The children have to appear
               in exactly the order given by the content model: bug and
               metadata may repeat, access, background and license are
               optional, every other child occurs exactly once.
  Attribute:   @id (required): identifier of the advisory. It is plain
               CDATA, so the DTD does not check its format.
  Note:        This DTD checks structure only. Dates, bug numbers,
               versions and links are untyped text and have to be
               validated by whatever consumes the advisory.
-->
<!ELEMENT glsa (title, synopsis, product, announced, revised, bug*,
                access?, affected, background?, description, impact,
                workaround, resolution, references, license?, metadata*)>
<!ATTLIST glsa id CDATA #REQUIRED>

<!--
  Element:     title
  Description: Short headline for the advisory, about 4-5 words
  Example:     <title>Buffer overflow vulnerability found in openssl-0.9.5</title>
-->
<!ELEMENT title (#PCDATA)>

<!--
  Element:     synopsis
  Description: Brief, to-the-point summary of the GLSA
  Example:     <synopsis>
                 rsync has an exploitable buffer overflow that can lead to
                 remote compromise
               </synopsis>
-->
<!ELEMENT synopsis (#PCDATA)>

<!--
  Element:     product
  Description: Defines what type of security announcement this is. The
               element text contains one keyword that defines the issue.
  Attribute:   @type (required), one of:
                 ebuild          A Portage-provided ebuild has a security
                                 issue
                 informational   This GLSA is purely informational, no
                                 Gentoo system is affected
                 infrastructure  The security issue involves the Gentoo
                                 infrastructure
               All type values except 'ebuild' are considered deprecated.
  Example:     <product type="ebuild">openssl</product>
  Example:     <product type="infrastructure">rsync mirror</product>
-->
<!ELEMENT product (#PCDATA)>
<!ATTLIST product
          type (ebuild|infrastructure|informational) #REQUIRED>

<!--
  Element:     announced
  Description: Date on which the advisory is publicised, written as
               "YYYY-mm-dd". The content is plain #PCDATA, so the format
               is a convention that a consumer has to check itself.
  Example:     <announced>2003-11-20</announced>
-->
<!ELEMENT announced (#PCDATA)>

<!--
  Element:     revised
  Description: Date of the last revision of the GLSA
  Attribute:   @count: number of revisions. The DTD supplies "01" when
               the attribute is left out.
  Example:     <revised count="02">2003-11-20</revised>
-->
<!ELEMENT revised (#PCDATA)>
<!ATTLIST revised count CDATA "01">

<!--
  Element:     bug
  Description: Number of the matching bug on bugs.gentoo.org, if any.
               The content is #PCDATA; the DTD does not require it to be
               numeric.
  Occurrence:  zero or more times
  Example:     <bug>34200</bug>
-->
<!ELEMENT bug (#PCDATA)>

<!--
  Element:     access
  Description: Type of access that is necessary to exploit the security
               issue. The element should only be used when
               product@type = 'ebuild'; a DTD cannot express that
               condition, so it is not checked during validation.
  Occurrence:  at most once
  Example:     <access>Remote</access>
-->
<!ELEMENT access (#PCDATA)>

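<!--
  Element:     affected
  Description: Describes what the affected subjects are.

               If product@type = 'ebuild', the child elements are
               'package'
               If product@type = 'infrastructure', the child elements are
               'service'

  Note:        This comment also used to name a product@type of 'portage'
               (child elements: 'package'). That value is not among the
               types the product ATTLIST declares, so a validated
               advisory cannot carry it.
  Note:        The content model accepts packages or services, never a
               mix of both, and it also accepts an empty element. The
               link to product@type is a convention that the DTD does not
               enforce; a consumer has to check it.
-->
<!ELEMENT affected (package*|service*)>
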
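<!--
  Element:     package
  Description: Provides all necessary information regarding an affected
               package: the affected architectures, whether automatic
               updates can be done, and the vulnerable and unaffected
               versions.

  Attribute:   @name (required): the package; the example below uses the
               category/name form
  Attribute:   @auto (required): either "yes" or "no"; tells Portage that
               the package can be updated automatically (to be
               implemented) without further user interaction
  Attribute:   @arch (required): either the architecture (as used by
               ACCEPT_KEYWORDS) or the "*" value (in case all
               architectures are affected)

  Note:        Earlier text described an "update" attribute containing
               the path to the non-vulnerable version of the package. The
               ATTLIST below declares no such attribute, so a validating
               parser rejects it; fixed versions are given through
               'unaffected' children.
  Note:        name and arch are CDATA, so the DTD accepts any string. A
               consumer that acts on them, in particular together with
               auto="yes", has to check the values itself.

  Occurrence:  zero or more times
  Example:     <package name="dev-libs/openssl" auto="yes" arch="*">
                 <vulnerable range="lt">0.9.6k</vulnerable>
                 <unaffected range="gt">0.9.6k</unaffected>
               </package>
               If lt and gt are strict comparisons, version 0.9.6k itself
               matches neither range in this example; use le or ge when
               the boundary version has to be classified.
-->
<!ELEMENT package (vulnerable|unaffected)*>
<!ATTLIST package
          name CDATA    #REQUIRED
          auto (yes|no) #REQUIRED
          arch CDATA    #REQUIRED>
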
<!--
  Element:     vulnerable
  Description: Version of the vulnerable package; can also describe a
               range of versions
  Attribute:   @range (required): how the version in the element text is
               compared
  Attribute:   @slot: the DTD supplies "*" when the attribute is left out
-->
<!ELEMENT vulnerable (#PCDATA)>
<!ATTLIST vulnerable
          range (le|lt|eq|gt|ge|rlt|rle|rgt|rge) #REQUIRED
          slot  CDATA                            "*">

<!--
  Element:     unaffected
  Description: Version of the fixed (or unaffected) package. When the
               package is superseded by another package, that package
               has to be given in the "name" attribute.

               The r* range values are revision-specific. For instance,
               rge foo-1.2.3-r4 == >=foo-1.2.3-r4 && <foo-1.2.4

  Attribute:   @range (required)
  Attribute:   @slot: the DTD supplies "*" when the attribute is left out
  Attribute:   @name (optional): the superseding package
  Example:     <unaffected range="gt" name="foobar">2.0.0</unaffected>
-->
<!ELEMENT unaffected (#PCDATA)>
<!ATTLIST unaffected
          range (le|lt|eq|gt|ge|rlt|rle|rgt|rge) #REQUIRED
          slot  CDATA                            "*"
          name  CDATA                            #IMPLIED>

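<!--
  Element:     service
  Description: Provides information about the Gentoo services that are
               affected by the security advisory. Portage must be able
               to parse this information to make decisions (for instance,
               ignore an rsync server or a certain distfiles mirror).

  Attribute:   @type (required): one of "rsync", "web", "mirror"
  Attribute:   @fixed (optional): "yes" or "no", denoting whether the
               problem has been solved. A missing attribute is meant to
               be read as "no". It is declared #IMPLIED, so the parser
               reports it as absent and the consumer has to apply that
               default itself.

  Note:        The element text is an unconstrained string. Because it
               can decide which server or mirror gets ignored, a consumer
               should match it against the sources it has configured
               instead of trusting it as written.

  Occurrence:  zero or more times
  Example:     <service type="rsync">rsync://rsync.someserver.tld/gentoo-portage</service>
-->
<!ELEMENT service (#PCDATA)>
<!ATTLIST service
          type  (rsync|web|mirror) #REQUIRED
          fixed (yes|no)           #IMPLIED>
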
<!--
  Element:     uri
  Description: Link to the organisation involved in releasing the advisory
  Attribute:   @link (optional): target of the link. It is plain CDATA,
               so any string validates; a renderer that turns it into a
               hyperlink should accept only the URL schemes it expects.
  Occurrence:  zero or more times
  Example:     <uri link="http://www.cert.org">CERT</uri>
-->
<!ELEMENT uri (#PCDATA)>
<!ATTLIST uri
          link CDATA #IMPLIED>

<!--
  Element:     mail
  Description: Mail address of the people involved in releasing the
               advisory
  Attribute:   @link (required): the address, as in the example below
  Occurrence:  zero or more times
  Example:     <mail link="some@person.com">Some Person</mail>
-->
<!ELEMENT mail (#PCDATA)>
<!ATTLIST mail
          link CDATA #REQUIRED>

<!--
  Element:     p
  Description: Plain text
  Occurrence:  The "p" element can occur zero or more times. Besides text
               it can contain links (uri) or addresses (mail), and the
               inline elements b, i and br.
  Example:     <p>Please update your system</p>
-->
<!ELEMENT p (#PCDATA | mail | uri | b | i | br)*>

<!--
  Element:     code
  Description: Holds text whose whitespace should be preserved, which
               makes it useful for code listings or commands
  Example:     <code>emerge sync</code>
-->
<!ELEMENT code (#PCDATA)>

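<!--
  Element:     background
  Description: Provides a background of the affected package(s)/service(s)

               The text is placed in "<p>" children. The content model
               also admits "<ul>" and "<ol>" lists, so the element is not
               limited to "<p>"s.
-->
<!ELEMENT background (p|ul|ol)*>
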
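<!--
  Element:     description
  Description: Provides a description about the security issue

               The text is placed in "<p>" children. The content model
               also admits "<ul>", "<ol>" and "<code>", so the element is
               not limited to "<p>"s.
-->
<!ELEMENT description (p|ul|ol|code)*>
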
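<!--
  Element:     impact
  Description: Provides information about the impact that the security
               issue can have

               The text is placed in "<p>" children; the content model
               also admits "<ul>" and "<ol>" lists.

  Attribute:   @type (required): a short term, such as
               "Denial of Service", "Buffer Overflow", ...
               type is an attribute of impact, not a child element, and
               it is free-form CDATA.
-->
<!ELEMENT impact (p|ul|ol)*>
<!ATTLIST impact
          type CDATA #REQUIRED>
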
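<!--
  Element:     workaround
  Description: Provides information about how the security issue can be
               (temporarily) resolved through a work-around

               The "workaround" element contains "<p>"s and "<code>"s;
               the content model also admits "<ul>" and "<ol>" lists.
-->
<!ELEMENT workaround (p|code|ul|ol)*>
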
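<!--
  Element:     resolution
  Description: Provides information about how the security issue can be
               resolved.

               The "resolution" element contains "<p>"s and "<code>"s;
               the content model also admits "<ul>" and "<ol>" lists.
-->
<!ELEMENT resolution (p|code|ul|ol)*>
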
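<!--
  Element:     references
  Description: Provides links to resources / references available online.

               The "references" element contains only "<uri>"s, and it
               may be empty.
-->
<!ELEMENT references (uri*)>
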
<!--
  Element:     ul
  Description: An unnumbered listing; its only permitted children are
               <li> elements
-->
<!ELEMENT ul (li*)>

<!--
  Element:     ol
  Description: A numbered listing; its only permitted children are
               <li> elements
-->
<!ELEMENT ol (li*)>

<!--
  Element:     li
  Description: One entry of a listing; text only
  Example:     <ul>
                 <li>This is element one</li>
                 <li>This is a second element</li>
               </ul>
-->
<!ELEMENT li (#PCDATA)>

<!--
  Element:     b
  Description: Bold text
  Example:     <b>this is bold</b>
-->
<!ELEMENT b (#PCDATA)>

<!--
  Element:     i
  Description: Input text (blue), i.e. something the user types
  Example:     The user has to type in <i>ls</i> to see.
-->
<!ELEMENT i (#PCDATA)>

<!--
  Element:     br
  Description: Hard line break
  Example:     And then: <br/>
               KABLAM!
  Note:        The element is declared as #PCDATA, so the DTD would also
               accept text inside it; the intended form is the empty
               element shown in the example.
-->
<!ELEMENT br (#PCDATA)>

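<!--
  Element:     license
  Description: Add license information. The element carries no content.
  Example:     <license/>
  Note:        The EMPTY keyword has to be written without parentheses.
               Inside parentheses it is read as a content model that
               requires one child element named "EMPTY", which makes
               the documented form <license/> fail validation.
-->
<!ELEMENT license EMPTY>
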
<!--
  Element:     metadata
  Description: Metadata information for GLSAMaker
  Attribute:   @tag (required); @revision, @author and @timestamp are
               optional. All four are free-form CDATA.
  Example:     <metadata tag="approved">Level 1</metadata>

  On request of plasmaroo, metadata can contain all elements again.
  NOTE(review): the content model as declared admits text and nested
  metadata elements only; confirm which of the two is intended.
-->
<!ELEMENT metadata (#PCDATA | metadata)*>
<!ATTLIST metadata
          tag       CDATA #REQUIRED
          revision  CDATA #IMPLIED
          author    CDATA #IMPLIED
          timestamp CDATA #IMPLIED>