Author: fw Date: 2009-02-27 19:17:20 +0000 (Fri, 27 Feb 2009) New Revision: 11279 Modified: doc/narrative_introduction Log: CVE-20yy-XXXX documentation Feel free to edit if necessary. Modified: doc/narrative_introduction ==================================================================--- doc/narrative_introduction 2009-02-27 19:08:32 UTC (rev 11278) +++ doc/narrative_introduction 2009-02-27 19:17:20 UTC (rev 11279) @@ -297,6 +297,30 @@ NOTE: Bug was introduced in a patch to squid-2.5.STABLE10, NOTE: this patch was never applied to the Debian package. +CVE assignments +--------------- + +Debian can only assign CVE names from its own pool for issues which +are not public. To request a CVE from the Debian pool, write to +<security at debian.org> and include a description which follows CVE +conventions. To request a CVE for public issues, write to MITRE and +possibly to the moderated oss-security list. In the meantime, you can +add an entry of the form + +CVE-2009-XXXX [optipng array overflow] + - optipng 0.6.2.1-1 (low) + NOTE: http://secunia.com/advisories/34035/ + +in the data/CVE/list file. It is desirable to include references +which uniquely identify the issue, such as a permanent link to an +entry in the upstream bug tracker, or a bug in the Debian BTS. If the +issue is likely present in unstable, a bug should be filed to help the +maintainer to track it. + +Lack of CVE entries should not block advisory publication which are +otherwise ready, but we should strieve to release fully +cross-referenced advisories nevertheless. + Distribution tags ----------------- Our data is primarily targeted at sid, as we track the version that @@ -412,5 +436,4 @@ TODO: document DTSAs document tsck -document CVE-XXXX document tracked tag
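Review bot: In the "CVE assignments" hunk, the text says what to add "in the meantime" (a `CVE-2009-XXXX [optipng array overflow]` placeholder entry in data/CVE/list) but never says what to do once MITRE or the Debian pool returns a real name; add a sentence stating that the placeholder entry must be renamed to the assigned CVE id rather than left in place next to a new entry, since otherwise the file ends up with two records for one issue. Two smaller points in the same hunk: the paragraph tells the reader to "write to MITRE" but, unlike the Debian pool (`<security at debian.org>`), gives no contact address or form for that request, so a reader cannot act on it as written; and the prose in the last paragraph needs fixing, "strieve" should be "strive" and "advisory publication which are otherwise ready" should read "publication of advisories which are otherwise ready". The example entry also cites a Secunia advisory as its only reference while the following paragraph asks for references that uniquely identify the issue, such as an upstream bug tracker or Debian BTS link; an example that follows its own advice would be clearer.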
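Review bot: The TODO hunk drops "document CVE-XXXX", but the removed item referred to the bare placeholder form `CVE-XXXX`, while the new section only shows the year-qualified form `CVE-2009-XXXX` and the commit message uses a third spelling, `CVE-20yy-XXXX`; before closing the TODO, state in the new section which placeholder form is the one to use in data/CVE/list, so the three spellings do not survive as competing conventions.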