Author: micah Date: 2006-03-14 16:46:53 +0000 (Tue, 14 Mar 2006) New Revision: 3614 Modified: doc/narrative_introduction Log: Made more clear DSA cross-reference info Modified: doc/narrative_introduction ==================================================================--- doc/narrative_introduction 2006-03-14 16:40:44 UTC (rev 3613) +++ doc/narrative_introduction 2006-03-14 16:46:53 UTC (rev 3614) 
@@ -297,19 +297,28 @@ [sarge] - unzip 5.52-1sarge2 NOTE: fixed in testing at time of DSA -The first line tracks the date, when a DSA was issued, the DSA identifier, -the affected source package and the type of vulnerability. -The second line performs a cross-reference to the entry in CVE/list that -maintains the state of the vulnerability in sid. Every entry that is -added like this to DSA/list is parsed by a script and automatically added -to CVE/list, so there''s no need to add references to the CVE list manually -(although you could). -The next lines contain the fixes for stable and optionally oldstable, addressed -with distribution tags. -You may add NOTE: entries freely, we use a NOTE entry for statistical purposes -that tracks, when a fix has reached testing relative to the time when it hit -stable. +The first line tracks the date, when a DSA was issued, the DSA +identifier, the affected source package and the type of vulnerability. +The second line performs a cross-reference to the entry in CVE/list +that maintains the state of the vulnerability in sid. Every entry that +is added like this to DSA/list is parsed by a script and automatically +added to CVE/list. The next lines contain the fixes for stable and +optionally oldstable, addressed with distribution tags. You may add +NOTE: entries freely, we use a NOTE entry for statistical purposes +that tracks, when a fix has reached testing relative to the time when +it hit stable. +Once an entry has been added to DSA/list, a cross-reference should be +added to CVE/list, an example based on the above DSA follows: + +CVE-2005-2475 (Race condition in Unzip 5.52 allows local users to modify permissions ...) + {DSA-903-1} + - unzip 5.52-4 (bug #321927; low) + +It is unnecessary to add [sarge] or [woody] entries to CVE/list when +there is a DSA cross-reference. However, they should be added if there +is a ''no-dsa'' or ''not-affected'' condition. 
+ The bin/dsa2list script can be used to generate a template for a new DSA entry once the official DSA is published on the web. You should not blindly trust the script output and double-check it, though.
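Review bot: The rewritten first paragraph still says every DSA/list entry "is parsed by a script and automatically added to CVE/list", while the new paragraph directly after it says a cross-reference "should be added to CVE/list", so a reader cannot tell whether the {DSA-903-1} line is written by the script or by hand. The old clause "no need to add references to the CVE list manually" is dropped here, so state in one place which it is, for instance by saying what the script adds and what the editor still has to add. The last new paragraph names the ''no-dsa'' and ''not-affected'' conditions for [sarge] or [woody] entries without showing one; a sample line for each in the CVE/list example would make the rule checkable. Minor: "added to CVE/list, an example based on the above DSA follows:" is a comma splice and reads better as two sentences.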