<!ELEMENT glsa (title,synopsis,product,announced,revised,bug*,access?,affected,background?,description,impact,workaround,resolution,references,license?,metadata*)>
<!ATTLIST glsa id CDATA #REQUIRED>
<!--
Element: title
Description: Provides a 4-5 word description about the advisory
Example: <title>Buffer overflow vulnerability found in openssl-0.9.5</title>
-->
<!ELEMENT title (#PCDATA)>
<!--
Element: synopsis
Description: Small, to-the-point description about the GLSA
Example: <synopsis>
rsync has an exploitable buffer overflow that can lead to
remote compromise
</synopsis>
-->
<!ELEMENT synopsis (#PCDATA)>
<!--
Element: product
Description: Defines what type of security announcement this is.
Valid types are:
- ebuild A Portage-provided ebuild has a security
issue
- informational This GLSA is purely informational, no Gentoo
system is affected
- infrastructure The security issue involves the Gentoo
infrastructure
The text contains one keyword that defines the issue.
Note: All type values but 'ebuild' are considered deprecated.
Example: <product type="ebuild">openssl</product>
Example: <product type="infrastructure">rsync mirror</product>
-->
<!ELEMENT product (#PCDATA)>
<!ATTLIST product type (ebuild|infrastructure|informational) #REQUIRED>
<!--
Element: announced
Description: Date when the advisory is publicised
The format must be "YYYY-mm-dd"
Example: <announced>2003-11-20</announced>
-->
<!ELEMENT announced (#PCDATA)>
<!--
Element: revised
Description: Last revision date of the GLSA
Attribute: @count: number of revisions
Example: <revised count="02">2003-11-20</revised>
-->
<!ELEMENT revised (#PCDATA)>
<!ATTLIST revised count CDATA "01">
<!--
Element: bug
Description: Number of the bug on bugs.gentoo.org, if any
Occurrence: The bug element can occur 0, 1 or more times
Example: <bug>34200</bug>
-->
<!ELEMENT bug (#PCDATA)>
<!--
Element: access
Description: Type of access necessary to exploit the security issue
This element should only be used when product@type = 'ebuild'
Occurrence: The access element can occur 0 or 1 time
Example: <access>Remote</access>
-->
<!ELEMENT access (#PCDATA)>
<!--
Element: affected
Description: Describe what the affected subjects are.
If product@type = 'ebuild', the child elements are 'package'
If product@type = 'portage', the child elements are 'package'
If product@type = 'infrastructure', the child elements are
'service'
-->
<!ELEMENT affected (package*|service*)>
<!--
Element: package
Description: Provides all necessary information regarding the affected
packages. It also contains information about the affected
architectures and whether automatic updates can be done.
The "update" attribute contains the path to the non-vulnerable
version of the package
The "auto" attribute contains either "yes" or "no" and tells
Portage that the package can be updated automatically (to be
implemented) without further user interaction
The "arch" attribute contains either the architecture (as used
by ACCEPT_KEYWORDS) or the "*" value (in case all
architectures are affected)
Occurrence: The package element can occur 0, 1 or more times
Example: <package name="dev-libs/openssl" auto="yes" arch="*">
<vulnerable range="lt">0.9.6k</vulnerable>
<unaffected range="gt">0.9.6k</unaffected>
</package>
-->
<!ELEMENT package (vulnerable|unaffected)*>
<!ATTLIST package name CDATA #REQUIRED
auto (yes|no) #REQUIRED
arch CDATA #REQUIRED>
<!--
Element: vulnerable
Description: Version of the vulnerable package. Can be a range too
-->
<!ELEMENT vulnerable (#PCDATA)>
<!ATTLIST vulnerable range (le|lt|eq|gt|ge|rlt|rle|rgt|rge) #REQUIRED
slot CDATA "*">
<!--
Element: unaffected
Description: Version of the fixed (or unaffected) package. In case the
package is superseded by another package, you need to
define that package using the "name" attribute.
The r* range information is revision-specific. For instance,
rge foo-1.2.3-r4 == >=foo-1.2.3-r4 && <foo-1.2.4
Example:
<unaffected range="gt" name="foobar">2.0.0</unaffected>
-->
<!ELEMENT unaffected (#PCDATA)>
<!ATTLIST unaffected range (le|lt|eq|gt|ge|rlt|rle|rgt|rge) #REQUIRED
slot CDATA "*"
name CDATA #IMPLIED>
<!--
Element: service
Description: Provide information about the Gentoo services that are
affected by the security advisory. Portage must be able
to parse this information to make decisions (for instance,
ignore an rsync server or a certain distfiles mirror).
The type attribute can be one of "rsync", "web", "mirror".
The fixed attribute (denoting if the problem has been solved)
can be one of "yes" or "no". If not used, the default value is
"no".
Occurrence: The service element can occur 0, 1 or more times
Example: <service type="rsync">rsync://rsync.someserver.tld/gentoo-portage</service>
-->
<!ELEMENT service (#PCDATA)>
<!ATTLIST service type (rsync|web|mirror) #REQUIRED
fixed (yes|no) #IMPLIED>
<!--
Element: uri
Description: Link to the organisation involved in releasing the advisory
Occurrence: The uri element can occur 0, 1 or more times
Example: <uri link="http://www.cert.org">CERT</uri>
-->
<!ELEMENT uri (#PCDATA)>
<!ATTLIST uri link CDATA #IMPLIED>
<!--
Element: mail
Description: Mail address of the people involved in releasing the advisory
Occurrence: The mail element can occur 0, 1 or more times
Example: <mail link="some@person.com">Some Person</mail>
-->
<!ELEMENT mail (#PCDATA)>
<!ATTLIST mail link CDATA #REQUIRED>
<!--
Element: p
Description: Plain text
Occurrence: The "p" element can occur 0, 1 or more times and can contain
links or addresses
Example: <p>Please update your system</p>
-->
<!ELEMENT p (#PCDATA|mail|uri|b|i|br)*>
<!--
Element: code
Description: The code element contains text that should preserve whitespace
and is therefore useful for code listings or commands
Example: <code>emerge sync</code>
-->
<!ELEMENT code (#PCDATA)>
<!--
Element: background
Description: Provides a background of the affected package(s)/service(s)
The background element contains only "<p>", "<ul>" and "<ol>"
elements in which the text is placed
-->
<!ELEMENT background (p|ul|ol)*>
<!--
Element: description
Description: Provides a description about the security issue
The description element contains only "<p>", "<ul>", "<ol>" and "<code>" elements.
-->
<!ELEMENT description (p|ul|ol|code)*>
<!--
Element: impact
Description: Provides information about the impact that the security issue
can have
The "impact" element contains only "<p>", "<ul>" and "<ol>" elements.
The type attribute gives a short term, such as
"Denial of Service", "Buffer Overflow", ...
-->
<!ELEMENT impact (p|ul|ol)*>
<!ATTLIST impact type CDATA #REQUIRED>
<!--
Element: workaround
Description: Provides information about how the security issue can be
(temporarily) resolved through a work-around
The "workaround" element contains only "<p>", "<code>", "<ul>" and "<ol>" elements.
-->
<!ELEMENT workaround (p|code|ul|ol)*>
<!--
Element: resolution
Description: Provides information about how the security issue can be
resolved.
The "resolution" element contains only "<p>", "<code>", "<ul>" and "<ol>" elements.
-->
<!ELEMENT resolution (p|code|ul|ol)*>
<!--
Element: references
Description: Provides links to resources / references available online.
The "references" element contains only "<uri>"s.
-->
<!ELEMENT references (uri*)>
<!--
Element: ul
Description: Add an unnumbered listing; can only contain <li>'s
-->
<!ELEMENT ul (li*)>
<!--
Element: ol
Description: Add a numbered listing; can only contain <li>'s
-->
<!ELEMENT ol (li*)>
<!--
Element: li
Description: Element of a listing
Example: <ul>
<li>This is element one</li>
<li>This is a second element</li>
</ul>
-->
<!ELEMENT li (#PCDATA)>
<!--
Element: b
Description: Bold text
Example: <b>this is bold</b>
-->
<!ELEMENT b (#PCDATA)>
<!--
Element: i
Description: Input text (blue)
Example: The user has to type in <i>ls</i> to see.
-->
<!ELEMENT i (#PCDATA)>
<!--
Element: br
Description: hard line break
Example: And then: <br/>
KABLAM!
-->
<!ELEMENT br (#PCDATA)>
<!--
Element: license
Description: Add license information
Example: <license/>
-->
<!ELEMENT license EMPTY>
<!--
Element: metadata
Description: Metadata information for GLSAMaker
Example: <metadata tag="approved">Level 1</metadata>
On request of plasmaroo, metadata can contain all elements again.
-->
<!ELEMENT metadata (#PCDATA|metadata)*>
<!ATTLIST metadata tag CDATA #REQUIRED
revision CDATA #IMPLIED
author CDATA #IMPLIED
timestamp CDATA #IMPLIED>
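The following is an added example, not part of the DTD or of Gentoo's own tooling: it parses a constructed <package> element and evaluates the vulnerable/unaffected range types against an installed version, including the revision-specific r* ranges described above (rge foo-1.2.3-r4 == >=foo-1.2.3-r4 && <foo-1.2.4). It assumes simplified versions (dotted numerics, an optional trailing letter, an optional -rN revision) and ignores the slot attribute.

```python
"""Evaluate GLSA <package> vulnerable/unaffected ranges against an installed version."""
import operator as op
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the DTD's <package> example; not a real advisory.
SAMPLE_PACKAGE = """<package name="dev-libs/openssl" auto="yes" arch="*">
  <vulnerable range="lt">0.9.6k-r2</vulnerable>
  <unaffected range="rge">0.9.6k-r2</unaffected>
  <unaffected range="ge">0.9.7</unaffected>
</package>"""

# Simplified version grammar (assumption): 1.2.3, 0.9.6k, 1.2.3-r4. Real Portage
# versions also allow _pre/_rc/_p suffixes, which are out of scope here.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?$")

OPS = {"lt": op.lt, "le": op.le, "eq": op.eq, "gt": op.gt, "ge": op.ge}


def parse_version(ver):
    """Return (numeric components, letter suffix, revision) for comparison."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError("unsupported version string: %r" % ver)
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, m.group(2), int(m.group(3) or 0)


def in_range(installed, range_type, spec):
    """True if `installed` satisfies `range_type` relative to `spec`.

    Plain ranges compare the full version. r* ranges are revision-specific:
    they match only the same base version and compare the -rN revision, so
    rge 1.2.3-r4 accepts 1.2.3-r5 but not 1.2.4 (the '< foo-1.2.4' part).
    """
    inst, ref = parse_version(installed), parse_version(spec)
    if range_type.startswith("r"):
        if inst[:2] != ref[:2]:  # different base version: outside an r* range
            return False
        return OPS[range_type[1:]](inst[2], ref[2])
    return OPS[range_type](inst, ref)


def is_vulnerable(package_xml, installed):
    """Vulnerable if some <vulnerable> range matches and no <unaffected> range does."""
    pkg = ET.fromstring(package_xml)
    hit = lambda tag: any(in_range(installed, e.get("range"), e.text) for e in pkg.findall(tag))
    return hit("vulnerable") and not hit("unaffected")
```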