<!--
    Element:      glsa
    Description:  Root element of a Gentoo Linux Security Advisory (GLSA).
                  The children must appear in the order given by the content
                  model below. "bug" and "metadata" may repeat; "access",
                  "background" and "license" are optional.
    Attribute:    @id: required identifier of the advisory. It is declared
                  as CDATA, so its format is not checked by this DTD.

    Note:         #PCDATA content and CDATA attributes are not constrained by
                  a DTD. The formats described in the comments of this file
                  (dates, bug numbers, version strings, ...) are therefore
                  not enforced by validation and have to be checked by the
                  tool that consumes the advisory.
-->
<!ELEMENT glsa  (title,synopsis,product,announced,revised,bug*,access?,affected,background?,description,impact,workaround,resolution,references,license?,metadata*)>
<!ATTLIST glsa  id  CDATA   #REQUIRED>

<!--
    Element:      title
    Description:  Provides a 4-5 word description about the advisory
    Example:      <title>Buffer overflow vulnerability found in openssl-0.9.5</title>
-->
<!ELEMENT title  (#PCDATA)>

<!--
    Element:      synopsis
    Description:  Small, to-the-point description about the GLSA

    Example:  <synopsis>
                  rsync has an exploitable buffer overflow that can lead to
                  remote compromise
              </synopsis>
-->
<!ELEMENT synopsis   (#PCDATA)>

<!--
    Element:      product
    Description:  Defines what type of security announcement this is.

                  Valid types are:
                  - ebuild         A Portage-provided ebuild has a security
                                   issue
                  - informational  This GLSA is purely informational, no Gentoo
                                   system is affected
                  - infrastructure The security issue involves the Gentoo
                                   infrastructure

                  The text contains one keyword that defines the issue.
                  Note: All type values but 'ebuild' are considered deprecated.

    Example: <product type="ebuild">openssl</product>
    Example: <product type="infrastructure">rsync mirror</product>
-->
<!ELEMENT product   (#PCDATA)>
<!ATTLIST product   type    (ebuild|infrastructure|informational) #REQUIRED>

<!--
    Element:      announced
    Description:  Date when the advisory is publicised
                  The format must be "YYYY-mm-dd"

    Example: <announced>2003-11-20</announced>
-->
<!ELEMENT announced (#PCDATA)>

<!--
    Element:      revised
    Description:  Last revision date of the GLSA
    Attribute:    @count: number of revisions

    Example: <revised count="02">2003-11-20</revised>
-->
<!ELEMENT revised (#PCDATA)>
<!ATTLIST revised count CDATA "01">

<!--
    Element:      bug
    Description:  Number of the bug on bugs.gentoo.org, if any
    Occurrence:    The bug element can occur 0, 1 or more times

    Example: <bug>34200</bug>
-->
<!ELEMENT bug       (#PCDATA)>

<!--
    Element:      access
    Description:  Type of access necessary to exploit the security issue
                  This element should only be used when product@type = 'ebuild'
    Occurrence:    The access element can occur 0 or 1 time

    Example: <access>Remote</access>
-->
<!ELEMENT access    (#PCDATA)>

<!--
    Element:      affected
    Description:  Describe what the affected subjects are.

                  If product@type = 'ebuild', the child elements are 'package'
                  If product@type = 'portage', the child elements are 'package'
                  If product@type = 'infrastructure', the child elements are
                  'service'

                  NOTE(review): 'portage' is not one of the values declared
                  for product@type (ebuild|infrastructure|informational), so
                  that line cannot apply to a valid document.

                  The content model allows either 'package' children or
                  'service' children, never a mix, and it may be empty. It
                  does not tie the choice to product@type, so that relation
                  has to be checked by the consuming tool.
-->
<!ELEMENT affected  (package*|service*)>

<!--
    Element:      package
    Description:  Provides all necessary information regarding the affected
                  packages: the package name, the affected architectures and
                  whether automatic updates can be done.

                  The "update" attribute contains the path to the non-vulnerable
                  version of the package

                  NOTE(review): "update" is described here but is not declared
                  in the ATTLIST below, so a validating parser rejects a
                  package element that carries it.

                  The "auto" attribute contains either "yes" or "no" and tells
                  Portage that the package can be updated automatically (to be
                  implemented) without further user interaction

                  The "arch" attribute contains either the architecture (as used
                  by ACCEPT_KEYWORDS) or the "*" value (in case all
                  architectures are affected)

                  "name", "auto" and "arch" are all required. "name" and "arch"
                  are CDATA, so their values are not checked by this DTD.

                  The content model accepts any number of "vulnerable" and
                  "unaffected" children in any order, including none at all.
                  Validation alone does not guarantee that a package entry
                  names a vulnerable version.

    Occurrence:   The package element can occur 0, 1 or more times
    Example:      <package name="dev-libs/openssl" auto="yes" arch="*">
                    <vulnerable range="lt">0.9.6k</vulnerable>
                    <unaffected range="gt">0.9.6k</unaffected>
                  </package>
-->
<!ELEMENT package (vulnerable|unaffected)*>
<!ATTLIST package name      CDATA           #REQUIRED
                  auto      (yes|no)    #REQUIRED
                  arch      CDATA           #REQUIRED>

<!--
    Element:      vulnerable
    Description:  Version of the vulnerable package. Can be a range too
    Attribute:    @range: required, one of le, lt, eq, gt, ge, rlt, rle, rgt,
                  rge. The same set is declared for the "unaffected" element;
                  presumably the r* values are revision-specific here as well
                  (confirm against the consumer).
    Attribute:    @slot: optional, defaults to "*"

                  The version itself is #PCDATA, so its syntax is not checked
                  by this DTD.

    Example:      <vulnerable range="lt">0.9.6k</vulnerable>
-->
<!ELEMENT vulnerable (#PCDATA)>
<!ATTLIST vulnerable range      (le|lt|eq|gt|ge|rlt|rle|rgt|rge)      #REQUIRED
                     slot       CDATA                 "*">

<!--
    Element:      unaffected
    Description:  Version of the fixed (or unaffected) package. In case the
                  package is superseded by another package, you need to
                  define that package using the "name" attribute.

                  The r* range information is revision-specific. For instance,
                  rge foo-1.2.3-r4  ==  >=foo-1.2.3-r4 && <foo-1.2.4

    Example:
                  <unaffected range="gt" name="foobar">2.0.0</unaffected>
-->
<!ELEMENT unaffected (#PCDATA)>
<!ATTLIST unaffected range      (le|lt|eq|gt|ge|rlt|rle|rgt|rge)      #REQUIRED
                     slot       CDATA                 "*"
                     name       CDATA                 #IMPLIED>

<!--
    Element:      service
    Description:  Provide information about the Gentoo services that are
                  affected by the security advisory. Portage must be able
                  to parse this information to make decisions (for instance,
                  ignore an rsync server or a certain distfiles mirror).

                  The type attribute can be one of "rsync", "web", "mirror".

                  The fixed attribute (denoting if the problem has been solved)
                  can be one of "yes" or "no". If not used, the default value is
                  "no".

                  NOTE(review): the ATTLIST below declares "fixed" as #IMPLIED,
                  so the DTD supplies no default and a parser reports the
                  attribute as absent. The "no" default has to be applied by
                  the consuming tool, which should treat a missing value as
                  "not fixed".

    Occurrence:   The service element can occur 0, 1 or more times
    Example: <service type="rsync">rsync://rsync.someserver.tld/gentoo-portage</service>
-->
<!ELEMENT service (#PCDATA)>
<!ATTLIST service type (rsync|web|mirror) #REQUIRED
                  fixed (yes|no)          #IMPLIED>

<!--
    Element:      uri
    Description:  Link to the organisation involved in releasing the advisory
    Attribute:    @link: optional (#IMPLIED) target of the link. It is CDATA,
                  so neither its syntax nor its scheme is checked by this DTD;
                  a tool that renders it as a hyperlink should restrict it to
                  the schemes it expects.
    Occurrence:   The uri element can occur 0, 1 or more times

    Example:      <uri link="http://www.cert.org">CERT</uri>
-->
<!ELEMENT uri       (#PCDATA)>
<!ATTLIST uri     link  CDATA   #IMPLIED>

<!--
    Element:      mail
    Description:  Mail address of the people involved in releasing the advisory
    Occurrence:   The mail element can occur 0, 1 or more times

    Example:      <mail link="some@person.com">Some Person</mail>
-->
<!ELEMENT mail      (#PCDATA)>
<!ATTLIST mail    link  CDATA   #REQUIRED>

<!--
    Element:      p
    Description:  Plain text
    Occurrence:   The "p" element can occur 0, 1 or more times and can contain
                  links or addresses

    Example:      <p>Please update your system</p>
-->
<!ELEMENT p (#PCDATA|mail|uri|b|i|br)*>

<!--
    Element:      code
    Description:  The code element contains text that should preserve whitespace
                  and is therefore useful for code listings or commands

    Example:      <code>emerge sync</code>
-->
<!ELEMENT code (#PCDATA)>

<!--
    Element:      background
    Description:  Provides a background of the affected package(s)/service(s)
                  The background element contains "<p>", "<ul>" and "<ol>"
                  elements in which the text is placed

-->
<!ELEMENT background  (p|ul|ol)*>

<!--
    Element:      description
    Description:  Provides a description about the security issue
                  The description element contains "<p>", "<ul>", "<ol>" and
                  "<code>" elements, in any order and number.
-->
<!ELEMENT description (p|ul|ol|code)*>

<!--
    Element:      impact
    Description:  Provides information about the impact that the security issue
                  can have

                  The "impact" element contains "<p>", "<ul>" and "<ol>"
                  elements.

                  The required type attribute gives a short term, such as
                  "Denial of Service", "Buffer Overflow", ...
                  It is CDATA, so the DTD accepts any string.

-->
<!ELEMENT impact    (p|ul|ol)*>
<!ATTLIST impact    type    CDATA   #REQUIRED>

<!--
    Element:      workaround
    Description:  Provides information about how the security issue can be
                  (temporarily) resolved through a work-around

                  The "workaround" element contains "<p>", "<code>", "<ul>"
                  and "<ol>" elements.
-->
<!ELEMENT workaround    (p|code|ul|ol)*>

<!--
    Element:      resolution
    Description:  Provides information about how the security issue can be
                  resolved.

                  The "resolution" element contains "<p>", "<code>", "<ul>"
                  and "<ol>" elements. The content model also allows it to be
                  empty, so validation does not guarantee that an advisory
                  carries resolution text.
-->
<!ELEMENT resolution  (p|code|ul|ol)*>

<!--
    Element:      references
    Description:  Provides links to resources / references available online.

                  The "references" element contains only "<uri>"s; it may
                  hold any number of them, including none.
-->
<!ELEMENT references    (uri*)>

<!--
    Element:      ul
    Description:  Add an unnumbered listing; can only contain <li>'s
-->
<!ELEMENT ul            (li*)>

<!--
    Element:      ol
    Description:  Add a numbered listing; can only contain <li>'s
-->
<!ELEMENT ol            (li*)>

<!--
    Element:      li
    Description:  Element of a listing

    Example:    <ul>
                  <li>This is element one</li>
                  <li>This is a second element</li>
                </ul>
-->
<!ELEMENT li            (#PCDATA)>

<!--
    Element:      b
    Description:  Bold text

    Example:    <b>this is bold</b>
-->
<!ELEMENT b             (#PCDATA)>

<!--
    Element:      i
    Description:  Input text (blue)

    Example:      The user has to type in <i>ls</i> to see.
-->
<!ELEMENT i             (#PCDATA)>

<!--
    Element:      br
    Description:  hard line break

    Example:      And then: <br/>
                  KABLAM!

    NOTE(review): the example uses br as an empty element, but the
                  declaration below allows text content. EMPTY looks like the
                  intended content model; confirm before tightening it, as
                  that would reject any existing advisory with text inside br.
-->
<!ELEMENT br            (#PCDATA)>

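<!--
    Element:      license
    Description:  Add license information. The element is always empty.

                  The EMPTY keyword is written without parentheses. Inside
                  parentheses it is read as the name of a required child
                  element called "EMPTY", which this DTD does not declare, so
                  the example below would not validate.

    Example:      <license/>
-->
<!ELEMENT license       EMPTY>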

<!--
    Element:      metadata
    Description:  Metadata information for GLSAMaker
    Attribute:    @tag: required name of the metadata entry
    Attribute:    @revision, @author, @timestamp: optional (#IMPLIED); all are
                  CDATA, so their format is not checked by this DTD

    Example:      <metadata tag="approved">Level 1</metadata>

    On request of plasmaroo, metadata can contain all elements again.

    NOTE(review): the content model below allows only text and nested
                  metadata elements, which does not match "all elements" in
                  the sentence above; confirm which one is intended.
-->
<!ELEMENT metadata  (#PCDATA|metadata)*>
<!ATTLIST metadata tag      CDATA #REQUIRED
                   revision CDATA #IMPLIED
                   author   CDATA #IMPLIED
                   timestamp CDATA #IMPLIED>