blob: 272d24f0eaad89342850471c8c8fabb6c441a118 [file] [log] [blame]
<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/dtd/glsa.dtd,v 1.17 2008/04/04 17:04:39 neysx Exp $ -->
<!ELEMENT glsa (title,synopsis,product,announced,revised,bug*,access?,affected,background?,description,impact,workaround,resolution,references,license?,metadata*)>
Element: title
Description: Provides a 4-5 word description about the advisory
Example: <title>Buffer overflow vulnerability found in openssl-0.9.5</title>
<!ELEMENT title (#PCDATA)>
Element: synopsis
Description: Small, to-the-point description about the GLSA
Example: <synopsis>
rsync has an exploitable buffer overflow that can lead to
remote compromise
<!ELEMENT synopsis (#PCDATA)>
Element: product
Description: Defines what type of security announcement this is.
Valid types are:
- ebuild A Portage-provided ebuild has a security
- informational This GLSA is purely informational, no Gentoo
system is affected
- infrastructure The security issue involves the Gentoo
The text contains one keyword that defines the issue.
Example: <product type="ebuild">openssl</product>
Example: <product type="infrastructure">rsync mirror</product>
<!ELEMENT product (#PCDATA)>
<!ATTLIST product type (ebuild|infrastructure|informational) #REQUIRED>
Element: announced
Description: Date when the advisory is publicised
The format must be "YYYY-mm-dd"
Example: <announced>2003-11-20</announced>
<!ELEMENT announced (#PCDATA)>
Element: revised
Description: Last revision date of the GLSA
Attribute: @count: number of revisions
Example: <revised count="02">2003-11-20</revised>
<!ELEMENT revised (#PCDATA)>
<!ATTLIST revised count CDATA "01">
Element: bug
Description: Number of the bug on, if any
Occurrence: The bug element can occur 0, 1 or more times
Example: <bug>34200</bug>
Element: access
Description: Type of access necessary to exploit the security issue
This element should only be used when product@type = 'ebuild'
Occurrence: The access element can occur 0 or 1 time
Example: <access>Remote</access>
<!ELEMENT access (#PCDATA)>
Element: affected
Description: Describe what the affected subjects are.
If product@type = 'build', the child elements are 'package'
If product@type = 'portage', the child elements are 'package'
If product@type = 'infrastructure', the child elements are
<!ELEMENT affected (package*|service*)>
Element: package
Description: Provide all necessary information regarded the affected
packages. It also contains information about the affected
architectures, if automatic updates can be done and the update
The "update" attribute contains the path to the non-vulnerable
version of the package
The "auto" attribute contains either "yes" or "no" and tells
Portage that the package can be updated automatically (to be
implemented) without further user interaction
The "arch" attribute contains either the architecture (as used
by ACCEPT_KEYWORDS) or the "*" value (in case all
architectures are affected)
Occurrence: The package element can occur 0, 1 or more times
Example: <package name="dev-libs/openssl" auto="yes" arch="*">
<vulnerable range="lt">0.9.6k</vulnerable>
<unaffected range="gt">0.9.6k</unaffected>
<!ELEMENT package (vulnerable|unaffected)*>
auto (yes|no) #REQUIRED
Element: vulnerable
Description: Version of the vulnerable package. Can be a range too
<!ELEMENT vulnerable (#PCDATA)>
<!ATTLIST vulnerable range (le|lt|eq|gt|ge|rlt|rle|rgt|rge) #REQUIRED>
Element: unaffected
Description: Version of the fixed (or unaffected) package. In case the
package is superseded by another package, you need to
define that package using the "name" attribute.
The r* range information is revision-specific. For instance,
rge foo-1.2.3-r4 == >=foo-1.2.3-r4 && <foo-1.2.4
<unaffected range="gt" name="foobar">2.0.0</unaffected>
<!ELEMENT unaffected (#PCDATA)>
<!ATTLIST unaffected range (le|lt|eq|gt|ge|rlt|rle|rgt|rge) #REQUIRED
Element: service
Description: Provide information about the Gentoo services that are
affected by the security advisory. Portage must be able
to parse this information to make decisions (for instance,
ignore an rsync server or a certain distfiles mirror).
The type attribute can be one of "rsync", "web", "mirror".
The fixed attribute (denoting if the problem has been solved)
can be one of "yes" or "no". If not used, the default value is
Occurrence: The service element can occur 0, 1 or more times
Example: <service type="rsync">rsync://rsync.someserver.tld/gentoo-portage</service>
<!ELEMENT service (#PCDATA)>
<!ATTLIST service type (rsync|web|mirror) #REQUIRED
fixed (yes|no) #IMPLIED>
Element: uri
Description: Link to the organisation involved in releasing the advisory
Occurrence: The uri element can occur 0, 1 or more times
Example: <uri link="">CERT</uri>
Element: mail
Description: Mail address of the people involved in releasing the advisory
Occurrence: The mail element can occur 0, 1 or more times
Example: <mail link="">Some Person</mail>
Element: p
Description: Plain text
Occurrence: The "p" element can occur 0, 1 or more times and can contain
links or addresses
Example: <p>Please update your system</p>
<!ELEMENT p (#PCDATA|mail|uri|b|i|br)*>
Element: code
Description: The code element contains text that should preserve whitespace
and is therefore useful for code listings or commands
Example: <code>emerge sync</code>
Element: background
Description: Provides a background of the affected package(s)/service(s)
The background element contains only "<p>"s in which the text
is placed
<!ELEMENT background (p|ul|ol)*>
Element: description
Description: Provides a description about the security issue
The description element contains only "<p>"s.
<!ELEMENT description (p|ul|ol|code)*>
Element: impact
Description: Provides information about the impact that the security issue
can have
The "impact" element contains only "<p>"s.
The type element gives a short term, such as
"Denial of Service", "Buffer Overflow", ...
<!ELEMENT impact (p|ul|ol)*>
Element: workaround
Description: Provides information about how the security issue can be
(temporarily) resolved through a work-around
The "workaround" element contains only "<p>"s and "<code>"s.
<!ELEMENT workaround (p|code|ul|ol)*>
Element: resolution
Description: Provides information about how the security issue can be
The "resolution" element contains only "<p>"s and "<code>"s.
<!ELEMENT resolution (p|code|ul|ol)*>
Element: references
Description: Provides links to resources / references available online.
The "reference" element contains only "<uri>"s.
<!ELEMENT references (uri*)>
Element: ul
Description: Add an unnumbered listing; can only contain <li>'s
<!ELEMENT ul (li*)>
Element: ol
Description: Add a numbered listing; can only contain <li>'s
<!ELEMENT ol (li*)>
Element: li
Description: Element of a listing
Example: <ul>
<li>This is element one</li>
<li>This is a second element</li>
Element: b
Description: Bold text
Example: <b>this is bold</b>
Element: i
Description: Input text (blue)
Example: The user has to type in <i>ls</i> to see.
Element: br
Description: hard line break
Example: And then: <br/>
Element: license
Description: Add license information
Example: <license/>
<!ELEMENT license (EMPTY)>
Element: metadata
Description: Metadata information for GLSAMaker
Example: <metadata tag="approved">Level 1</metadata>
On request of plasmaroo, metadata can contain all elements again.
<!ELEMENT metadata (#PCDATA|metadata)*>
timestamp CDATA #IMPLIED>