Author: geissert Date: 2017-10-16 10:23:49 +0000 (Mon, 16 Oct 2017) New Revision: 56743
Modified: doc/security-team.d.o/security_tracker Log: corrections related to CVE id requests and an obsolete note Modified: doc/security-team.d.o/security_tracker =================================================================== --- doc/security-team.d.o/security_tracker 2017-10-16 10:01:11 UTC (rev 56742) +++ doc/security-team.d.o/security_tracker 2017-10-16 10:23:49 UTC (rev 56743) @@ -441,9 +441,8 @@ ### Vulnerabilities without an assigned CVE id -If you learn of a vulnerability to which no CVE id has been assigned yet, you can request one. -To request a CVE for public issues, you can -[write to the moderated oss-security list](https://github.com/RedHatProductSecurity/CVE-HOWTO). +If you learn of a vulnerability to which no CVE id has been assigned yet, you can +[request one](https://github.com/RedHatProductSecurity/CVE-HOWTO). In the meantime, you can add an entry of the form CVE-2009-XXXX [optipng array overflow] @@ -468,6 +467,10 @@ <t...@security.debian.org> and include a description which follows CVE conventions. +The vulnerabilities must be announced at a later point. This is a +requirement by MITRE and can be fulfilled by, for instance, sending an +announcement to the [oss-security mailing list](glossary.html#oss-sec). + Distribution tags ----------------- 
@@ -549,9 +552,7 @@ is added like this to `DSA/list` is parsed by a script and automatically added to `CVE/list`. The next lines contain the fixes for stable and optionally oldstable, addressed with distribution tags. You may add -`NOTE:` entries freely, we use a `NOTE` entry for statistical purposes -that tracks when a fix has reached testing relative to the time when -it hit stable. +`NOTE:` entries freely. There is no need to add anything to `CVE/list` for a DSA, the DSA cross-reference will be added automatically by the cron job. However,
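Review bot: in the first hunk (`@@ -441,9 +441,8 @@`), the rewritten sentence drops the "for public issues" qualifier that the removed text carried, so a reader can no longer tell whether the linked CVE-HOWTO is meant for public issues only or for any issue. Consider keeping the qualifier or stating which cases the link covers. The link text "request one" also hides the destination; naming the CVE-HOWTO in the link text would make it clearer where the reader is being sent.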
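Review bot: in the second hunk (`@@ -468,6 +467,10 @@`), the added sentence "The vulnerabilities must be announced at a later point" leaves open which vulnerabilities are meant, who is expected to make the announcement, and by when. Tie it to the preceding paragraph, for example by saying that issues for which an id was requested this way must be announced publicly afterwards, and name the responsible party. "This is a requirement by MITRE" would read better as "MITRE requires this".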
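Review bot: in the third hunk (`@@ -549,9 +552,7 @@`), once the statistical-purpose explanation is removed, "You may add `NOTE:` entries freely." no longer says what such entries are for in `DSA/list`. A short clause on their intended use would keep the sentence useful. Since the log message calls the removed text obsolete, it would also help to say whether existing `NOTE` entries of that kind should be left in place or cleaned up.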