[Secure-testing-commits] r27515 - doc/security-team.d.o

Salvatore Bonaccorso carnil at moszumanska.debian.org
Sat Jun 28 07:59:59 UTC 2014


Author: carnil
Date: 2014-06-28 07:59:59 +0000 (Sat, 28 Jun 2014)
New Revision: 27515

Modified:
   doc/security-team.d.o/security_tracker
Log:
Indent to the position used in the file

Modified: doc/security-team.d.o/security_tracker
===================================================================
--- doc/security-team.d.o/security_tracker	2014-06-28 07:47:20 UTC (rev 27514)
+++ doc/security-team.d.o/security_tracker	2014-06-28 07:59:59 UTC (rev 27515)
@@ -130,7 +130,7 @@
 Example:
 
     CVE-2005-3018 (Apple Safari allows remote attackers to cause a denial of service ...)
-       NOT-FOR-US: Safari
+            NOT-FOR-US: Safari
 
 Before marking a package NFU, the following should be done:
 
@@ -168,7 +168,7 @@
 example:
 
     CVE-2005-2596 (User.php in Gallery, as used in Postnuke, allows users with any Admin ...)
-       - gallery 1.5-2 (medium)
+            - gallery 1.5-2 (medium)
 
 Even if the CVE description mentions it is fixed as of a particular
 version, double-check the Debian package yourself (because sometimes 
@@ -180,8 +180,8 @@
 (again with a severity level):
 
     CVE-2005-3054 (fopen_wrappers.c in PHP 4.4.0, and possibly other versions, does not ...)
-       - php4 <unfixed> (bug #353585; medium)
-       - php5 <unfixed> (bug #353585; medium)
+            - php4 <unfixed> (bug #353585; medium)
+            - php5 <unfixed> (bug #353585; medium)
 
 Bug numbers can be added as in the example above. To avoid duplicate bugs,
 `bug filed` can be added instead of `bug #123456` when the bug report has
@@ -212,7 +212,7 @@
 code is not contained, it is marked as <not-affected>:
 
     CVE-2004-2628 (Multiple directory traversal vulnerabilities in thttpd 2.07 beta 0.4, ...)
-        - thttpd <not-affected> (Windows-specific vulnerabilities)
+            - thttpd <not-affected> (Windows-specific vulnerabilities)
 
 `<not-affected>` is also used if a vulnerability was fixed before a
 package was uploaded into the Debian archive.
@@ -237,9 +237,9 @@
 entry is:
 
     CVE-2011-2351 (Use-after-free vulnerability in Google Chrome before 12.0.742.112 ...)
-        - chromium-browser 12.0.742.112~r90304-1
-        - webkit <undetermined>
-        NOTE: webkit commit #123456
+            - chromium-browser 12.0.742.112~r90304-1
+            - webkit <undetermined>
+            NOTE: webkit commit #123456
 
 The list of all of currently undetermined issues is aggregated [by the tracker](http://security-tracker.debian.org/tracker/status/undetermined).
 This is a good place for new contributors to get started since these
@@ -260,7 +260,7 @@
 An example entry for an ITP/RFP package is:
 
     CVE-2004-2525 (Cross-site scripting (XSS) vulnerability in compat.php in Serendipity ...)
-        - serendipity <itp> (bug #312413)
+            - serendipity <itp> (bug #312413)
 
 ### Reserved entries
 
@@ -271,7 +271,7 @@
 are marked as `RESERVED` in the tracker:
 
     CVE-2005-1432
-        RESERVED
+            RESERVED
 
 ### Rejected entries
 
@@ -280,7 +280,7 @@
 entries:
 
     CVE-2005-4129
-        REJECTED
+            REJECTED
 
 ### <a id="removed">Removed packages</a>
 
@@ -290,7 +290,7 @@
 the `<removed>` tag:
 
     CVE-2005-1435 (Open WebMail (OWM) before 2.51 20050430 allows remote authenticated ...)
-        - openwebmail <removed>
+            - openwebmail <removed>
 
 Also note that it is sufficient to mark a package as removed in unstable.
 The tracker is aware of which package is present in which distribution
@@ -319,10 +319,10 @@
 (old-)stable release are marked with the end-of-life tag:
 
     CVE-2011-3973 (cavsdec.c in libavcodec in FFmpeg before 0.7.4 and 0.8.x before 0.8.3 ...)
-        {DSA-2336-1}
-        - libav 4:0.7.1-7 (bug #641478)
-        - ffmpeg <removed>
-        - ffmpeg-debian <end-of-life>
+            {DSA-2336-1}
+            - libav 4:0.7.1-7 (bug #641478)
+            - ffmpeg <removed>
+            - ffmpeg-debian <end-of-life>
 
 
 #### <a id="NoteTodo">`NOTE` and `TODO` entries</a>
@@ -333,16 +333,16 @@
 descriptive so that it is clear what remains to be done. For example:
 
     CVE-2005-3990 (Directory traversal vulnerability in FastJar 0.93 allows remote ...)
-        TODO: check, whether fastjar from the gcc source packages is affected
+            TODO: check, whether fastjar from the gcc source packages is affected
 
 If you are not sure about some decision (e.g. which package is affected) or
 triaging (e.g. bug severity) you can leave a TODO note for reviewing, 
 explaining which aspect have to be reviewed. For example:
 
     CVE-2013-7295 (Tor before 0.2.4.20, when OpenSSL 1.x is used in ...)
-        - tor 0.2.4.20-1 (low)
-        [wheezy] - tor <no-dsa> (Minor issue)
-        TODO: review, severity. The exploitation scenario is too complicated.
+            - tor 0.2.4.20-1 (low)
+            [wheezy] - tor <no-dsa> (Minor issue)
+            TODO: review, severity. The exploitation scenario is too complicated.
 
 It is also useful to add information to issues as you find it, so that
 when others go to look at an issue and want to know why you marked it
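Review bot: the `TODO: check, whether fastjar from the gcc source packages is affected` example line carries a stray comma after `check`; since this hunk is indentation-only that is fine to leave, but it is a cheap follow-up fix while the example text is being touched.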
@@ -353,9 +353,9 @@
 the Debian package:
 
     CVE-2005-3258 (The rfc1738_do_escape function in ftp.c for Squid 2.5 STABLE11 and ...)
-        - squid <not-affected> (bug #334882; medium)
-        NOTE: Bug was introduced in a patch to squid-2.5.STABLE10,
-        NOTE: this patch was never applied to the Debian package.
+            - squid <not-affected> (bug #334882; medium)
+            NOTE: Bug was introduced in a patch to squid-2.5.STABLE10,
+            NOTE: this patch was never applied to the Debian package.
 
 Severity levels
 ---------------
@@ -408,8 +408,8 @@
 In the meantime, you can add an entry of the form
 
     CVE-2009-XXXX [optipng array overflow]
-        - optipng 0.6.2.1-1 (low)
-        NOTE: http://secunia.com/advisories/34035/
+            - optipng 0.6.2.1-1 (low)
+            NOTE: http://secunia.com/advisories/34035/
 
 It is desirable to include references
 which uniquely identify the issue, such as a permanent link to an
@@ -441,8 +441,8 @@
 for the version of a package in a specific release. An example:
 
     CVE-2005-3974 (Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3, when running on ...)
-        - drupal 4.5.6-1 (low)
-        [sarge] - drupal <not-affected> (Only vulnerable if running PHP 5)
+            - drupal 4.5.6-1 (low)
+            [sarge] - drupal <not-affected> (Only vulnerable if running PHP 5)
 
 Drupal has been fixed since 4.5.6, however Drupal from Sarge still isn't
 vulnerable as the vulnerability is only effective when run under PHP 5,
@@ -497,10 +497,10 @@
 entry for a DSA looks like this:
 
     [21 Nov 2005] DSA-903-1 unzip - race condition
-        {CVE-2005-2475}
-        [woody] - unzip 5.50-1woody4
-        [sarge] - unzip 5.52-1sarge2
-        NOTE: fixed in testing at time of DSA
+            {CVE-2005-2475}
+            [woody] - unzip 5.50-1woody4
+            [sarge] - unzip 5.52-1sarge2
+            NOTE: fixed in testing at time of DSA
 
 The first line tracks the date, when a DSA was issued, the DSA
 identifier, the affected source package and the type of vulnerability.



