[Secure-testing-commits] r56743 - doc/security-team.d.o
Raphael Geissert
geissert at moszumanska.debian.org
Mon Oct 16 10:23:49 UTC 2017
Author: geissert
Date: 2017-10-16 10:23:49 +0000 (Mon, 16 Oct 2017)
New Revision: 56743
Modified:
doc/security-team.d.o/security_tracker
Log:
corrections related to CVE id requests and an obsolete note
Modified: doc/security-team.d.o/security_tracker
===================================================================
--- doc/security-team.d.o/security_tracker 2017-10-16 10:01:11 UTC (rev 56742)
+++ doc/security-team.d.o/security_tracker 2017-10-16 10:23:49 UTC (rev 56743)
@@ -441,9 +441,8 @@
### Vulnerabilities without an assigned CVE id
-If you learn of a vulnerability to which no CVE id has been assigned yet, you can request one.
-To request a CVE for public issues, you can
-[write to the moderated oss-security list](https://github.com/RedHatProductSecurity/CVE-HOWTO).
+If you learn of a vulnerability to which no CVE id has been assigned yet, you can
+[request one](https://github.com/RedHatProductSecurity/CVE-HOWTO).
In the meantime, you can add an entry of the form
CVE-2009-XXXX [optipng array overflow]
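Review bot: The new link text "request one" on the second added line drops the "for public issues" qualifier that the removed sentence carried, so a reader can no longer tell that the linked CVE-HOWTO procedure is meant for issues that are already public. Consider keeping the qualifier in the new sentence, for example "you can request one if the issue is already public", so that the distinction from the team address mentioned further down the page stays visible.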
@@ -468,6 +467,10 @@
<team at security.debian.org> and include a description which follows CVE
conventions.
+The vulnerabilities must be announced at a later point. This is a
+requirement by MITRE and can be fulfilled by, for instance, sending an
+announcement to the [oss-security mailing list](glossary.html#oss-sec).
+
Distribution tags
-----------------
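Review bot: The added paragraph says the vulnerabilities "must be announced at a later point" without saying who is responsible for the announcement (the requester or the team addressed in the preceding sentence) or what "later" is measured from. Suggest naming the responsible party and the trigger, and linking or citing the MITRE requirement so that it can be checked. "The vulnerabilities" would also read more clearly as the ones whose ids were obtained through this request.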
@@ -549,9 +552,7 @@
is added like this to `DSA/list` is parsed by a script and automatically
added to `CVE/list`. The next lines contain the fixes for stable and
optionally oldstable, addressed with distribution tags. You may add
-`NOTE:` entries freely, we use a `NOTE` entry for statistical purposes
-that tracks when a fix has reached testing relative to the time when
-it hit stable.
+`NOTE:` entries freely.
There is no need to add anything to `CVE/list` for a DSA, the DSA
cross-reference will be added automatically by the cron job. However,
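Review bot: Removing the explanation of the statistical `NOTE` entry leaves "You may add `NOTE:` entries freely." as the only guidance, while the same paragraph states that `DSA/list` is parsed by a script. If that script or any reporting still reads the timing `NOTE`, the removal makes those entries undocumented; if nothing reads them, the text or the commit message could say that such entries are no longer needed, so editors know they can stop adding them.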