namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0"

# Element: glsa
# Description: Root element of a GLSA advisory (the grammar's start
#   pattern). The children form a sequence, so they must appear in the
#   order listed; bug and metadata may repeat, and access, background
#   and license are optional.
# Attribute: @id: required; plain text, no format is enforced here
glsa =
  element glsa {
    attlist.glsa,
    title,
    synopsis,
    product,
    announced,
    revised,
    bug*,
    access?,
    affected,
    background?,
    description,
    impact,
    workaround,
    resolution,
    references,
    license?,
    metadata*
  }
attlist.glsa &= attribute id { text }

# Element: title
# Description: Provides a 4-5 word description about the advisory
# Example: Buffer overflow vulnerability found in openssl-0.9.5
title = element title { attlist.title, text }
attlist.title &= empty

# Element: synopsis
# Description: Small, to-the-point description about the GLSA
#
# Example:
#   rsync has an exploitable buffer overflow that can lead to
#   remote compromise
#
synopsis = element synopsis { attlist.synopsis, text }
attlist.synopsis &= empty

# Element: product
# Description: Defines what type of security announcement this is.
#
#   Valid types are:
#   - ebuild          A Portage-provided ebuild has a security
#                     issue
#   - informational   This GLSA is purely informational, no Gentoo
#                     system is affected
#   - infrastructure  The security issue involves the Gentoo
#                     infrastructure
#
#   The text contains one keyword that defines the issue.
#   Note: All type values but 'ebuild' are considered deprecated.
#   The grammar still accepts all three values; the deprecation is
#   stated only in this comment.
#
# Example: openssl
# Example: rsync mirror
product = element product { attlist.product, text }
attlist.product &=
  attribute type { "ebuild" | "infrastructure" | "informational" }

# Element: announced
# Description: Date when the advisory is publicised
#   The format must be "YYYY-mm-dd"
#
#   NOTE: the content is declared as plain text, so this grammar does
#   not enforce the date format. Tools that act on the date need to
#   validate it themselves.
#
# Example: 2003-11-20
announced = element announced { attlist.announced, text }
attlist.announced &= empty

# Element: revised
# Description: Last revision date of the GLSA
# Attribute: @count: number of revisions; optional, annotated with a
#   default of "01". The default is carried by a compatibility
#   annotation (namespace "a") rather than by the pattern itself, so
#   whether a consumer sees "01" for a missing attribute depends on
#   the processor applying that annotation -- TODO confirm for the
#   validator in use.
#
#   As with "announced", the date format is not enforced here.
#
# Example: 2003-11-20
revised = element revised { attlist.revised, text }
attlist.revised &= [ a:defaultValue = "01" ] attribute count { text }?
# Element: bug
# Description: Number of the bug on bugs.gentoo.org, if any
#   The content is plain text; the grammar does not require it to be
#   numeric.
# Occurrence: The bug element can occur 0, 1 or more times
#
# Example: 34200
bug = element bug { attlist.bug, text }
attlist.bug &= empty

# Element: access
# Description: Type of access necessary to exploit the security issue
#   This element should only be used when product@type = 'ebuild'.
#   That restriction is a convention only: the glsa pattern accepts
#   an optional access element whatever the product type is.
# Occurrence: The access element can occur 0 or 1 time
#
# Example: Remote
access = element access { attlist.access, text }
attlist.access &= empty

# Element: affected
# Description: Describe what the affected subjects are.
#
#   If product@type = 'ebuild', the child elements are 'package'
#   If product@type = 'portage', the child elements are 'package'
#   If product@type = 'infrastructure', the child elements are
#   'service'
#
#   NOTE(review): 'portage' is not one of the values the product
#   type attribute accepts ("ebuild", "infrastructure",
#   "informational"), and 'informational' is not covered above --
#   confirm which is intended.
#   The pairing between product type and child element is not
#   enforced: the pattern accepts either a run of package elements or
#   a run of service elements (possibly empty), but not a mix.
#
affected = element affected { attlist.affected, (package* | service*) }
attlist.affected &= empty

# Element: package
# Description: Provide all necessary information regarding the
#   affected packages. It also contains information about the
#   affected architectures, whether automatic updates can be done,
#   and the update.
#
#   The "update" attribute contains the path to the non-vulnerable
#   version of the package
#   NOTE(review): no "update" attribute is declared in
#   attlist.package below (only name, auto and arch, all required),
#   so a document carrying one would not validate -- confirm whether
#   this paragraph is stale.
#
#   The "auto" attribute contains either "yes" or "no" and tells
#   Portage that the package can be updated automatically (to be
#   implemented) without further user interaction
#
#   The "arch" attribute contains either the architecture (as used
#   by ACCEPT_KEYWORDS) or the "*" value (in case all
#   architectures are affected)
#
# Occurrence: The package element can occur 0, 1 or more times
# Example (only the text of two child elements survives in this copy;
#   their markup appears to have been lost):
#   0.9.6k
#   0.9.6k
#
package = element package { attlist.package, (vulnerable | unaffected)* }
attlist.package &=
  attribute name { text },
  attribute auto { "yes" | "no" },
  attribute arch { text }

# Element: vulnerable
# Description: Version of the vulnerable package. Can be a range too
# Attribute: @range: required comparison operator, one of the nine
#   values listed below
# Attribute: @slot: optional, annotated with a default of "*"
#   The version itself is plain text; its syntax is not checked by
#   this grammar, so tools that compare versions need to validate it.
vulnerable = element vulnerable { attlist.vulnerable, text }
attlist.vulnerable &=
  attribute range {
    "le" | "lt" | "eq" | "gt" | "ge" | "rlt" | "rle" | "rgt" | "rge"
  },
  [ a:defaultValue = "*" ] attribute slot { text }?

# Element: unaffected
# Description: Version of the fixed (or unaffected) package. In case the
#   package is superseded by another package, you need to
#   define that package using the "name" attribute.
#
#   The r* range information is revision-specific. For instance,
#   rge foo-1.2.3-r4 == >=foo-1.2.3-r4 && 2.0.0
#   NOTE(review): the right-hand side of this expression looks
#   truncated, and "2.0.0" may be the remains of an example that
#   followed it -- restore from the upstream schema.
#
# Attributes: @range (required) and @slot (optional, default "*") as
#   for "vulnerable"; @name is optional.
unaffected = element unaffected { attlist.unaffected, text }
attlist.unaffected &=
  attribute range {
    "le" | "lt" | "eq" | "gt" | "ge" | "rlt" | "rle" | "rgt" | "rge"
  },
  [ a:defaultValue = "*" ] attribute slot { text }?,
  attribute name { text }?

# Element: service
# Description: Provide information about the Gentoo services that are
#   affected by the security advisory. Portage must be able
#   to parse this information to make decisions (for instance,
#   ignore an rsync server or a certain distfiles mirror).
#
#   The type attribute can be one of "rsync", "web", "mirror".
#
#   The fixed attribute (denoting if the problem has been solved)
#   can be one of "yes" or "no". If not used, the default value is
#   "no".
#   NOTE: unlike "slot" and "count", "fixed" carries no
#   a:defaultValue annotation, so the "no" default is not supplied by
#   validation; a consumer has to treat a missing attribute as "no"
#   itself.
#
# Occurrence: The service element can occur 0, 1 or more times
# Example: rsync://rsync.someserver.tld/gentoo-portage
service = element service { attlist.service, text }
attlist.service &=
  attribute type { "rsync" | "web" | "mirror" },
  attribute fixed { "yes" | "no" }?

# Element: uri
# Description: Link to the organisation involved in releasing the advisory
# Attribute: @link: optional, plain text. No URI datatype or scheme
#   restriction is applied here, so software that renders the value
#   as a hyperlink should check the scheme before use.
# Occurrence: The uri element can occur 0, 1 or more times
#
# Example: CERT
uri = element uri { attlist.uri, text }
attlist.uri &= attribute link { text }?
# Element: mail
# Description: Mail address of the people involved in releasing the advisory
# Attribute: @link: required, plain text (the address format is not
#   checked by this grammar)
# Occurrence: The mail element can occur 0, 1 or more times
#
# Example: Some Person
mail = element mail { attlist.mail, text }
attlist.mail &= attribute link { text }

# Element: p
# Description: Plain text
# Occurrence: The "p" element can occur 0, 1 or more times and can contain
#   links or addresses
#   Besides text, mail and uri, the pattern also accepts the inline
#   elements b, i and br, in any order and number.
#
# Example: <p>Please update your system</p>
p = element p { attlist.p, (text | mail | uri | b | i | br)* }
attlist.p &= empty

# Element: code
# Description: The code element contains text that should preserve whitespace
#   and is therefore useful for code listings or commands
#
# Example: emerge sync
code = element code { attlist.code, text }
attlist.code &= empty

# Element: background
# Description: Provides a background of the affected package(s)/service(s)
#   The background element contains only "<p>"s in which the text
#   is placed
#   (the pattern below also accepts ul and ol)
#
background = element background { attlist.background, (p | ul | ol)* }
attlist.background &= empty

# Element: description
# Description: Provides a description about the security issue
#   The description element contains only "<p>"s.
#   (the pattern below also accepts ul, ol and code)
description =
  element description { attlist.description, (p | ul | ol | code)* }
attlist.description &= empty

# Element: impact
# Description: Provides information about the impact that the security issue
#   can have
#
#   The "impact" element contains only "<p>"s.
#   (the pattern below also accepts ul and ol)
#
#   The type attribute (required, plain text) gives a short term,
#   such as "Denial of Service", "Buffer Overflow", ...
#
impact = element impact { attlist.impact, (p | ul | ol)* }
attlist.impact &= attribute type { text }

# Element: workaround
# Description: Provides information about how the security issue can be
#   (temporarily) resolved through a work-around
#
#   The "workaround" element contains only "<p>"s and "<code>"s.
#   (the pattern below also accepts ul and ol)
workaround = element workaround { attlist.workaround, (p | code | ul | ol)* }
attlist.workaround &= empty

# Element: resolution
# Description: Provides information about how the security issue can be
#   resolved.
#
#   The "resolution" element contains only "<p>"s and "<code>"s.
#   (the pattern below also accepts ul and ol)
resolution = element resolution { attlist.resolution, (p | code | ul | ol)* }
attlist.resolution &= empty

# Element: references
# Description: Provides links to resources / references available online.
#
#   The "references" element contains only "<uri>"s.
references = element references { attlist.references, uri* }
attlist.references &= empty

# Element: ul
# Description: Add an unnumbered listing; can only contain <li>'s
ul = element ul { attlist.ul, li* }
attlist.ul &= empty

# Element: ol
# Description: Add a numbered listing; can only contain <li>'s
ol = element ol { attlist.ol, li* }
attlist.ol &= empty

# Element: li
# Description: Element of a listing
#   The content is text only; inline elements such as b, i or uri are
#   not accepted inside a list item.
#
# Example:
#   <ul>
#     <li>This is element one</li>
#     <li>This is a second element</li>
#   </ul>
li = element li { attlist.li, text }
attlist.li &= empty

# Element: b
# Description: Bold text
#
# Example: this is bold
b = element b { attlist.b, text }
attlist.b &= empty

# Element: i
# Description: Input text (blue)
#
# Example: The user has to type in ls to see.
i = element i { attlist.i, text }
attlist.i &= empty

# Element: br
# Description: hard line break
#   NOTE: the pattern allows text content inside br, so a renderer
#   should not assume the element is always empty.
#
# Example: And then:<br/>
#   KABLAM!
br = element br { attlist.br, text }
attlist.br &= empty

# Element: license
# Description: Add license information
#
# Example: (not preserved in this copy)
#
# NOTE(review): the content refers to the named pattern EMPTY, which
# this file defines only as "EMPTY |= notAllowed". Unless another
# grammar contributes a definition of EMPTY, that makes the content
# unmatchable, so a document containing a license element would not
# validate. The built-in "empty" pattern may have been intended --
# confirm against the upstream schema.
license = element license { attlist.license, EMPTY }
attlist.license &= empty

# Element: metadata
# Description: Metadata information for GLSAMaker
# Attributes: @tag is required; @revision, @author and @timestamp are
#   optional. All four are plain text.
#
# Example: Level 1
#
# On request of plasmaroo, metadata can contain all elements again.
# As declared here, the content is text mixed with nested metadata
# elements. Nesting depth is not limited by the grammar; a consumer
# that recurses over it should apply its own bound.
metadata = element metadata { attlist.metadata, (text | metadata)* }
attlist.metadata &=
  attribute tag { text },
  attribute revision { text }?,
  attribute author { text }?,
  attribute timestamp { text }?

# Placeholder pattern: contributes "notAllowed" as a choice to EMPTY.
EMPTY |= notAllowed

# A valid document has glsa as its root element.
start = glsa