namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0"
# Root element: one Gentoo Linux Security Advisory (GLSA).
# The children must appear in exactly the order listed below; "?" marks an
# optional child and "*" a child that may repeat any number of times.
glsa =
  element glsa {
    attlist.glsa,
    title,
    synopsis,
    product,
    announced,
    revised,
    bug*,
    access?,
    affected,
    background?,
    description,
    impact,
    workaround,
    resolution,
    references,
    license?,
    metadata*
  }

# The advisory id is mandatory, but the schema constrains it only to "text".
# A consumer that uses it as a lookup key or as part of a file name has to
# check its shape itself; validation against this schema does not do so.
attlist.glsa &= attribute id { text }
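# Element: title
# Description: Provides a 4-5 word description about the advisory
# Example:
#   <title>Buffer overflow vulnerability found in openssl-0.9.5</title>
#
# The content is unconstrained text; the "4-5 words" guideline is editorial
# and is not enforced by the schema.
title = element title { attlist.title, text }
attlist.title &= empty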
# Element: synopsis
# Description: A short, to-the-point summary of the GLSA.
#
# Example:
#   <synopsis>rsync has an exploitable buffer overflow that can lead to
#   remote compromise</synopsis>
#
synopsis =
  element synopsis {
    attlist.synopsis,
    text
  }
attlist.synopsis &= empty
# Element: product
# Description: Defines what type of security announcement this is.
#
# Valid values of the "type" attribute:
#   - ebuild          A Portage-provided ebuild has a security issue
#   - informational   This GLSA is purely informational; no Gentoo system
#                     is affected
#   - infrastructure  The security issue involves the Gentoo infrastructure
#
# The element text contains one keyword that names the affected product.
# Note: all type values except 'ebuild' are considered deprecated. The
# schema still accepts them, so a consumer that wants to reject deprecated
# advisories has to check the attribute itself.
#
# Examples (attribute values reconstructed from the list above):
#   <product type="ebuild">openssl</product>
#   <product type="infrastructure">rsync mirror</product>
product =
  element product {
    attlist.product,
    text
  }
attlist.product &=
  attribute type { "ebuild" | "infrastructure" | "informational" }
# Element: announced
# Description: Date on which the advisory is published.
#              The format must be "YYYY-mm-dd".
#
# The schema types the content as plain text, so the date format is a
# convention only; tooling that sorts or filters on this value must parse
# and validate it itself.
#
# Example: <announced>2003-11-20</announced>
announced =
  element announced {
    attlist.announced,
    text
  }
attlist.announced &= empty

# Element: revised
# Description: Date of the last revision of the GLSA.
# Attribute:   @count - number of revisions; optional, with an annotated
#              default of "01".
#
# As with "announced", neither the date nor the count is checked beyond
# being text.
#
# Example: <revised>2003-11-20</revised>
revised =
  element revised {
    attlist.revised,
    text
  }
attlist.revised &=
  [ a:defaultValue = "01" ] attribute count { text }?
# Element: bug
# Description: Number of the bug on bugs.gentoo.org, if any.
# Occurrence:  The bug element can occur 0, 1 or more times.
#
# The content is typed as text, so a non-numeric value still validates.
# A consumer that builds a bug-tracker URL from it should verify that it is
# a number first.
#
# Example: <bug>34200</bug>
bug =
  element bug {
    attlist.bug,
    text
  }
attlist.bug &= empty
# Element: access
# Description: Type of access necessary to exploit the security issue.
#              This element should only be used when product@type = 'ebuild'.
# Occurrence:  The access element can occur 0 or 1 time.
#
# The restriction to product@type = 'ebuild' is documentation only: the
# glsa content model admits an optional access element for every product
# type, and the value itself is free text rather than an enumeration.
#
# Example: <access>Remote</access>
access =
  element access {
    attlist.access,
    text
  }
attlist.access &= empty
# Element: affected
# Description: Describes what the affected subjects are.
#
# If product@type = 'ebuild', the child elements are 'package'
# If product@type = 'portage', the child elements are 'package'
# If product@type = 'infrastructure', the child elements are 'service'
#
# NOTE(review): 'portage' is not among the values the product "type"
# attribute accepts in this schema ("ebuild", "infrastructure",
# "informational"), so that line appears to be stale.
#
# The pairing between product@type and the kind of child is not enforced
# here. The content model only requires that the children are either all
# 'package' elements or all 'service' elements; an empty 'affected' element
# also validates.
affected =
  element affected {
    attlist.affected,
    (package* | service*)
  }
attlist.affected &= empty
# Element: package
# Description: Provides all necessary information regarding the affected
#              packages: the affected architectures, whether the update can
#              be applied automatically, and the vulnerable and unaffected
#              versions.
#
# The "update" attribute contains the path to the non-vulnerable
# version of the package.
# NOTE(review): no "update" attribute is declared in attlist.package below;
# the declared attributes are "name", "auto" and "arch".
#
# The "auto" attribute contains either "yes" or "no" and tells Portage that
# the package can be updated automatically (to be implemented) without
# further user interaction.
# NOTE(review): "auto" is an instruction carried inside the advisory, so
# tooling should act on it only for advisories whose origin it has already
# verified.
#
# The "arch" attribute contains either the architecture (as used by
# ACCEPT_KEYWORDS) or the "*" value (in case all architectures are
# affected). It is typed as text, so the value is not checked against a
# list of known architectures.
#
# Occurrence: The package element can occur 0, 1 or more times.
# Example (markup reconstructed; the package name and range values are
# constructed for illustration):
#   <package name="dev-libs/openssl" auto="yes" arch="*">
#     <unaffected range="ge">0.9.6k</unaffected>
#     <vulnerable range="lt">0.9.6k</vulnerable>
#   </package>
#
package =
  element package {
    attlist.package,
    (vulnerable | unaffected)*
  }
attlist.package &=
  attribute name { text },
  attribute auto { "yes" | "no" },
  attribute arch { text }
# Element: vulnerable
# Description: Version of the vulnerable package. Can be a range too.
#
# "range" is mandatory and limited to the nine operators listed below.
# "slot" is optional with an annotated default of "*". The version itself
# is plain text and is not checked for syntax.
vulnerable =
  element vulnerable {
    attlist.vulnerable,
    text
  }
attlist.vulnerable &=
  attribute range {
    "le" | "lt" | "eq" | "gt" | "ge" | "rlt" | "rle" | "rgt" | "rge"
  },
  [ a:defaultValue = "*" ] attribute slot { text }?

# Element: unaffected
# Description: Version of the fixed (or unaffected) package. In case the
#              package is superseded by another package, you need to
#              define that package using the "name" attribute.
#
# The r* range information is revision-specific. For instance,
# rge foo-1.2.3-r4 == >=foo-1.2.3-r4 && 2.0.0
# NOTE(review): the right-hand operand of "&&" above appears to have lost
# characters in this copy; check it against the upstream schema.
#
# Because a wrong operator or version here changes which installed
# versions are reported as safe, consumers should reject entries they
# cannot parse rather than skipping them.
unaffected =
  element unaffected {
    attlist.unaffected,
    text
  }
attlist.unaffected &=
  attribute range {
    "le" | "lt" | "eq" | "gt" | "ge" | "rlt" | "rle" | "rgt" | "rge"
  },
  [ a:defaultValue = "*" ] attribute slot { text }?,
  attribute name { text }?
# Element: service
# Description: Provides information about the Gentoo services that are
#              affected by the security advisory. Portage must be able
#              to parse this information to make decisions (for instance,
#              ignore an rsync server or a certain distfiles mirror).
#
# The type attribute can be one of "rsync", "web", "mirror".
#
# The fixed attribute (denoting if the problem has been solved)
# can be one of "yes" or "no". If not used, the default value is "no".
# The declaration below carries no default-value annotation, so a consumer
# has to apply the "no" default itself when the attribute is absent.
#
# The element text (the service location) is unconstrained text.
#
# Occurrence: The service element can occur 0, 1 or more times.
# Example (the type value is reconstructed from the URL scheme):
#   <service type="rsync">rsync://rsync.someserver.tld/gentoo-portage</service>
service =
  element service {
    attlist.service,
    text
  }
attlist.service &=
  attribute type { "rsync" | "web" | "mirror" },
  attribute fixed { "yes" | "no" }?
# Element: uri
# Description: Link to the organisation involved in releasing the advisory.
# Occurrence:  The uri element can occur 0, 1 or more times.
#
# The optional "link" attribute is typed as text, so the schema does not
# restrict it to any URL scheme. A renderer that turns it into a hyperlink
# should allow only the schemes it expects and escape the value.
#
# Example (the link value is a placeholder; the original was not preserved):
#   <uri link="LINK-PLACEHOLDER">CERT</uri>
uri =
  element uri {
    attlist.uri,
    text
  }
attlist.uri &= attribute link { text }?

# Element: mail
# Description: Mail address of the people involved in releasing the advisory.
# Occurrence:  The mail element can occur 0, 1 or more times.
#
# Here "link" is mandatory but likewise unconstrained text; treat it as
# untrusted when rendering.
#
# Example (the link value is a placeholder; the original was not preserved):
#   <mail link="ADDRESS-PLACEHOLDER">Some Person</mail>
mail =
  element mail {
    attlist.mail,
    text
  }
attlist.mail &= attribute link { text }
# Element: p
# Description: Plain text.
# Occurrence:  The "p" element can occur 0, 1 or more times and can contain
#              links or addresses.
#
# Mixed content: text interleaved with mail, uri, b, i and br, in any order.
#
# Example: <p>Please update your system</p>
p =
  element p {
    attlist.p,
    (text | mail | uri | b | i | br)*
  }
attlist.p &= empty

# Element: code
# Description: The code element contains text that should preserve
#              whitespace and is therefore useful for code listings or
#              commands.
#
# Only text is allowed inside; no inline markup.
#
# Example: <code>emerge sync</code>
code =
  element code {
    attlist.code,
    text
  }
attlist.code &= empty
# Element: background
# Description: Provides a background of the affected package(s)/service(s).
#              The background element contains only "<p>"s in which the
#              text is placed.
#
# The content model below also accepts "<ul>" and "<ol>" lists in addition
# to paragraphs.
#
background =
  element background {
    attlist.background,
    (p | ul | ol)*
  }
attlist.background &= empty
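# Element: description
# Description: Provides a description about the security issue.
#              The description element contains only "<p>"s.
#
# The content model below is wider than that sentence: it also accepts
# "<ul>", "<ol>" and "<code>" children.
description =
  element description { attlist.description, (p | ul | ol | code)* }
attlist.description &= empty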
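# Element: impact
# Description: Provides information about the impact that the security
#              issue can have.
#
# The "impact" element contains only "<p>"s. (The content model below also
# accepts "<ul>" and "<ol>".)
#
# The type attribute gives a short term, such as
# "Denial of Service", "Buffer Overflow", ...
# It is mandatory but typed as free text, so the schema does not restrict it
# to a fixed vocabulary; tooling that filters or ranks advisories on it
# should normalise the value and handle unknown terms explicitly.
#
impact = element impact { attlist.impact, (p | ul | ol)* }
attlist.impact &= attribute type { text }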
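# Element: workaround
# Description: Provides information about how the security issue can be
#              (temporarily) resolved through a work-around.
#
# The "workaround" element contains only "<p>"s and "<code>"s. (The content
# model below also accepts "<ul>" and "<ol>".)
#
# The element is a required child of glsa, but because every child here is
# optional an empty workaround element validates.
workaround =
  element workaround { attlist.workaround, (p | code | ul | ol)* }
attlist.workaround &= empty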
# Element: resolution
# Description: Provides information about how the security issue can be
#              resolved.
#
# The "resolution" element contains only "<p>"s and "<code>"s. (The content
# model below also accepts "<ul>" and "<ol>".)
#
# Text inside "<code>" is likely to be copied into a shell by readers, so
# renderers should display it verbatim and escaped.
resolution =
  element resolution {
    attlist.resolution,
    (p | code | ul | ol)*
  }
attlist.resolution &= empty

# Element: references
# Description: Provides links to resources / references available online.
#
# The "references" element contains only "<uri>"s; zero entries is valid.
references =
  element references {
    attlist.references,
    uri*
  }
attlist.references &= empty
# Element: ul
# Description: Adds an unnumbered listing; can only contain <li>'s.
ul =
  element ul {
    attlist.ul,
    li*
  }
attlist.ul &= empty

# Element: ol
# Description: Adds a numbered listing; can only contain <li>'s.
ol =
  element ol {
    attlist.ol,
    li*
  }
attlist.ol &= empty

# Element: li
# Description: One item of a listing. Items hold text only; inline markup
#              and nested lists are not part of the content model.
#
# Example (markup reconstructed):
#   <ul>
#     <li>This is element one</li>
#     <li>This is a second element</li>
#   </ul>
#
li =
  element li {
    attlist.li,
    text
  }
attlist.li &= empty
# Element: b
# Description: Bold text.
#
# Example: <b>this is bold</b>
b =
  element b {
    attlist.b,
    text
  }
attlist.b &= empty

# Element: i
# Description: Input text (blue).
#
# Example: The user has to type in <i>ls</i> to see.
i =
  element i {
    attlist.i,
    text
  }
attlist.i &= empty

# Element: br
# Description: Hard line break.
#
# As declared, br admits text content rather than being an empty element.
#
# Example (markup reconstructed):
#   And then:<br/>
#   KABLAM!
br =
  element br {
    attlist.br,
    text
  }
attlist.br &= empty
# Element: license
# Description: Adds license information.
#
# Example: (not preserved in this copy)
#
# NOTE(review): "EMPTY" below is a reference to a named pattern, not the
# built-in "empty" keyword. This file defines that pattern as notAllowed,
# which means no <license> element can validate against the schema as
# written. Confirm whether "empty" was intended.
license =
  element license {
    attlist.license,
    EMPTY
  }
attlist.license &= empty
# Element: metadata
# Description: Metadata information for GLSAMaker.
#
# Example (the tag value is a placeholder; the original was not preserved):
#   <metadata tag="TAG-PLACEHOLDER">Level 1</metadata>
#
# On request of plasmaroo, metadata can contain all elements again.
# NOTE(review): the content model below admits only text and nested
# metadata elements, not arbitrary elements.
#
# "tag" is mandatory; "revision", "author" and "timestamp" are optional.
# All four are free text, so they record who changed what only as far as
# the producer is trusted; the schema does not make them verifiable.
metadata =
  element metadata {
    attlist.metadata,
    (text | metadata)*
  }
attlist.metadata &=
  attribute tag { text },
  attribute revision { text }?,
  attribute author { text }?,
  attribute timestamp { text }?

# EMPTY is a named pattern that can never match (notAllowed); any content
# model that references it is unsatisfiable.
EMPTY |= notAllowed

# A valid document has a single glsa element as its root.
start = glsa