path: root/glsa.rnc

# $Header: /var/cvsroot/gentoo/xml/htdocs/dtd/glsa.dtd,v 1.17 2008/04/04 17:04:39 neysx Exp $

namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0"

glsa =
  element glsa {
    attlist.glsa,
    title,
    synopsis,
    product,
    announced,
    revised,
    bug*,
    access?,
    affected,
    background?,
    description,
    impact,
    workaround,
    resolution,
    references,
    license?,
    metadata*
  }
attlist.glsa &= attribute id { text }
# Element:      title
# Description:  Provides a 4-5 word description about the advisory 
# Example:      <title>Buffer overflow vulnerability found in openssl-0.9.5</title> 
title = element title { attlist.title, text }
attlist.title &= empty
# Element:      synopsis
# Description:  Small, to-the-point description about the GLSA
# 
# Example:  <synopsis>
#               rsync has an exploitable buffer overflow that can lead to
#               remote compromise
#           </synopsis>
synopsis = element synopsis { attlist.synopsis, text }
attlist.synopsis &= empty
# Element:      product
# Description:  Defines what type of security announcement this is.
# 
#               Valid types are:
#               - ebuild         A Portage-provided ebuild has a security 
#                                issue
#               - informational  This GLSA is purely informational, no Gentoo
#                                system is affected
#               - infrastructure The security issue involves the Gentoo 
#                                infrastructure
# 
#               The text contains one keyword that defines the issue.
#               Note: All type values but 'ebuild' are considered deprecated.
# 
# Example: <product type="ebuild">openssl</product>
# Example: <product type="infrastructure">rsync mirror</product>
product = element product { attlist.product, text }
attlist.product &=
  attribute type { "ebuild" | "infrastructure" | "informational" }
# Element:      announced
# Description:  Date when the advisory is publicised
#               The format must be "YYYY-mm-dd"
# 
# Example: <announced>2003-11-20</announced>
announced = element announced { attlist.announced, text }
attlist.announced &= empty
# Element:      revised
# Description:  Last revision date of the GLSA
# Attribute:    @count: number of revisions
# 
# Example: <revised count="02">2003-11-20</revised>
revised = element revised { attlist.revised, text }
attlist.revised &= [ a:defaultValue = "01" ] attribute count { text }?
# Element:      bug
# Description:  Number of the bug on bugs.gentoo.org, if any
# Occurrence:    The bug element can occur 0, 1 or more times
# 
# Example: <bug>34200</bug>
bug = element bug { attlist.bug, text }
attlist.bug &= empty
# Element:      access
# Description:  Type of access necessary to exploit the security issue
#               This element should only be used when product@type = 'ebuild'
# Occurrence:    The access element can occur 0 or 1 time
# 
# Example: <access>Remote</access>
access = element access { attlist.access, text }
attlist.access &= empty
# Element:      affected
# Description:  Describe what the affected subjects are.
# 
#               If product@type = 'ebuild', the child elements are 'package'
#               If product@type = 'portage', the child elements are 'package'
#               If product@type = 'infrastructure', the child elements are 
#               'service'
#
affected = element affected { attlist.affected, (package* | service*) }
attlist.affected &= empty
# Element:      package
# Description:  Provide all necessary information regarded the affected 
#               packages. It also contains information about the affected 
#               architectures, if automatic updates can be done and the update
# 
#               The "update" attribute contains the path to the non-vulnerable
#               version of the package
# 
#               The "auto" attribute contains either "yes" or "no" and tells 
#               Portage that the package can be updated automatically (to be 
#               implemented) without further user interaction
# 
#               The "arch" attribute contains either the architecture (as used
#               by ACCEPT_KEYWORDS) or the "*" value (in case all 
#               architectures are affected)
# 
# Occurrence:   The package element can occur 0, 1 or more times
# Example:      <package name="dev-libs/openssl" auto="yes" arch="*">
#                 <vulnerable range="lt">0.9.6k</vulnerable>
#                 <unaffected range="gt">0.9.6k</unaffected>
#               </package>
package =
  element package { attlist.package, (vulnerable | unaffected)* }
attlist.package &=
  attribute name { text },
  attribute auto { "yes" | "no" },
  attribute arch { text }
# Element:      vulnerable
# Description:  Version of the vulnerable package. Can be a range too
vulnerable = element vulnerable { attlist.vulnerable, text }
attlist.vulnerable &=
  attribute range {
    "le" | "lt" | "eq" | "gt" | "ge" | "rlt" | "rle" | "rgt" | "rge"
  },
  [ a:defaultValue = "*" ] attribute slot { text }?
# Element:      unaffected
# Description:  Version of the fixed (or unaffected) package. In case the 
#               package is superseded by another package, you need to
#               define that package using the "name" attribute.
# 
#               The r* range information is revision-specific. For instance, 
#               rge foo-1.2.3-r4  ==  >=foo-1.2.3-r4 && <foo-1.2.4
# 
# Example:
#               <unaffected range="gt" name="foobar">2.0.0</unaffected>
unaffected = element unaffected { attlist.unaffected, text }
attlist.unaffected &=
  attribute range {
    "le" | "lt" | "eq" | "gt" | "ge" | "rlt" | "rle" | "rgt" | "rge"
  },
  [ a:defaultValue = "*" ] attribute slot { text }?,
  attribute name { text }?
# Element:      service
# Description:  Provide information about the Gentoo services that are
#               affected by the security advisory. Portage must be able
#               to parse this information to make decisions (for instance, 
#               ignore an rsync server or a certain distfiles mirror).
# 
#               The type attribute can be one of "rsync", "web", "mirror".
# 
#               The fixed attribute (denoting if the problem has been solved)
#               can be one of "yes" or "no". If not used, the default value is
#               "no".
# 
# Occurrence:   The service element can occur 0, 1 or more times
# Example: <service type="rsync">rsync://rsync.someserver.tld/gentoo-portage</service>
service = element service { attlist.service, text }
attlist.service &=
  attribute type { "rsync" | "web" | "mirror" },
  attribute fixed { "yes" | "no" }?
# Element:      uri
# Description:  Link to the organisation involved in releasing the advisory
# Occurrence:   The uri element can occur 0, 1 or more times
# 
# Example:      <uri link="http://www.cert.org">CERT</uri>
uri = element uri { attlist.uri, text }
attlist.uri &= attribute link { text }?
# Element:      mail
# Description:  Mail address of the people involved in releasing the advisory
# Occurrence:   The mail element can occur 0, 1 or more times
# 
# Example:      <mail link="some@person.com">Some Person</mail>
mail = element mail { attlist.mail, text }
attlist.mail &= attribute link { text }
# Element:      p
# Description:  Plain text
# Occurrence:   The "p" element can occur 0, 1 or more times and can contain
#               links or addresses
# 
# Example:      <p>Please update your system</p>
p = element p { attlist.p, (text | mail | uri | b | i | br)* }
attlist.p &= empty
# Element:      code
# Description:  The code element contains text that should preserve whitespace
#               and is therefore useful for code listings or commands
# 
# Example:      <code>emerge sync</code>
code = element code { attlist.code, text }
attlist.code &= empty
# Element:      background
# Description:  Provides a background of the affected package(s)/service(s)
#               The background element contains only "<p>"s in which the text 
#               is placed
#
background = element background { attlist.background, (p | ul | ol)* }
attlist.background &= empty
# Element:      description
# Description:  Provides a description about the security issue
#               The description element contains only "<p>"s.
description =
  element description { attlist.description, (p | ul | ol | code)* }
attlist.description &= empty
# Element:      impact
# Description:  Provides information about the impact that the security issue 
#               can have
# 
#               The "impact" element contains only "<p>"s.
# 
#               The type element gives a short term, such as 
#               "Denial of Service", "Buffer Overflow", ...
#
impact = element impact { attlist.impact, (p | ul | ol)* }
attlist.impact &= attribute type { text }
# Element:      workaround
# Description:  Provides information about how the security issue can be 
#               (temporarily) resolved through a work-around
# 
#               The "workaround" element contains only "<p>"s and "<code>"s.
workaround =
  element workaround { attlist.workaround, (p | code | ul | ol)* }
attlist.workaround &= empty
# Element:      resolution
# Description:  Provides information about how the security issue can be 
#               resolved.
# 
#               The "resolution" element contains only "<p>"s and "<code>"s.
resolution =
  element resolution { attlist.resolution, (p | code | ul | ol)* }
attlist.resolution &= empty
# Element:      references
# Description:  Provides links to resources / references available online.
# 
#               The "reference" element contains only "<uri>"s.
references = element references { attlist.references, uri* }
attlist.references &= empty
# Element:      ul
# Description:  Add an unnumbered listing; can only contain <li>'s
ul = element ul { attlist.ul, li* }
attlist.ul &= empty
# Element:      ol
# Description:  Add a numbered listing; can only contain <li>'s
ol = element ol { attlist.ol, li* }
attlist.ol &= empty
# Element:      li
# Description:  Element of a listing 
# 
# Example:    <ul>
#               <li>This is element one</li>
#               <li>This is a second element</li>
#             </ul>
li = element li { attlist.li, text }
attlist.li &= empty
# Element:      b
# Description:  Bold text
# 
# Example:    <b>this is bold</b>
b = element b { attlist.b, text }
attlist.b &= empty
# Element:      i
# Description:  Input text (blue)
# 
# Example:      The user has to type in <i>ls</i> to see.
i = element i { attlist.i, text }
attlist.i &= empty
# Element:      br
# Description:  hard line break
# 
# Example:      And then: <br/> 
#               KABLAM!
br = element br { attlist.br, text }
attlist.br &= empty
# Element:      license
# Description:  Add license information
# 
# Example:      <license/>
license = element license { attlist.license, EMPTY }
attlist.license &= empty
# Element:      metadata
# Description:  Metadata information for GLSAMaker
# 
# Example:      <metadata tag="approved">Level 1</metadata>
# 
# On request of plasmaroo, metadata can contain all elements again. 
metadata = element metadata { attlist.metadata, (text | metadata)* }
attlist.metadata &=
  attribute tag { text },
  attribute revision { text }?,
  attribute author { text }?,
  attribute timestamp { text }?
EMPTY |= notAllowed
start = glsa