about summary refs log tree commit diff
path: root/advisories/README
diff options
context:
space:
mode:
Diffstat (limited to 'advisories/README')
-rw-r--r--advisories/README73
1 files changed, 73 insertions, 0 deletions
diff --git a/advisories/README b/advisories/README
new file mode 100644
index 0000000000..94e68b1350
--- /dev/null
+++ b/advisories/README
@@ -0,0 +1,73 @@
+GNU C Library Security Advisory Format
+======================================
+
+Security advisories in this directory follow a simple git commit log
+format, with a heading and free-format description augmented with tags
+to allow parsing key information.  References to code changes are
+specific to the glibc repository and follow a specific format:
+
+  Tag-name: <commit-ref> (release-version)
+
+The <commit-ref> indicates a specific commit in the repository.  The
+release-version indicates the publicly consumable release in which this
+commit is known to exist.  The release-version is derived from the
+git-describe format, (i.e. stripped out from glibc-2.34.NNN-gxxxx) and
+is of the form 2.34-NNN.  If the -NNN suffix is absent, it means that
+the change is in that release tarball, otherwise the change is on the
+release/2.YY/master branch and not in any released tarball.
+
+The following tags are currently being used:
+
+CVE-Id:
+This is the CVE-Id assigned under the CVE Program
+(https://www.cve.org/).
+
+Public-Date:
+The date this issue became publicly known.
+
+Vulnerable-Commit:
+The commit that introduced this vulnerability.  There could be multiple
+entries, one for each release branch in the glibc repository; the
+release-version portion of this tag should tell you which branch this is
+on.
+
+Fix-Commit:
+The commit that fixed this vulnerability.  There could be multiple
+entries for each release branch in the glibc repository, indicating that
+all of those commits contributed to fixing that issue in each of those
+branches.
+
+Adding an Advisory
+------------------
+
+An advisory for a CVE needs to be added on the master branch in two steps:
+
+1. Add the text of the advisory without any Fix-Commit tags along with
+   the fix for the CVE.  Add the Vulnerable-Commit tag, if applicable.
+   The advisories directory does not exist in release branches, so keep
+   the advisory text commit distinct from the code changes, to ease
+   backports.  Ask for the GLIBC-SA advisory number from the security
+   team.
+
+2. Finish all backports on release branches and then back on the msater
+   branch, add all commit refs to the advisory using the Fix-Commit
+   tags.  Don't bother adding the release-version subscript since the
+   next step will overwrite it.
+
+3. Run the process-advisories.sh script in the scripts directory on the
+   advisory:
+
+     scripts/process-advisories.sh update GLIBC-SA-YYYY-NNNN
+
+   (replace YYYY-NNNN with the actual advisory number).
+
+4. Verify the updated advisory and push the result.
+
+Getting a NEWS snippet from advisories
+--------------------------------------
+
+Run:
+
+  scripts/process-advisories.sh news
+
+and copy the content into the NEWS file.
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-06-11 23:51:29 +0000