1<!--
2Vulnerability and eXposure Markup Language (VuXML) version 1.0.
3
4Namespace = http://www.vuxml.org/apps/vuxml-1
5
6This DTD module is identified by the PUBLIC and SYSTEM identifiers:
7
8PUBLIC "-//vuxml.org//ELEMENTS VuXML 1.0 Document Model//EN"
9SYSTEM "http://www.vuxml.org/dtd/vuxml-1/vuxml-model-10.mod"
10
11Copyright (c) 2004 Jacques A. Vidrine
12All rights reserved.
13
14Redistribution and use in source and binary forms, with or without
15modification, are permitted provided that the following conditions
16are met:
171. Redistributions of source code must retain the above copyright
18   notice, this list of conditions and the following disclaimer.
192. Redistributions in binary form must reproduce the above copyright
20   notice, this list of conditions and the following disclaimer in the
21   documentation and/or other materials provided with the distribution.
22
23THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33SUCH DAMAGE.
34-->
<!--
Document model version.

VuXML is currently at version 1.0.  Backward-compatible changes to the
document model bump only the minor version number.  An incompatible
change bumps the major version number and also changes the XML
namespace.

The `version' attribute is declared #FIXED with this value, so a
validating parser reports an error for a document that states any
other version.
-->
<!ENTITY % vuxml.version        "1.0">
<!ENTITY % vuxml.version.attrib "version CDATA #FIXED '%vuxml.version;'">
44
<!--
Namespace support and the attributes shared by every element.

%NS.decl.attrib; is not declared in this module and must already be
defined when the module is read (presumably by the driver DTD; confirm).
The common attribute set adds an optional `id' attribute of type ID.
-->
<!ENTITY % vuxml.xmlns.attrib
  "%NS.decl.attrib;">
<!ENTITY % vuxml.Common.attrib
  "%vuxml.xmlns.attrib; id ID #IMPLIED">
48
<!--
Qualified names.  Each element name is the %vuxml.pfx; prefix followed
by the local name.  %vuxml.pfx; is not declared in this module and must
be defined before the module is read.
-->
<!ENTITY % vuxml.vuxml.qname        "%vuxml.pfx;vuxml">
<!ENTITY % vuxml.vuln.qname         "%vuxml.pfx;vuln">
<!ENTITY % vuxml.topic.qname        "%vuxml.pfx;topic">
<!ENTITY % vuxml.affects.qname      "%vuxml.pfx;affects">
<!ENTITY % vuxml.package.qname      "%vuxml.pfx;package">
<!ENTITY % vuxml.system.qname       "%vuxml.pfx;system">
<!ENTITY % vuxml.name.qname         "%vuxml.pfx;name">
<!ENTITY % vuxml.range.qname        "%vuxml.pfx;range">
<!ENTITY % vuxml.lt.qname           "%vuxml.pfx;lt">
<!ENTITY % vuxml.le.qname           "%vuxml.pfx;le">
<!ENTITY % vuxml.gt.qname           "%vuxml.pfx;gt">
<!ENTITY % vuxml.ge.qname           "%vuxml.pfx;ge">
<!ENTITY % vuxml.eq.qname           "%vuxml.pfx;eq">
<!ENTITY % vuxml.description.qname  "%vuxml.pfx;description">
<!ENTITY % vuxml.references.qname   "%vuxml.pfx;references">
<!ENTITY % vuxml.url.qname          "%vuxml.pfx;url">
<!ENTITY % vuxml.cvename.qname      "%vuxml.pfx;cvename">
<!ENTITY % vuxml.freebsdsa.qname    "%vuxml.pfx;freebsdsa">
<!ENTITY % vuxml.bid.qname          "%vuxml.pfx;bid">
<!ENTITY % vuxml.certsa.qname       "%vuxml.pfx;certsa">
<!ENTITY % vuxml.certvu.qname       "%vuxml.pfx;certvu">
<!ENTITY % vuxml.dates.qname        "%vuxml.pfx;dates">
<!ENTITY % vuxml.discovery.qname    "%vuxml.pfx;discovery">
<!ENTITY % vuxml.entry.qname        "%vuxml.pfx;entry">
<!ENTITY % vuxml.modified.qname     "%vuxml.pfx;modified">
75
76
77<!-- Elements and Structure -->
78
<!--
Root element.  `vuxml' holds zero or more `vuln' entries.  Its
`version' attribute names the document model in use; for the current
version of VuXML a document should read

    <vuxml version="1.0">...</vuxml>
-->
<!ELEMENT %vuxml.vuxml.qname; (%vuxml.vuln.qname;)*>
<!ATTLIST %vuxml.vuxml.qname; %vuxml.version.attrib; %vuxml.Common.attrib;>
92
<!--
A `vuln' element describes one security vulnerability.  Its key is a
UUID, written in string format in the mandatory `vid' attribute.

Example.

    <vuln vid="7cd910e7-327f-11d8-af8b-000a95c4d922">
      ...
    </vuln>

The children must appear in the order topic, affects, description,
references, dates, each exactly once.

`vid' is declared CDATA, so validation does not check that the value is
a well-formed UUID or that it is unique within the document.  Tools
that key on `vid' have to check both themselves.
-->
<!ELEMENT %vuxml.vuln.qname;
  ( %vuxml.topic.qname;
  , %vuxml.affects.qname;
  , %vuxml.description.qname;
  , %vuxml.references.qname;
  , %vuxml.dates.qname; )>
<!ATTLIST %vuxml.vuln.qname;
  vid CDATA #REQUIRED
  %vuxml.Common.attrib;>
115
<!--
`topic' is a one-line, text-only description of the vulnerability.

Example.

    <topic>ElGamal sign+encrypt keys created by GnuPG can be
      compromised</topic>
-->
<!ELEMENT %vuxml.topic.qname; (#PCDATA)>
<!ATTLIST %vuxml.topic.qname;
  %vuxml.Common.attrib;>
126
<!--
The `affects' element lists the `package's and `system's that are
impacted by the vulnerability; at least one of either is required.
Each `package' element gives the package `name's and the `range's of
versions that are impacted.  A `name' element holds a package name
without version information, but including any suffixes, prefixes, or
other adornments according to the package system.  A `range' element
holds `lt', `gt', `le', `ge', and/or `eq' child elements as appropriate
to specify the affected versions.  The version ranges given must not
overlap.

Example.  If BIND versions 8.3.x before 8.3.7 and versions
8.4.x before 8.4.3 are affected:

    <package>
      <name>bind</name>
      <range><ge>8.3</ge><lt>8.3.7</lt></range>
      <range><ge>8.4</ge><lt>8.4.3</lt></range>
    </package>

Example.  The `normal' and `japanese' versions of Mutt 1.5.4
port revision 1 are affected.

    <package>
      <name>mutt</name>
      <name>ja-mutt</name>
      <range><eq>1.5.4_1</eq></range>
    </package>

The `system' element is identical to the `package' element, but
specifies the impacted operating systems and versions instead.

The bounds are declared as plain #PCDATA, so validation checks neither
the version syntax nor the no-overlap rule.  Tools that match installed
versions against these ranges have to parse and compare the versions
themselves.
-->
<!ELEMENT %vuxml.affects.qname;
  ( %vuxml.package.qname; | %vuxml.system.qname; )+>
<!ATTLIST %vuxml.affects.qname;
  %vuxml.Common.attrib;>
165
<!--
`package' and `system' share one content model: one or more `name'
elements followed by one or more `range' elements.  `name' is text only.
-->
<!ELEMENT %vuxml.package.qname;
  ( (%vuxml.name.qname;)+, (%vuxml.range.qname;)+ )>
<!ATTLIST %vuxml.package.qname;
  %vuxml.Common.attrib;>

<!ELEMENT %vuxml.system.qname;
  ( (%vuxml.name.qname;)+, (%vuxml.range.qname;)+ )>
<!ATTLIST %vuxml.system.qname;
  %vuxml.Common.attrib;>

<!ELEMENT %vuxml.name.qname; (#PCDATA)>
<!ATTLIST %vuxml.name.qname;
  %vuxml.Common.attrib;>
180
<!--
A `range' is one of:
  an upper bound alone (`lt' or `le');
  an exact version (`eq');
  a lower bound (`gt' or `ge'), optionally followed by an upper bound
  (`lt' or `le').
Each bound element is text only.
-->
<!ELEMENT %vuxml.range.qname;
  ( %vuxml.lt.qname;
  | %vuxml.le.qname;
  | %vuxml.eq.qname;
  | ( %vuxml.gt.qname;, ( %vuxml.lt.qname; | %vuxml.le.qname; )? )
  | ( %vuxml.ge.qname;, ( %vuxml.lt.qname; | %vuxml.le.qname; )? ) )>
<!ATTLIST %vuxml.range.qname;
  %vuxml.Common.attrib;>

<!ELEMENT %vuxml.lt.qname; (#PCDATA)>
<!ATTLIST %vuxml.lt.qname;
  %vuxml.Common.attrib;>
<!ELEMENT %vuxml.le.qname; (#PCDATA)>
<!ATTLIST %vuxml.le.qname;
  %vuxml.Common.attrib;>
<!ELEMENT %vuxml.gt.qname; (#PCDATA)>
<!ATTLIST %vuxml.gt.qname;
  %vuxml.Common.attrib;>
<!ELEMENT %vuxml.ge.qname; (#PCDATA)>
<!ATTLIST %vuxml.ge.qname;
  %vuxml.Common.attrib;>
<!ELEMENT %vuxml.eq.qname; (#PCDATA)>
<!ATTLIST %vuxml.eq.qname;
  %vuxml.Common.attrib;>
200
201
<!--
The `description' element contains XHTML markup explaining, at
minimum, the vulnerability and its impact.  Pre-requisites or specific
configurations which are affected, and possible workarounds, are also
encouraged.  References should not be mentioned here, but in the
`references' element (see below).

Exactly one XHTML `body' element must be present, and it must be valid
XHTML Basic 1.0 as given in PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN".
Additionally, certain XHTML constructs are prohibited: <form>s,
<param>s, and <object>s.

NOTE(review): the declaration below only requires a single `body'
child; %body.qname; is declared outside this module.  Nothing visible
here removes forms, params or objects from the XHTML model, so that
prohibition is presumably enforced by the driver DTD; confirm.  A
consumer that renders the description as HTML should filter the markup
itself and not depend on DTD validation to keep those constructs out.
-->
<!ELEMENT %vuxml.description.qname; (%body.qname;)>
<!ATTLIST %vuxml.description.qname;
  %vuxml.Common.attrib;>
219
<!--
The `references' element must contain at least one item of
the following:

  url           A URL.  This resource type should only be
                used when none of the others apply.

  cvename       The CVE Name from Mitre's Common
                Vulnerabilities and Exposures project,
                e.g. <cvename>CAN-2003-0914</cvename>.

  bid           A SecurityFocus.com Bug ID, e.g.
                <bid>1241</bid>.

  certsa        A CERT/CC security advisory, e.g.
                <certsa>CERT-2003-10</certsa>.

  certvu        A CERT/CC vulnerability note, e.g.
                <certvu>734644</certvu>.

  freebsdsa     A FreeBSD security advisory, e.g.
                <freebsdsa>SA-03:19</freebsdsa>.

As many references as apply are encouraged.  Items may appear in any
order and any item may repeat.

Every item is declared as plain #PCDATA, so validation does not check
the form of a URL or identifier.  Consumers should validate these
values before turning them into links or lookups.
-->
<!ELEMENT %vuxml.references.qname;
  ( %vuxml.url.qname;
  | %vuxml.cvename.qname;
  | %vuxml.bid.qname;
  | %vuxml.certsa.qname;
  | %vuxml.certvu.qname;
  | %vuxml.freebsdsa.qname; )+>
<!ATTLIST %vuxml.references.qname;
  %vuxml.Common.attrib;>
254
<!-- Reference items: each is text only and takes the common attributes. -->
<!ELEMENT %vuxml.url.qname; (#PCDATA)>
<!ATTLIST %vuxml.url.qname;
  %vuxml.Common.attrib;>

<!ELEMENT %vuxml.cvename.qname; (#PCDATA)>
<!ATTLIST %vuxml.cvename.qname;
  %vuxml.Common.attrib;>

<!ELEMENT %vuxml.bid.qname; (#PCDATA)>
<!ATTLIST %vuxml.bid.qname;
  %vuxml.Common.attrib;>

<!ELEMENT %vuxml.certsa.qname; (#PCDATA)>
<!ATTLIST %vuxml.certsa.qname;
  %vuxml.Common.attrib;>

<!ELEMENT %vuxml.certvu.qname; (#PCDATA)>
<!ATTLIST %vuxml.certvu.qname;
  %vuxml.Common.attrib;>

<!ELEMENT %vuxml.freebsdsa.qname; (#PCDATA)>
<!ATTLIST %vuxml.freebsdsa.qname;
  %vuxml.Common.attrib;>
272
<!--
Dates relevant to the vulnerability are recorded as part of
the `dates' element:

    discovery  Day when first disclosed.
    entry      Day when added to this database.
    modified   Last day any information was changed.

The `discovery' and `entry' elements are mandatory and must appear in
that order.  The `modified' element should only be present if
information in the entry was changed after the `entry' date.

The date format is YYYY-MM-DD.  The date elements are declared as plain
#PCDATA, so validation does not enforce this format.

Example.  A very old vulnerability, first disclosed in 2000,
is added to the database on December 12, 2003.

    <dates>
      <discovery>2000-05-23</discovery>
      <entry>2003-12-12</entry>
    </dates>
-->
<!ELEMENT %vuxml.dates.qname;
  ( %vuxml.discovery.qname;
  , %vuxml.entry.qname;
  , (%vuxml.modified.qname;)? )>
<!ATTLIST %vuxml.dates.qname;
  %vuxml.Common.attrib;>
301
<!-- Date items: each is text only and takes the common attributes. -->
<!ELEMENT %vuxml.discovery.qname; (#PCDATA)>
<!ATTLIST %vuxml.discovery.qname;
  %vuxml.Common.attrib;>

<!ELEMENT %vuxml.entry.qname; (#PCDATA)>
<!ATTLIST %vuxml.entry.qname;
  %vuxml.Common.attrib;>

<!ELEMENT %vuxml.modified.qname; (#PCDATA)>
<!ATTLIST %vuxml.modified.qname;
  %vuxml.Common.attrib;>
310
<!--
Include the XHTML Basic 1.0 document model module by reference.
Presumably it supplies the content models for the `body' subtree used
inside `description'; confirm against the driver DTD.

The system identifier is a plain http:// URL.  A parser that loads
external entities will fetch it over the network unless the public
identifier is mapped locally, and the fetched text then becomes part of
the DTD.  When validating VuXML documents, resolve the public
identifier through a local XML catalog and keep network access disabled
in the parser.
-->
<!ENTITY % xhtml-basic-model.mod PUBLIC
  "-//W3C//ENTITIES XHTML Basic 1.0 Document Model 1.0//EN"
  "http://www.w3.org/TR/xhtml-basic/xhtml-basic10-model-1.mod">
%xhtml-basic-model.mod;
316