1<!-- 2Vulnerability and eXposure Markup Language (VuXML) version 1.1. 3 4Namespace = http://www.vuxml.org/apps/vuxml-1 5 6This DTD module is identified by the PUBLIC and SYSTEM identifiers: 7 8PUBLIC "-//vuxml.org//ELEMENTS VuXML 1.1 Document Model//EN" 9SYSTEM "http://www.vuxml.org/dtd/vuxml-1/vuxml-model-11.mod" 10 11Copyright (c) 2004 Jacques A. Vidrine 12All rights reserved. 13 14Redistribution and use in source and binary forms, with or without 15modification, are permitted provided that the following conditions 16are met: 171. Redistributions of source code must retain the above copyright 18 notice, this list of conditions and the following disclaimer. 192. Redistributions in binary form must reproduce the above copyright 20 notice, this list of conditions and the following disclaimer in the 21 documentation and/or other materials provided with the distribution. 22 23THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 24ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 27FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33SUCH DAMAGE. 34--> 35<!-- 36The current version of VuXML is 1.1. The minor version number 37will be bumped for any non-incompatible changes that are 38made to the document model. Incompatible changes will be 39accompanied by a change in the major version number, as well 40as a change in the XML namespace. 41 42All previous versions of VuXML are valid VuXML 1.1 documents. 43--> 44<!ENTITY % vuxml.version.attrib "version (1.0|1.1) #IMPLIED" > 45 46<!-- namespace support --> 47<!ENTITY % vuxml.xmlns.attrib "%NS.decl.attrib;" > 48<!ENTITY % vuxml.Common.attrib "%vuxml.xmlns.attrib; id ID #IMPLIED" > 49 50<!-- Qualified names --> 51<!ENTITY % vuxml.vuxml.qname "%vuxml.pfx;vuxml" > 52<!ENTITY % vuxml.vuln.qname "%vuxml.pfx;vuln" > 53<!ENTITY % vuxml.cancelled.qname "%vuxml.pfx;cancelled" > 54<!ENTITY % vuxml.topic.qname "%vuxml.pfx;topic" > 55<!ENTITY % vuxml.affects.qname "%vuxml.pfx;affects" > 56<!ENTITY % vuxml.package.qname "%vuxml.pfx;package" > 57<!ENTITY % vuxml.system.qname "%vuxml.pfx;system" > 58<!ENTITY % vuxml.name.qname "%vuxml.pfx;name" > 59<!ENTITY % vuxml.range.qname "%vuxml.pfx;range" > 60<!ENTITY % vuxml.lt.qname "%vuxml.pfx;lt" > 61<!ENTITY % vuxml.le.qname "%vuxml.pfx;le" > 62<!ENTITY % vuxml.gt.qname "%vuxml.pfx;gt" > 63<!ENTITY % vuxml.ge.qname "%vuxml.pfx;ge" > 64<!ENTITY % vuxml.eq.qname "%vuxml.pfx;eq" > 65<!ENTITY % vuxml.description.qname "%vuxml.pfx;description" > 66<!ENTITY % vuxml.references.qname "%vuxml.pfx;references" > 67<!ENTITY % vuxml.url.qname "%vuxml.pfx;url" > 68<!ENTITY % vuxml.cvename.qname "%vuxml.pfx;cvename" > 69<!ENTITY % vuxml.freebsdsa.qname "%vuxml.pfx;freebsdsa" > 70<!ENTITY % vuxml.freebsdpr.qname "%vuxml.pfx;freebsdpr" > 71<!ENTITY % vuxml.bid.qname "%vuxml.pfx;bid" > 72<!ENTITY % vuxml.certsa.qname "%vuxml.pfx;certsa" > 73<!ENTITY % vuxml.certvu.qname "%vuxml.pfx;certvu" > 74<!ENTITY % vuxml.uscertsa.qname "%vuxml.pfx;uscertsa" > 75<!ENTITY % vuxml.uscertta.qname "%vuxml.pfx;uscertta" > 76<!ENTITY % vuxml.mlist.qname "%vuxml.pfx;mlist" > 77<!ENTITY % vuxml.dates.qname "%vuxml.pfx;dates" > 78<!ENTITY % vuxml.discovery.qname "%vuxml.pfx;discovery" > 79<!ENTITY % vuxml.entry.qname "%vuxml.pfx;entry" > 80<!ENTITY % vuxml.modified.qname "%vuxml.pfx;modified" > 81 82 83<!-- Elements and Structure --> 84 85<!-- 86The top level element is the `vuxml' element, 87which contains individual `vuln' entries. The optional 88`version' attribute specifies the document model in use. 89For the current version of VuXML, this should be 90 91 <vuxml version="1.1">...</vuxml> 92--> 93<!ELEMENT %vuxml.vuxml.qname; ( %vuxml.vuln.qname; )* > 94<!ATTLIST %vuxml.vuxml.qname; 95 %vuxml.version.attrib; 96 %vuxml.Common.attrib; 97> 98 99<!-- 100Each `vuln' element represents a single security 101vulnerability and is assigned a UUID as a unique key, which 102is given by the mandatory `vid' attribute in string format. 103 104Example. 105 106 <vuln vid="7cd910e7-327f-11d8-af8b-000a95c4d922"> 107 ... 108 </vuln> 109 110A given `vuln' element may represent either an active issue 111or a cancelled issue. Active `vuln's contain the full set 112of sub-elements (topic, affects, and so on). Cancelled `vuln's 113may contain only a single `cancelled' element. 114 115A `vuln' should be cancelled only when it was issued in error. 116--> 117<!ELEMENT %vuxml.vuln.qname; 118 ( ( %vuxml.topic.qname;, 119 %vuxml.affects.qname;, 120 %vuxml.description.qname;, 121 %vuxml.references.qname;, 122 %vuxml.dates.qname; ) | 123 %vuxml.cancelled.qname; ) 124> 125<!ATTLIST %vuxml.vuln.qname; 126 vid CDATA #REQUIRED 127 %vuxml.Common.attrib; 128> 129 130<!-- 131If a `vuln' is issued in error, it may be cancelled by replacing its 132content with a single `cancelled' element. The optional `superseded' 133attribute with a VuXML ID value may be used to indicate that another 134`vuln' entry replaced this one. 135 136Example. 137 138 <vuln vid="f1d20b27-835f-11d8-a41f-0020ed76ef5a"> 139 <cancelled superseded="1ed556e6-734f-11d8-868e-000347dd607f" /> 140 </vuln> 141--> 142<!ELEMENT %vuxml.cancelled.qname; EMPTY > 143<!ATTLIST %vuxml.cancelled.qname; 144 superseded CDATA #IMPLIED 145 %vuxml.Common.attrib; 146> 147 148<!-- 149A one-line description of the vulnerability. 150 151Example. 152 153 <topic>ElGamal sign+encrypt keys created by GnuPG can be 154 compromised</topic> 155--> 156<!ELEMENT %vuxml.topic.qname; ( #PCDATA ) > 157<!ATTLIST %vuxml.topic.qname; %vuxml.Common.attrib; > 158 159<!-- 160The `affects' element contains `package's and `system's that are 161impacted by the vulnerability. Each `package' element specifies the 162package `name's and `range's of versions which are impacted by the 163vulnerability. The `name' element contains a package name without 164version information, but including any suffixes, prefixes, or other 165adornments according to the package system. The `range' element 166contains `lt', `gt', `le', `ge', and/or `eq' attributes as appropriate 167to specify the affected versions. The version ranges given must not 168overlap. 169 170Example. If BIND versions 8.3.x before 8.3.7 and versions 1718.4.x before 8.4.3 are affected: 172 173 <package> 174 <name>bind</name> 175 <range><ge>8.3</ge><lt>8.3.7</lt></range> 176 <range><ge>8.4</ge><lt>8.4.3</lt></range> 177 </package> 178 179Example. The `normal' and `Japanese' versions of Mutt 1.5.4 180port revision 1 is affected. 181 182 <package> 183 <name>mutt</name> 184 <name>ja-mutt</name> 185 <range><eq>1.5.4_1</eg></range> 186 </package> 187 188The `system' element is identical to the `package' element, but 189specifies the impacted operating systems and versions instead. 190 191--> 192<!ELEMENT %vuxml.affects.qname; 193 ( %vuxml.package.qname; | 194 %vuxml.system.qname; )+ 195> 196<!ATTLIST %vuxml.affects.qname; %vuxml.Common.attrib; > 197 198<!ELEMENT %vuxml.package.qname; 199 ( ( %vuxml.name.qname; )+, 200 ( %vuxml.range.qname; )+ ) 201> 202<!ATTLIST %vuxml.package.qname; %vuxml.Common.attrib; > 203 204<!ELEMENT %vuxml.system.qname; 205 ( ( %vuxml.name.qname; )+, 206 ( %vuxml.range.qname; )+ ) 207> 208<!ATTLIST %vuxml.system.qname; %vuxml.Common.attrib; > 209 210<!ELEMENT %vuxml.name.qname; ( #PCDATA ) > 211<!ATTLIST %vuxml.name.qname; %vuxml.Common.attrib; > 212 213<!ELEMENT %vuxml.range.qname; 214 ( %vuxml.lt.qname; | 215 %vuxml.le.qname; | 216 %vuxml.eq.qname; | 217 ( %vuxml.gt.qname;, ( %vuxml.lt.qname; | %vuxml.le.qname; )? ) | 218 ( %vuxml.ge.qname;, ( %vuxml.lt.qname; | %vuxml.le.qname; )? ) ) 219> 220<!ATTLIST %vuxml.range.qname; %vuxml.Common.attrib; > 221 222<!ELEMENT %vuxml.lt.qname; ( #PCDATA ) > 223<!ATTLIST %vuxml.lt.qname; %vuxml.Common.attrib; > 224<!ELEMENT %vuxml.le.qname; ( #PCDATA ) > 225<!ATTLIST %vuxml.le.qname; %vuxml.Common.attrib; > 226<!ELEMENT %vuxml.gt.qname; ( #PCDATA ) > 227<!ATTLIST %vuxml.gt.qname; %vuxml.Common.attrib; > 228<!ELEMENT %vuxml.ge.qname; ( #PCDATA ) > 229<!ATTLIST %vuxml.ge.qname; %vuxml.Common.attrib; > 230<!ELEMENT %vuxml.eq.qname; ( #PCDATA ) > 231<!ATTLIST %vuxml.eq.qname; %vuxml.Common.attrib; > 232 233 234<!-- 235The `description' element contains XHTML markup explaining, 236at minimum, the vulnerability and its impact. Also 237encouraged are pre-requisites or specific configurations 238which are affected, and possible workarounds. References 239should not be mentioned here, but in the `references' 240element (see below). 241 242Exactly one XHTML `body' element must be present, and it 243must be valid XHTML Basic 1.0 as given in PUBLIC 244"-//W3C//DTD XHTML Basic 1.0//EN". Additionally, certain 245XHTML constructs are prohibited: <form>s, <param>s, and 246<object>s. 247 248--> 249<!ELEMENT %vuxml.description.qname; ( %body.qname; ) > 250<!ATTLIST %vuxml.description.qname; %vuxml.Common.attrib; > 251 252<!-- 253The `references' element must contain at least one item of 254the following: 255 256 url A URL. This resource type should only be 257 used when none of the others apply. 258 259 mlist An archived mailing list posting. The content is a URL, 260 and an optional `msgid' attribute may be supplied, e.g. 261 <mlist msgid="1078427980.4047814c1dfe5@webmail.uu.se">http://lists.netsys.com/pipermail/full-disclosure/2004-March/018290.html</mlist>. 262 263 cvename The CVE Name from MITRE's Common 264 Vulnerabilities and Exposures project, 265 e.g. <cvename>CAN-2003-0914</cvename>. 266 267 bid A SecurityFocus.com Bug ID, e.g. 268 <bid>1241</bid>. 269 270 certsa A US-CERT (formerly CERT/CC) security advisory, e.g. 271 <certsa>CA-2003-10</certsa>. 272 273 certvu A US-CERT (formerly CERT/CC) vulnerability note, e.g. 274 <certvu>734644</certvu>. 275 276 uscertsa A US-CERT Cyber Security Alert, e.g. 277 <uscertsa>SA04-026A</uscertsa>. 278 279 uscertta A US-CERT Technical Cyber Security Alert, e.g. 280 <uscertta>TA04-026A</uscertta>. 281 282 freebsdsa A FreeBSD security advisory, e.g. 283 <freebsdsa>SA-03:19.bind</freebsdsa>. 284 285 freebsdpr A FreeBSD problem report, e.g. 286 <freebsdpr>ports/64777</freebsdpr>. 287 288As many references as apply are encouraged. 289--> 290<!ELEMENT %vuxml.references.qname; 291 ( %vuxml.url.qname; | 292 %vuxml.cvename.qname; | 293 %vuxml.bid.qname; | 294 %vuxml.mlist.qname; | 295 %vuxml.certsa.qname; | 296 %vuxml.certvu.qname; | 297 %vuxml.uscertsa.qname; | 298 %vuxml.uscertta.qname; | 299 %vuxml.freebsdsa.qname; | 300 %vuxml.freebsdpr.qname; )+ 301> 302<!ATTLIST %vuxml.references.qname; %vuxml.Common.attrib; > 303 304<!ELEMENT %vuxml.url.qname; ( #PCDATA ) > 305<!ATTLIST %vuxml.url.qname; %vuxml.Common.attrib; > 306 307<!ELEMENT %vuxml.cvename.qname; ( #PCDATA ) > 308<!ATTLIST %vuxml.cvename.qname; %vuxml.Common.attrib; > 309 310<!ELEMENT %vuxml.mlist.qname; ( #PCDATA ) > 311<!ATTLIST %vuxml.mlist.qname; 312 msgid CDATA #IMPLIED 313 %vuxml.Common.attrib; 314> 315 316<!ELEMENT %vuxml.bid.qname; ( #PCDATA ) > 317<!ATTLIST %vuxml.bid.qname; %vuxml.Common.attrib; > 318 319<!ELEMENT %vuxml.certsa.qname; ( #PCDATA ) > 320<!ATTLIST %vuxml.certsa.qname; %vuxml.Common.attrib; > 321 322<!ELEMENT %vuxml.certvu.qname; ( #PCDATA ) > 323<!ATTLIST %vuxml.certvu.qname; %vuxml.Common.attrib; > 324 325<!ELEMENT %vuxml.uscertsa.qname; ( #PCDATA ) > 326<!ATTLIST %vuxml.uscertsa.qname; %vuxml.Common.attrib; > 327 328<!ELEMENT %vuxml.uscertta.qname; ( #PCDATA ) > 329<!ATTLIST %vuxml.uscertta.qname; %vuxml.Common.attrib; > 330 331<!ELEMENT %vuxml.freebsdsa.qname; ( #PCDATA ) > 332<!ATTLIST %vuxml.freebsdsa.qname; %vuxml.Common.attrib; > 333 334<!ELEMENT %vuxml.freebsdpr.qname; ( #PCDATA ) > 335<!ATTLIST %vuxml.freebsdpr.qname; %vuxml.Common.attrib; > 336 337<!-- 338Dates relevant to the vulnerability are recorded as part of 339the `dates' element: 340 341 discovery Day when first disclosed. 342 entry Day when added to this database. 343 modified Last day any information was changed. 344 345The `discovery' and `entry' elements are mandatory. The 346`modified' entry should only be present if information in 347the entry was changed after the `entry' date. 348 349The date format is YYYY-MM-DD. 350 351Example. A very old vulnerability, first disclosed in 2000, 352is added to the database on December 12, 2003. 353 354 <dates> 355 <discovery>2000-05-23</discovery> 356 <entry>2003-12-12</entry> 357 </dates> 358--> 359<!ELEMENT %vuxml.dates.qname; 360 ( %vuxml.discovery.qname;, 361 %vuxml.entry.qname;, 362 ( %vuxml.modified.qname; )? ) 363> 364<!ATTLIST %vuxml.dates.qname; %vuxml.Common.attrib; > 365 366<!ELEMENT %vuxml.discovery.qname; ( #PCDATA ) > 367<!ATTLIST %vuxml.discovery.qname; %vuxml.Common.attrib; > 368 369<!ELEMENT %vuxml.entry.qname; ( #PCDATA ) > 370<!ATTLIST %vuxml.entry.qname; %vuxml.Common.attrib; > 371 372<!ELEMENT %vuxml.modified.qname; ( #PCDATA ) > 373<!ATTLIST %vuxml.modified.qname; %vuxml.Common.attrib; > 374 375<!ENTITY % xhtml-basic-model.mod 376 PUBLIC "-//W3C//ENTITIES XHTML Basic 1.0 Document Model 1.0//EN" 377 "http://www.w3.org/TR/xhtml-basic/xhtml-basic10-model-1.mod" 378> 379%xhtml-basic-model.mod; 380