1<!--
2Vulnerability and eXposure Markup Language (VuXML) version 1.1.
3
4Namespace = http://www.vuxml.org/apps/vuxml-1
5
6This DTD module is identified by the PUBLIC and SYSTEM identifiers:
7
8PUBLIC "-//vuxml.org//ELEMENTS VuXML 1.1 Document Model//EN"
9SYSTEM "http://www.vuxml.org/dtd/vuxml-1/vuxml-model-11.mod"
10
11Copyright (c) 2004 Jacques A. Vidrine
12All rights reserved.
13
14Redistribution and use in source and binary forms, with or without
15modification, are permitted provided that the following conditions
16are met:
171. Redistributions of source code must retain the above copyright
18   notice, this list of conditions and the following disclaimer.
192. Redistributions in binary form must reproduce the above copyright
20   notice, this list of conditions and the following disclaimer in the
21   documentation and/or other materials provided with the distribution.
22
23THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33SUCH DAMAGE.
34-->
35<!--
36The current version of VuXML is 1.1.  The minor version number
37will be bumped for any non-incompatible changes that are
38made to the document model.  Incompatible changes will be
39accompanied by a change in the major version number, as well
40as a change in the XML namespace.
41
42All previous versions of VuXML are valid VuXML 1.1 documents.
43-->
44<!ENTITY % vuxml.version.attrib "version (1.0|1.1) #IMPLIED" >
45
46<!-- namespace support -->
47<!ENTITY % vuxml.xmlns.attrib  "%NS.decl.attrib;" >
48<!ENTITY % vuxml.Common.attrib "%vuxml.xmlns.attrib; id ID #IMPLIED" >
49
50<!-- Qualified names -->
51<!ENTITY % vuxml.vuxml.qname "%vuxml.pfx;vuxml" >
52<!ENTITY % vuxml.vuln.qname "%vuxml.pfx;vuln" >
53<!ENTITY % vuxml.cancelled.qname "%vuxml.pfx;cancelled" >
54<!ENTITY % vuxml.topic.qname "%vuxml.pfx;topic" >
55<!ENTITY % vuxml.affects.qname "%vuxml.pfx;affects" >
56<!ENTITY % vuxml.package.qname "%vuxml.pfx;package" >
57<!ENTITY % vuxml.system.qname "%vuxml.pfx;system" >
58<!ENTITY % vuxml.name.qname "%vuxml.pfx;name" >
59<!ENTITY % vuxml.range.qname "%vuxml.pfx;range" >
60<!ENTITY % vuxml.lt.qname "%vuxml.pfx;lt" >
61<!ENTITY % vuxml.le.qname "%vuxml.pfx;le" >
62<!ENTITY % vuxml.gt.qname "%vuxml.pfx;gt" >
63<!ENTITY % vuxml.ge.qname "%vuxml.pfx;ge" >
64<!ENTITY % vuxml.eq.qname "%vuxml.pfx;eq" >
65<!ENTITY % vuxml.description.qname "%vuxml.pfx;description" >
66<!ENTITY % vuxml.references.qname "%vuxml.pfx;references" >
67<!ENTITY % vuxml.url.qname "%vuxml.pfx;url" >
68<!ENTITY % vuxml.cvename.qname "%vuxml.pfx;cvename" >
69<!ENTITY % vuxml.freebsdsa.qname "%vuxml.pfx;freebsdsa" >
70<!ENTITY % vuxml.freebsdpr.qname "%vuxml.pfx;freebsdpr" >
71<!ENTITY % vuxml.bid.qname "%vuxml.pfx;bid" >
72<!ENTITY % vuxml.certsa.qname "%vuxml.pfx;certsa" >
73<!ENTITY % vuxml.certvu.qname "%vuxml.pfx;certvu" >
74<!ENTITY % vuxml.uscertsa.qname "%vuxml.pfx;uscertsa" >
75<!ENTITY % vuxml.uscertta.qname "%vuxml.pfx;uscertta" >
76<!ENTITY % vuxml.mlist.qname "%vuxml.pfx;mlist" >
77<!ENTITY % vuxml.dates.qname "%vuxml.pfx;dates" >
78<!ENTITY % vuxml.discovery.qname "%vuxml.pfx;discovery" >
79<!ENTITY % vuxml.entry.qname "%vuxml.pfx;entry" >
80<!ENTITY % vuxml.modified.qname "%vuxml.pfx;modified" >
81
82
83<!-- Elements and Structure -->
84
85<!--
86The top level element is the `vuxml' element,
87which contains individual `vuln' entries.  The optional
88`version' attribute specifies the document model in use.
89For the current version of VuXML, this should be
90
91    <vuxml version="1.1">...</vuxml>
92-->
93<!ELEMENT %vuxml.vuxml.qname; ( %vuxml.vuln.qname; )* >
94<!ATTLIST %vuxml.vuxml.qname;
95        %vuxml.version.attrib;
96        %vuxml.Common.attrib;
97>
98
99<!--
100Each `vuln' element represents a single security
101vulnerability and is assigned a UUID as a unique key, which
102is given by the mandatory `vid' attribute in string format.
103
104Example.
105
106    <vuln vid="7cd910e7-327f-11d8-af8b-000a95c4d922">
107      ...
108    </vuln>
109
110A given `vuln' element may represent either an active issue
111or a cancelled issue.  Active `vuln's contain the full set
112of sub-elements (topic, affects, and so on).  Cancelled `vuln's
113may contain only a single `cancelled' element.
114
115A `vuln' should be cancelled only when it was issued in error.
116-->
117<!ELEMENT %vuxml.vuln.qname;
118        ( ( %vuxml.topic.qname;,
119            %vuxml.affects.qname;,
120            %vuxml.description.qname;,
121            %vuxml.references.qname;,
122            %vuxml.dates.qname; ) |
123          %vuxml.cancelled.qname; )
124>
125<!ATTLIST %vuxml.vuln.qname;
126        vid CDATA #REQUIRED
127        %vuxml.Common.attrib;
128>
129
130<!--
131If a `vuln' is issued in error, it may be cancelled by replacing its
132content with a single `cancelled' element.  The optional `superseded'
133attribute with a VuXML ID value may be used to indicate that another
134`vuln' entry replaced this one.
135
136Example.
137
138  <vuln vid="f1d20b27-835f-11d8-a41f-0020ed76ef5a">
139    <cancelled superseded="1ed556e6-734f-11d8-868e-000347dd607f" />
140  </vuln>
141-->
142<!ELEMENT %vuxml.cancelled.qname; EMPTY >
143<!ATTLIST %vuxml.cancelled.qname;
144        superseded CDATA #IMPLIED
145        %vuxml.Common.attrib;
146>
147
148<!--
149A one-line description of the vulnerability.
150
151Example.
152
153    <topic>ElGamal sign+encrypt keys created by GnuPG can be
154      compromised</topic>
155-->
156<!ELEMENT %vuxml.topic.qname; ( #PCDATA ) >
157<!ATTLIST %vuxml.topic.qname; %vuxml.Common.attrib; >
158
159<!--
160The `affects' element contains `package's and `system's that are
161impacted by the vulnerability.  Each `package' element specifies the
162package `name's and `range's of versions which are impacted by the
163vulnerability.  The `name' element contains a package name without
164version information, but including any suffixes, prefixes, or other
165adornments according to the package system.  The `range' element
166contains `lt', `gt', `le', `ge', and/or `eq' attributes as appropriate
167to specify the affected versions.  The version ranges given must not
168overlap.
169
170Example.  If BIND versions 8.3.x before 8.3.7 and versions
1718.4.x before 8.4.3 are affected:
172
173      <package>
174        <name>bind</name>
175        <range><ge>8.3</ge><lt>8.3.7</lt></range>
176        <range><ge>8.4</ge><lt>8.4.3</lt></range>
177      </package>
178
179Example.  The `normal' and `Japanese' versions of Mutt 1.5.4
180port revision 1 is affected.
181
182    <package>
183      <name>mutt</name>
184      <name>ja-mutt</name>
185      <range><eq>1.5.4_1</eg></range>
186    </package>
187
188The `system' element is identical to the `package' element, but
189specifies the impacted operating systems and versions instead.
190
191-->
192<!ELEMENT %vuxml.affects.qname;
193        ( %vuxml.package.qname; |
194          %vuxml.system.qname; )+
195>
196<!ATTLIST %vuxml.affects.qname; %vuxml.Common.attrib; >
197
198<!ELEMENT %vuxml.package.qname;
199        ( ( %vuxml.name.qname; )+,
200          ( %vuxml.range.qname; )+ )
201>
202<!ATTLIST %vuxml.package.qname; %vuxml.Common.attrib; >
203
204<!ELEMENT %vuxml.system.qname;
205        ( ( %vuxml.name.qname; )+,
206          ( %vuxml.range.qname; )+ )
207>
208<!ATTLIST %vuxml.system.qname; %vuxml.Common.attrib; >
209
210<!ELEMENT %vuxml.name.qname; ( #PCDATA ) >
211<!ATTLIST %vuxml.name.qname; %vuxml.Common.attrib; >
212
213<!ELEMENT %vuxml.range.qname;
214        ( %vuxml.lt.qname; |
215          %vuxml.le.qname; |
216          %vuxml.eq.qname; |
217          ( %vuxml.gt.qname;, ( %vuxml.lt.qname; | %vuxml.le.qname; )? ) |
218          ( %vuxml.ge.qname;, ( %vuxml.lt.qname; | %vuxml.le.qname; )? ) )
219>
220<!ATTLIST %vuxml.range.qname; %vuxml.Common.attrib; >
221
222<!ELEMENT %vuxml.lt.qname; ( #PCDATA ) >
223<!ATTLIST %vuxml.lt.qname; %vuxml.Common.attrib; >
224<!ELEMENT %vuxml.le.qname; ( #PCDATA ) >
225<!ATTLIST %vuxml.le.qname; %vuxml.Common.attrib; >
226<!ELEMENT %vuxml.gt.qname; ( #PCDATA ) >
227<!ATTLIST %vuxml.gt.qname; %vuxml.Common.attrib; >
228<!ELEMENT %vuxml.ge.qname; ( #PCDATA ) >
229<!ATTLIST %vuxml.ge.qname; %vuxml.Common.attrib; >
230<!ELEMENT %vuxml.eq.qname; ( #PCDATA ) >
231<!ATTLIST %vuxml.eq.qname; %vuxml.Common.attrib; >
232
233
234<!--
235The `description' element contains XHTML markup explaining,
236at minimum, the vulnerability and its impact.  Also
237encouraged are pre-requisites or specific configurations
238which are affected, and possible workarounds.  References
239should not be mentioned here, but in the `references'
240element (see below).
241
242Exactly one XHTML `body' element must be present, and it
243must be valid XHTML Basic 1.0 as given in PUBLIC
244"-//W3C//DTD XHTML Basic 1.0//EN".  Additionally, certain
245XHTML constructs are prohibited: <form>s, <param>s, and
246<object>s.
247
248-->
249<!ELEMENT %vuxml.description.qname; ( %body.qname; ) >
250<!ATTLIST %vuxml.description.qname; %vuxml.Common.attrib; >
251
252<!--
253The `references' element must contain at least one item of
254the following:
255
256  url           A URL.  This resource type should only be
257                used when none of the others apply.
258
259  mlist         An archived mailing list posting.  The content is a URL,
260                and an optional `msgid' attribute may be supplied, e.g.
261                <mlist msgid="1078427980.4047814c1dfe5@webmail.uu.se">http://lists.netsys.com/pipermail/full-disclosure/2004-March/018290.html</mlist>.
262
263  cvename       The CVE Name from MITRE's Common
264                Vulnerabilities and Exposures project,
265                e.g. <cvename>CAN-2003-0914</cvename>.
266
267  bid           A SecurityFocus.com Bug ID, e.g.
268                <bid>1241</bid>.
269
270  certsa        A US-CERT (formerly CERT/CC) security advisory, e.g.
271                <certsa>CA-2003-10</certsa>.
272
273  certvu        A US-CERT (formerly CERT/CC) vulnerability note, e.g.
274                <certvu>734644</certvu>.
275
276  uscertsa      A US-CERT Cyber Security Alert, e.g.
277                <uscertsa>SA04-026A</uscertsa>.
278
279  uscertta      A US-CERT Technical Cyber Security Alert, e.g.
280                <uscertta>TA04-026A</uscertta>.
281
282  freebsdsa     A FreeBSD security advisory, e.g.
283                <freebsdsa>SA-03:19.bind</freebsdsa>.
284
285  freebsdpr     A FreeBSD problem report, e.g.
286                <freebsdpr>ports/64777</freebsdpr>.
287
288As many references as apply are encouraged.
289-->
290<!ELEMENT %vuxml.references.qname;
291        ( %vuxml.url.qname; |
292          %vuxml.cvename.qname; |
293          %vuxml.bid.qname; |
294          %vuxml.mlist.qname; |
295          %vuxml.certsa.qname; |
296          %vuxml.certvu.qname; |
297          %vuxml.uscertsa.qname; |
298          %vuxml.uscertta.qname; |
299          %vuxml.freebsdsa.qname; |
300          %vuxml.freebsdpr.qname; )+
301>
302<!ATTLIST %vuxml.references.qname; %vuxml.Common.attrib; >
303
304<!ELEMENT %vuxml.url.qname; ( #PCDATA ) >
305<!ATTLIST %vuxml.url.qname; %vuxml.Common.attrib; >
306
307<!ELEMENT %vuxml.cvename.qname; ( #PCDATA ) >
308<!ATTLIST %vuxml.cvename.qname; %vuxml.Common.attrib; >
309
310<!ELEMENT %vuxml.mlist.qname; ( #PCDATA ) >
311<!ATTLIST %vuxml.mlist.qname;
312        msgid CDATA #IMPLIED
313        %vuxml.Common.attrib;
314>
315
316<!ELEMENT %vuxml.bid.qname; ( #PCDATA ) >
317<!ATTLIST %vuxml.bid.qname; %vuxml.Common.attrib; >
318
319<!ELEMENT %vuxml.certsa.qname; ( #PCDATA ) >
320<!ATTLIST %vuxml.certsa.qname; %vuxml.Common.attrib; >
321
322<!ELEMENT %vuxml.certvu.qname; ( #PCDATA ) >
323<!ATTLIST %vuxml.certvu.qname; %vuxml.Common.attrib; >
324
325<!ELEMENT %vuxml.uscertsa.qname; ( #PCDATA ) >
326<!ATTLIST %vuxml.uscertsa.qname; %vuxml.Common.attrib; >
327
328<!ELEMENT %vuxml.uscertta.qname; ( #PCDATA ) >
329<!ATTLIST %vuxml.uscertta.qname; %vuxml.Common.attrib; >
330
331<!ELEMENT %vuxml.freebsdsa.qname; ( #PCDATA ) >
332<!ATTLIST %vuxml.freebsdsa.qname; %vuxml.Common.attrib; >
333
334<!ELEMENT %vuxml.freebsdpr.qname; ( #PCDATA ) >
335<!ATTLIST %vuxml.freebsdpr.qname; %vuxml.Common.attrib; >
336
337<!--
338Dates relevant to the vulnerability are recorded as part of
339the `dates' element:
340
341    discovery  Day when first disclosed.
342    entry      Day when added to this database.
343    modified   Last day any information was changed.
344
345The `discovery' and `entry' elements are mandatory.  The
346`modified' entry should only be present if information in
347the entry was changed after the `entry' date.
348
349The date format is YYYY-MM-DD.
350
351Example.  A very old vulnerability, first disclosed in 2000,
352is added to the database on December 12, 2003.
353
354    <dates>
355      <discovery>2000-05-23</discovery>
356      <entry>2003-12-12</entry>
357    </dates>
358-->
359<!ELEMENT %vuxml.dates.qname;
360        ( %vuxml.discovery.qname;,
361          %vuxml.entry.qname;,
362          ( %vuxml.modified.qname; )? )
363>
364<!ATTLIST %vuxml.dates.qname; %vuxml.Common.attrib; >
365
366<!ELEMENT %vuxml.discovery.qname; ( #PCDATA ) >
367<!ATTLIST %vuxml.discovery.qname; %vuxml.Common.attrib; >
368
369<!ELEMENT %vuxml.entry.qname; ( #PCDATA ) >
370<!ATTLIST %vuxml.entry.qname; %vuxml.Common.attrib; >
371
372<!ELEMENT %vuxml.modified.qname; ( #PCDATA ) >
373<!ATTLIST %vuxml.modified.qname; %vuxml.Common.attrib; >
374
375<!ENTITY % xhtml-basic-model.mod
376        PUBLIC "-//W3C//ENTITIES XHTML Basic 1.0 Document Model 1.0//EN"
377        "http://www.w3.org/TR/xhtml-basic/xhtml-basic10-model-1.mod"
378>
379%xhtml-basic-model.mod;
380