public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] gentoo commit in xml/htdocs/security/en: coordinator_guide.xml
@ 2008-03-13 20:43 Matthias Geerdsen (vorlon)
From: Matthias Geerdsen (vorlon) @ 2008-03-13 20:43 UTC
  To: gentoo-commits

vorlon      08/03/13 20:43:45

  Modified:             coordinator_guide.xml
  Log:
  new links to glsacommit and packageview

Revision  Changes    Path
1.20                 xml/htdocs/security/en/coordinator_guide.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?rev=1.20&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?rev=1.20&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?r1=1.19&r2=1.20

Index: coordinator_guide.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/security/en/coordinator_guide.xml,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- coordinator_guide.xml	13 Feb 2008 12:28:53 -0000	1.19
+++ coordinator_guide.xml	13 Mar 2008 20:43:44 -0000	1.20
@@ -21,8 +21,8 @@
 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
 <license/>
 
-<version>0.8.5</version>
-<date>2008-02-13</date>
+<version>0.8.6</version>
+<date>2008-03-13</date>
 
 <chapter>
 <title>Prerequisites</title>
@@ -1157,7 +1157,7 @@
 <body>
 
 <ul>
-<li><uri link="http://dev.gentoo.org/~koon/packageview/">packageview</uri>
+<li><uri link="http://dev.gentoo.org/~falco/packageview/">packageview</uri>
     is a tool that will open packages.gentoo.org and Gentoo ViewCVS
     at the right place for a given category and package name. It helps to
     determine what keywords are needed and to track changes to a package.</li>
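Review bot: the new target in `+<li><uri link="http://dev.gentoo.org/~falco/packageview/">packageview</uri>` should be confirmed to resolve before committing; revision 1.21 later in this thread has to correct it again to `http://dev.gentoo.org/~vorlon/pv/`. Links into a developer's personal webspace (`~user/`) break whenever the tool moves; if packageview has a project or repository location, link that instead.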
@@ -1170,7 +1170,7 @@
 <body>
 
 <ul>
-<li><uri link="http://dev.gentoo.org/~koon/glsacommit.txt">glsacommit</uri>
+<li><uri link="http://dev.gentoo.org/~falco/glsacommit.txt">glsacommit</uri>
     is a bash function handling GLSA commit. It features ssh-agent keyadding,
     glsa-check conformity doublecheck and has "Are you sure" functions. Edit
     it to suit your needs and directory locations.</li>
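Review bot: glsacommit is described as a bash function that does ssh-agent key adding and commits GLSAs, and the reader is pointed at a plain-http download from a developer's personal webspace with no way to check what they are about to source. Publish a checksum or signature next to the file, or link a version-controlled location, so a coordinator can verify it before use. The `~koon` to `~falco` path change itself is fine.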



-- 
gentoo-commits@lists.gentoo.org mailing list


* [gentoo-commits] gentoo commit in xml/htdocs/security/en: coordinator_guide.xml
@ 2008-03-13 21:43 Matthias Geerdsen (vorlon)
From: Matthias Geerdsen (vorlon) @ 2008-03-13 21:43 UTC
  To: gentoo-commits

vorlon      08/03/13 21:43:57

  Modified:             coordinator_guide.xml
  Log:
  fixing packageview URL, really this time

Revision  Changes    Path
1.21                 xml/htdocs/security/en/coordinator_guide.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?rev=1.21&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?rev=1.21&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?r1=1.20&r2=1.21

Index: coordinator_guide.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/security/en/coordinator_guide.xml,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- coordinator_guide.xml	13 Mar 2008 20:43:44 -0000	1.20
+++ coordinator_guide.xml	13 Mar 2008 21:43:56 -0000	1.21
@@ -1157,7 +1157,7 @@
 <body>
 
 <ul>
-<li><uri link="http://dev.gentoo.org/~falco/packageview/">packageview</uri>
+<li><uri link="http://dev.gentoo.org/~vorlon/pv/">packageview</uri>
     is a tool that will open packages.gentoo.org and Gentoo ViewCVS
     at the right place for a given category and package name. It helps to
     determine what keywords are needed and to track changes to a package.</li>
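Review bot: unlike revision 1.20 just before it, this content change does not bump `<version>` or `<date>` in the guide header, so the published document gives no sign that it changed. The link text also still reads "packageview" while the path is now `~vorlon/pv/`; if the tool was renamed, update the text as well.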


* [gentoo-commits] gentoo commit in xml/htdocs/security/en: coordinator_guide.xml
@ 2009-04-14  1:34 Robert Buchholz (rbu)
From: Robert Buchholz (rbu) @ 2009-04-14  1:34 UTC
  To: gentoo-commits

rbu         09/04/14 01:34:21

  Modified:             coordinator_guide.xml
  Log:
  Add reference to SVN, and update how we handle bugs now.

Revision  Changes    Path
1.22                 xml/htdocs/security/en/coordinator_guide.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?rev=1.22&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?rev=1.22&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?r1=1.21&r2=1.22

Index: coordinator_guide.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/security/en/coordinator_guide.xml,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- coordinator_guide.xml	13 Mar 2008 21:43:56 -0000	1.21
+++ coordinator_guide.xml	14 Apr 2009 01:34:21 -0000	1.22
@@ -11,6 +11,9 @@
 <author title="Author">
   <mail link="vorlon@gentoo.org">Matthias Geerdsen</mail>
 </author>
+<author title="Author">
+  <mail link="rbu@gentoo.org">Robert Buchholz</mail>
+</author>
 
 <abstract>
 This document contains procedures, tips and tricks applying to the
@@ -21,8 +24,8 @@
 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
 <license/>
 
-<version>0.8.6</version>
-<date>2008-03-13</date>
+<version>0.8.7</version>
+<date>2008-04-14</date>
 
 <chapter>
 <title>Prerequisites</title>
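Review bot: the date is a year off: `+<date>2008-04-14</date>` should read `2009-04-14`, matching the commit timestamp in the `+++` header (14 Apr 2009). The version bump to 0.8.7 is fine.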
@@ -33,9 +36,9 @@
 <p>
 A certain number of accounts must be established before working as a GLSA
 coordinator. To draft GLSAs you must get a
-<uri link="https://dev.gentoo.org/glsamaker/">GLSAMaker</uri> account. To
+<uri link="https://glsamaker.gentoo.org:4433/">GLSAMaker</uri> account. To
 manage security bugs you need to have a
-<uri link="http://bugs.gentoo.org">Bugzilla</uri> account, which will be
+<uri link="https://bugs.gentoo.org">Bugzilla</uri> account, which will be
 upgraded to <c>editbugs</c> privileges. To send GLSA announcements you
 need to have a yourname@gentoo.org address (i.e. to be a Gentoo developer).
 This address should be allowed to send to gentoo-announce.
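Review bot: good to move both GLSAMaker and Bugzilla to https. The GLSAMaker link hard-codes a non-standard port (`https://glsamaker.gentoo.org:4433/`); if the service is also reachable on the default port or via redirect, prefer the plain hostname so the guide does not break when the port changes.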
@@ -58,9 +61,12 @@
 <p>
 You must create a GPG key for your yourname@gentoo.org email address. You
 can either create a specific key or add the gentoo.org address to an
-existing key. The key ID should be sent to devrel, and you should check
+existing key. The key ID should be <uri
+link="/proj/en/infrastructure/ldap.xml">set in the LDAP</uri>, and you
+should check
 that your name and key ID appears on the
-<uri link="http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml">developer
+<uri
+link="/proj/en/devrel/roll-call/userinfo.xml">developer
 list</uri>. It is very important that the key is published at least on
 the <uri link="http://subkeys.pgp.net:11371">subkeys.pgp.net</uri> keyserver.
 It can also be submitted on other keyservers.
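Review bot: the two new `<uri` opening tags are split across lines (`+<uri` / `+link="/proj/en/infrastructure/ldap.xml">`) while the rest of the document keeps `<uri link="...">` on one line; rejoin them for consistency. While here, the retained context `that your name and key ID appears on the` should read `appear`.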
@@ -198,11 +204,12 @@
 
 <p>
 Sometimes a bug is communicated to us under the promise we'll keep it secret
-until a public release. Restricted bugs have the "Gentoo Security" checkbox
+until a public release, usually known as the embargo date or coordinated release date.
+Restricted bugs have the "Gentoo Security" checkbox
 checked and therefore can only be accessed by Gentoo Security Team members.
 External people (package maintainer, arch testers, Release Engineering) may be
 added on a per-name basis, aliases should never be used (because they are too
-wide and won't allow bug comments).  
+wide and won't allow bug comments).
 </p>
 
 <p>
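Review bot: in `+until a public release, usually known as the embargo date or coordinated release date.` the appositive attaches to "public release" rather than to its date; suggest "until a public release date, usually called the embargo date or coordinated release date (CRD)". The abbreviation CRD is used unexplained in the bug title pattern later in this patch (`coordinator KEYWORD CRD`), so introducing it here would help.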
@@ -221,7 +228,7 @@
 that contain information that should be kept secret until an agreed-upon
 coordinated release date. No part of the bug (affected package name,
 description, proposed patch or whatever) should ever leak outside the bug.
-Patches should NOT be committed to portage CVS.
+Patches must NOT be committed to portage CVS.
 </p>
 
 <p>
@@ -264,7 +271,7 @@
 </tr>
 <tr>
 <ti>coordinator</ti>
-<ti>The nickname of the coordinator assigned to the bug</ti>
+<ti>The nickname of the coordinator assigned to the bug, optional</ti>
 <ti>koon</ti>
 </tr>
 </table>
@@ -553,7 +560,7 @@
 
 <p>
 Confidential bugs should be following this pattern: "RATING [status]
-coordinator / Release_date CLASSIFIED", where:
+coordinator KEYWORD CRD", where:
 </p>
 
 <table>
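Review bot: the new pattern `RATING [status] coordinator KEYWORD CRD` has two fields that make it ambiguous to read: "coordinator" is optional (per the table change in this patch) and the CRD example `2009-01-06 18:00 UTC` contains spaces, so the components are no longer separable on whitespace. Say what a title looks like when no coordinator is assigned, and consider a fixed delimiter around the CRD.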
@@ -574,18 +581,18 @@
 </tr>
 <tr>
 <ti>coordinator</ti>
-<ti>The nickname of the coordinator assigned to the bug</ti>
+<ti>The nickname of the coordinator assigned to the bug, optional</ti>
 <ti>koon</ti>
 </tr>
 <tr>
-<ti>Release_date</ti>
-<ti>The date of agreed-upon coordinated disclosure</ti>
-<ti>20050106</ti>
+<ti>KEYWORD</ti>
+<ti>The confidentiality level of the bug, can be CLASSIFIED, CONFIDENTIAL, SEMI-PUBLIC</ti>
+<ti>CLASSIFIED</ti>
 </tr>
 <tr>
-<ti>CLASSIFIED</ti>
-<ti>The optional CLASSIFIED flag for classified bugs</ti>
-<ti>CLASSIFIED</ti>
+<ti>CRD</ti>
+<ti>The coordinated release date for the bugs disclosure. If no time is given, assume 14:00 UTC.</ti>
+<ti>2009-01-06 18:00 UTC</ti>
 </tr>
 
 </table>
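Review bot: typo in `+<ti>The coordinated release date for the bugs disclosure. If no time is given, assume 14:00 UTC.</ti>`: "bug's". The KEYWORD row lists CLASSIFIED, CONFIDENTIAL and SEMI-PUBLIC without saying what each level means or who may be added to the bug under each; define or link them, since this is the field coordinators act on. The 14:00 UTC default belongs in the prose above the table too, not only in a cell.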
@@ -602,7 +609,7 @@
 <tr>
 <ti>preebuild</ti>
 <ti>Specific package maintainer has been called to prepare an ebuild which
-    should not be committed in the CVS tree</ti>
+    must not be committed in the CVS tree, but attached to the bug</ti>
 </tr>
 <tr>
 <ti>prestable</ti>
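Review bot: `+    must not be committed in the CVS tree, but attached to the bug</ti>` should read "to the CVS tree". Since the ebuild is attached to a restricted bug, it is worth stating that the attachment stays within that bug and is not to be published elsewhere until the CRD, consistent with the "No part of the bug ... should ever leak" sentence changed earlier in this patch.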
@@ -889,7 +896,7 @@
 maliciously crafted URL or playlist to achieve the same results.</ti>
 </tr>
 <tr>
-<ti>This exploit has two possible impacts. First, it may create new files in 
+<ti>This vulnerability has two possible impacts. First, it may create new files in 
 the user's home directory. Second, and far more serious, it may overwrite 
 existing files that the user has write permissions to. An attacker with some 
 knowledge of a user's home directory might be able to destroy important 
@@ -1098,7 +1105,7 @@
 <body>
 
 <p>
-An errata is published when we made a mistake otherwise it is an
+An erratum is published when we made a mistake otherwise it is an
 update. When policy warrants a republication these guidelines should be followed:
 </p>
 
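Review bot: `+An erratum is published when we made a mistake otherwise it is an` needs punctuation before "otherwise" (comma or semicolon) and reads better as "when we have made a mistake". The plural "errata" in the rest of the section is correct and should stay.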
@@ -1131,14 +1138,13 @@
 
 <p>
   For two complete errata email examples see <uri
-  link="http://archives.gentoo.org/gentoo-announce/msg_02598.xml">ERRATA:
+  link="http://archives.gentoo.org/gentoo-announce/msg_59c7b7e81a7acacb1cbde24ab708f07a.xml">ERRATA:
   [ GLSA 200409-14 ] Samba: Remote printing non-vulnerability</uri>
   (where there were no real vulnerability) and <uri
-  link="http://archives.gentoo.org/gentoo-announce/msg_02502.xml">ERRATA:
-  [ GLSA 200405-25 ] tla: Multiple vulnerabilities in included
-  libneon</uri> (where the problem was not correctly fixed in the
+  link="http://archives.gentoo.org/gentoo-announce/msg_e75f5d493fea7c6f718a850abd59598a.xml">ERRATA: [ GLSA 200801-09 ]
+      X.Org X server and Xfont library: Multiple vulnerabilities</uri> (where the problem was not correctly fixed in the
   initial version). For an update example see <uri
-  link="http://archives.gentoo.org/gentoo-announce/msg_02663.xml">UPDATE:
+  link="http://archives.gentoo.org/gentoo-announce/msg_0f18bca197c64b634db757a18d2ae492.xml">UPDATE:
   [ GLSA 200410-30 ] GPdf, KPDF, KOffice: Vulnerabilities in included
   xpdf</uri> (where the fix introduced another vulnerability).
 </p>
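Review bot: the new line `+      X.Org X server and Xfont library: Multiple vulnerabilities</uri> (where the problem was not correctly fixed in the` is indented six spaces where the surrounding block uses two, and is well over the line length of its neighbours; rewrap it. In the retained context, `(where there were no real vulnerability)` should read "was". Switching from the numeric `msg_02598.xml` URLs to the message-id form is the right move if the numeric ones no longer resolve.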
@@ -1178,5 +1184,19 @@
 
 </body>
 </section>
+<section>
+<title>Security Subversion repository</title>
+<body>
+
+<ul>
+<li>The <uri link="http://overlays.gentoo.org/proj/security/timeline">Security Subversion repository</uri>
+contains several tools to collaboratively assess whether we are affected by new CVE identifiers, and
+tools to determine target keywords. Most tools directly interact with Bugzilla, making manual
+copy-pasting unnecessary.
+</li>
+</ul>
+
+</body>
+</section>
 </chapter>
 </guide>
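Review bot: the link text "Security Subversion repository" points at `http://overlays.gentoo.org/proj/security/timeline`, which is a timeline view rather than the repository or a checkout URL; give the checkout (or browse root) URL so a coordinator can actually obtain the tools. A single `<li>` inside a `<ul>` reads better as a plain `<p>`. Since the tools "directly interact with Bugzilla" and restricted bugs are involved, the section should say how they authenticate and where the credentials are expected to be stored.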


* [gentoo-commits] gentoo commit in xml/htdocs/security/en: coordinator_guide.xml
@ 2009-05-09 15:02 Robert Buchholz (rbu)
From: Robert Buchholz (rbu) @ 2009-05-09 15:02 UTC
  To: gentoo-commits

rbu         09/05/09 15:02:58

  Modified:             coordinator_guide.xml
  Log:
  Correct link to bugtraq as noted by pacmac on IRC.

Revision  Changes    Path
1.23                 xml/htdocs/security/en/coordinator_guide.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?rev=1.23&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?rev=1.23&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?r1=1.22&r2=1.23

Index: coordinator_guide.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/security/en/coordinator_guide.xml,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- coordinator_guide.xml	14 Apr 2009 01:34:21 -0000	1.22
+++ coordinator_guide.xml	9 May 2009 15:02:58 -0000	1.23
@@ -24,8 +24,8 @@
 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
 <license/>
 
-<version>0.8.7</version>
-<date>2008-04-14</date>
+<version>0.8.8</version>
+<date>2008-05-09</date>
 
 <chapter>
 <title>Prerequisites</title>
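Review bot: `+<date>2008-05-09</date>` is a year off; the commit is dated 9 May 2009 per the `+++` header. The previous revision's `2008-04-14` carried the same error, so both should read 2009.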
@@ -111,7 +111,7 @@
   </tr>
   <tr>
      <ti>bugtraq@securityfocus.com</ti>
-     <ti><uri>http://www.securityfocus.com/subscribe</uri></ti>
+     <ti><uri>http://www.securityfocus.com/archive</uri></ti>
   </tr>
   <tr>
      <ti>full-disclosure@lists.grok.org.uk</ti>


* [gentoo-commits] gentoo commit in xml/htdocs/security/en: coordinator_guide.xml
@ 2009-10-01 12:49 Tobias Heinlein (keytoaster)
From: Tobias Heinlein (keytoaster) @ 2009-10-01 12:49 UTC
  To: gentoo-commits

keytoaster    09/10/01 12:49:26

  Modified:             coordinator_guide.xml
  Log:
  Adding a sentence on STABLEREQ as requested by volkmar and craig, bug 283324

Revision  Changes    Path
1.24                 xml/htdocs/security/en/coordinator_guide.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?rev=1.24&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?rev=1.24&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?r1=1.23&r2=1.24

Index: coordinator_guide.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/security/en/coordinator_guide.xml,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- coordinator_guide.xml	9 May 2009 15:02:58 -0000	1.23
+++ coordinator_guide.xml	1 Oct 2009 12:49:25 -0000	1.24
@@ -501,13 +501,14 @@
 <p>
 Once determined (and noted for reference on the bug) the needed KEYWORDS,
 you should Cc: arch teams and ask them to mark the ebuild stable or ~
-accordingly. The arches alias are archname@gentoo.org (x86@gentoo.org,
-ppc@gentoo.org...). All arches (including "unsupported" arches) must be
-called. But note that only "supported" arches (as defined in the policy) are
-needed before the bug can advance to [glsa] status. You should periodically
-check for new keywords in the ebuild, as sometimes they are changed without
-a comment in the bug. As soon as the required KEYWORDS
-are in the bug for all supported arches, the bug enters [glsa] status.
+accordingly. To make sure that the arch teams will pick the bug up, don't forget
+to add "STABLEREQ" to the bug's "Keywords" field. The arches alias are
+archname@gentoo.org (x86@gentoo.org, ppc@gentoo.org...). All arches (including
+"unsupported" arches) must be called. But note that only "supported" arches (as
+defined in the policy) are needed before the bug can advance to [glsa] status
+You should periodically check for new keywords in the ebuild, as sometimes they
+are changed without a comment in the bug. As soon as the required KEYWORDS
+are in the ebuild for all supported arches, the bug enters [glsa] status.
 </p>
 
 <p>
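Review bot: missing full stop at the end of `+defined in the policy) are needed before the bug can advance to [glsa] status` before "You should periodically". Also `+archname@gentoo.org (x86@gentoo.org, ppc@gentoo.org...). All arches (including` is preceded by "The arches alias are", which should be "The arch aliases are". The change of the last sentence from "in the bug" to "in the ebuild" is the right check given the warning that keywords sometimes change without a bug comment.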


* [gentoo-commits] gentoo commit in xml/htdocs/security/en: coordinator_guide.xml
@ 2009-10-30 10:31 Alex Legler (a3li)
From: Alex Legler (a3li) @ 2009-10-30 10:31 UTC
  To: gentoo-commits

a3li        09/10/30 10:31:52

  Modified:             coordinator_guide.xml
  Log:
  Improve wording for ebuild+ status

Revision  Changes    Path
1.25                 xml/htdocs/security/en/coordinator_guide.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?rev=1.25&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?rev=1.25&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?r1=1.24&r2=1.25

Index: coordinator_guide.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/security/en/coordinator_guide.xml,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- coordinator_guide.xml	1 Oct 2009 12:49:25 -0000	1.24
+++ coordinator_guide.xml	30 Oct 2009 10:31:52 -0000	1.25
@@ -437,11 +437,11 @@
 </p>
 
 <p>
-If the maintainer doesn't show up, we enter [ebuild+] status. In cases of fix
-version, you should test if a simple version bump (renaming the ebuild to the
-latest version and emerging it) works. In cases of patch, you should test if
-it applies cleanly. Then you should find a security bug wrangler with x86
-commit rights to do the bump and mark the ebuild ~ for testing.
+If the maintainer doesn't show up, we enter [ebuild+] status. In case a fixed
+version is available, you should test if a simple version bump (renaming the 
+ebuild to the version and emerging it) works. If only a patch is available, you
+should test if it applies cleanly. Then you should find a security bug wrangler
+with x86 commit rights to do the bump and mark the ebuild ~ for testing.
 </p>
 
 <p>
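Review bot: `+version is available, you should test if a simple version bump (renaming the ` has trailing whitespace. The rewording also dropped the qualifier from the removed "renaming the ebuild to the latest version"; "renaming the ebuild to the version" is now ambiguous, so say "to the fixed version".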


* [gentoo-commits] gentoo commit in xml/htdocs/security/en: coordinator_guide.xml
@ 2013-03-24 19:15 Tobias Heinlein (keytoaster)
From: Tobias Heinlein (keytoaster) @ 2013-03-24 19:15 UTC
  To: gentoo-commits

keytoaster    13/03/24 19:15:57

  Modified:             coordinator_guide.xml
  Log:
  Changes to better reflect our current process.

Revision  Changes    Path
1.27                 xml/htdocs/security/en/coordinator_guide.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/coordinator_guide.xml?rev=1.27&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/coordinator_guide.xml?rev=1.27&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en/coordinator_guide.xml?r1=1.26&r2=1.27

Index: coordinator_guide.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/security/en/coordinator_guide.xml,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- coordinator_guide.xml	15 May 2011 19:38:51 -0000	1.26
+++ coordinator_guide.xml	24 Mar 2013 19:15:57 -0000	1.27
@@ -1,6 +1,6 @@
 <?xml version='1.0' encoding="UTF-8"?>
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<guide link="/security/en/coordinator_guide.xml">
+<guide>
 <title>GLSA Coordinator Guide</title>
 <author title="Author">
   <mail link="koon@gentoo.org">Thierry Carrez</mail>
@@ -27,8 +27,8 @@
 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
 <license/>
 
-<version>0.9</version>
-<date>2011-05-15</date>
+<version>0.10</version>
+<date>2012-02-27</date>
 
 <chapter>
 <title>Prerequisites</title>
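Review bot: `+<date>2012-02-27</date>` does not match the commit date of 24 Mar 2013 in the `+++` header; if the change was drafted in 2012 and committed later, the header date should still be the publication date.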
@@ -688,24 +688,24 @@
 
 <p>
 The title must be short (&lt; 60 characters in most cases) and have the application
-name (not category) in front. It should allow to clearly identify the
-vulnerability, without getting into any details. Version should be left out,
-except in rare cases where it allows to identify the package more clearly.
-Multiple affected packages should be separated by a comma. Examples include:
+name (not category) in front. It should clearly identify the impact, without 
+getting into any details. Version should be left out, except in rare cases where 
+it allows to identify the package more clearly. Multiple affected packages 
+should be separated by a comma. Examples include:
 </p>
 
 <table>
 <tr>
-<ti>MySQL: Insecure temporary file creation</ti>
+<ti>MySQL: Data loss</ti>
 </tr>
 <tr>
-<ti>Exim: verify=header_syntax buffer overflow</ti>
+<ti>Exim: Denial of Service</ti>
 </tr>
 <tr>
-<ti>Apache 1.3: Heap overflow in mod_redirect</ti>
+<ti>Apache 1.3: Arbitrary code execution</ti>
 </tr>
 <tr>
-<ti>MPlayer, xine-lib: Vulnerabilities in RTSP stream handling</ti>
+<ti>MPlayer, xine-lib: Multiple vulnerabilities</ti>
 </tr>
 </table>
 
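Review bot: the three new prose lines (`+name (not category) in front. It should clearly identify the impact, without ` and the two below it) carry trailing whitespace. The retained "where it allows to identify the package" is not idiomatic; "where it helps identify". The new examples (`MySQL: Data loss`, `Exim: Denial of Service`) deliberately drop the flaw type that the old titles carried; a sentence noting that the specifics now live only in the Description and Impact sections would make the intent clear to readers who scan announcement titles.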
@@ -786,7 +786,7 @@
 You should use multiple entries for different arches if the version
 description is different from arch to arch.
 The "Auto" field must be set to true if the package is upgradeable
-by emerge. For the version fields, there are multiple cases.
+by emerge. 
 </p>
 
 <impo>
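Review bot: `+by emerge. ` leaves trailing whitespace; trim it. Moving "For the version fields, there are multiple cases" below the `<impo>` is fine as long as the next hunk reinserts it, which it does.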
@@ -796,13 +796,15 @@
 </impo>
 
 <p>
+For version fields, there are multiple cases:
+</p>
+
+<p>
 The simple case is when the vulnerability is present in all old versions,
 and is fixed in all versions newer than a specific fix version. In this case,
-you should use "&gt;= first fixed version" as unaffected and "&lt;= last
-affected version" as vulnerable. You should double-check that there was no
-ebuild between the last affected version and the first fixed version. When in
-doubt, you should use "&gt;= first fixed version" as unaffected and "&lt; first
-fix version" as vulnerable.
+you should use "&gt;= first fixed version" as unaffected and "&lt; first
+fixed version" as vulnerable. You should double-check that there was no
+ebuild between the last affected version and the first fixed version.
 </p>
 
 <p>
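Review bot: with the vulnerable range now `&lt; first fixed version`, the retained sentence "You should double-check that there was no ebuild between the last affected version and the first fixed version" has lost its motivation (such an ebuild is now covered as vulnerable). Say what the coordinator should do if one exists, for example confirm it is really affected or list it as unaffected. The reinserted `+For version fields, there are multiple cases:` paragraph restores the sentence removed from the previous hunk, which is fine.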
@@ -828,12 +830,36 @@
 </table>
 
 <p>
+Another complex case is when the vulnerability is present in multiple slots for 
+a package. For example, a package may have versions 1.5.x as SLOT="0" and 
+versions 1.2.x as SLOT="1.2". If a vulnerability exists in 1.5.8 and 1.2.46 and 
+was fixed in 1.5.9 and 1.2.47, the unaffected and vulnerable versions would look 
+like this: 
+</p>
+
+<table>
+<tr>
+<th>Unaffected</th>
+<th>Vulnerable</th>
+</tr>
+<tr>
+<ti>&gt;=1.5.9 *&gt;=1.2.47</ti>
+<ti>&lt;1.5.9</ti>
+</tr>
+</table>
+
+<impo>
+Some slotted packages require that the GLSA's Unaffected packages section be 
+updated when a new version of a slot is released.
+</impo>
+
+<p>
 Finally, when the package has no fixed version, you should omit the
 "Unaffected" entry for that package and set "Auto" to "no".
 </p>
 
 <impo>
-When the fix versions are complex, you should double-check that the XML and
+When the fixed versions are complex, you should double-check that the XML and
 TXT versions of the GLSA list your versions correctly.
 </impo>
 
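Review bot: the slot example's Vulnerable cell shows only `&lt;1.5.9` while Unaffected lists both `&gt;=1.5.9 *&gt;=1.2.47`. This is correct, because every 1.2.x version is also below 1.5.9, but the text should say so and explain the `*` slot-restriction prefix; otherwise readers will add `*&lt;1.2.47` to the Vulnerable column. Several of the new lines (`+Another complex case is when the vulnerability is present in multiple slots for `, `+like this: `) carry trailing whitespace.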
@@ -903,7 +929,8 @@
 
 <p>
 The Impact section describes the global impact of the vulnerabilities described
-in the Description section, when exploited. It should focus on the maximum risk.
+in the Description section, when exploited. It should focus on the maximum risk. 
+Multiple impacts should be listed from highest to lowest severity.
 Good examples:
 </p>
 
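Review bot: `+in the Description section, when exploited. It should focus on the maximum risk. ` has trailing whitespace. The added "Multiple impacts should be listed from highest to lowest severity" is a useful rule; consider stating what counts as highest (e.g. remote code execution before denial of service) so the ordering is applied consistently.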
