** Note that you must not put embargoed issues into this directory **

Process:

A. Each time Mitre sends out a CVE update

   1. Look through the list for anything that might affect a FC package.

   2. Add the CVE names to the FC file. Put a ** to come back to it later.
      So for example:

        CVE-1900-1245 ** php, fixed 4.5.9

   3. Mark it in status.txt too. And rhel5.txt and status-stacksv1.txt if
      appropriate. Again, just a note that you've seen it is enough; it can
      get properly triaged later.

B. Is FC affected by the CVE name?

   1. Did we ship an upstream version that wasn't affected?
   2. Did we ship a backported patch?
   3. Is it not a real vulnerability?

C. Each time a FC update comes out on the fedora-package-announce list

   1. Did the package move to a new upstream version? If so, are there any
      flaws listed for that package as "backported"? If so, did the new
      upstream version mean that the backported fix is no longer required?
      Update the file if so. Example:

        CVE-1900-1245 backport (php, fixed 4.5.9) [since FEDORA-1900-1]

      but php got upgraded now to version 4.6.0, so the line becomes

        CVE-1900-1245 version (php, fixed 4.5.9) [since FEDORA-1900-9, was backport since FEDORA-1900-1]

   2. Did any new issues get fixed by an upstream version or backported?
      Update the file if so:

        CVE-1900-1245 version (php, fixed 4.5.9) [since FEDORA-1900-1]
        CVE-1900-1245 backport (php, fixed 4.5.9) [since FEDORA-1900-2] x.patch

   3. Make sure we mark in the file since when it was fixed (name the FEDORA
      update) so we can go back to any point in time.

D. Any confusion or things that need more investigation (like when dealing
   with things that say "backport", where you need to make sure whether the
   new packages contain the backport or not): just mark as ** for someone
   to look at later.
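The steps in A and C above are mechanical enough to script. The following is an added example, not a tool from this directory: it parses status lines in the formats shown above, lists entries still marked ** (steps A.2 and D), and performs the C.1 rewrite of a "backport" entry to "version" once the package has moved to an upstream release at or above the fixed version. It assumes dotted numeric versions and takes the currently shipped version and the FEDORA update name as inputs.

```python
import re
from typing import Optional

# Matches the line formats used in the process notes above, e.g.
#   CVE-1900-1245 ** php, fixed 4.5.9
#   CVE-1900-1245 backport (php, fixed 4.5.9) [since FEDORA-1900-2] x.patch
# (regex is this example's own; it is not a parser from the audit directory)
LINE_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<status>\*\*|version|backport)\s+"
    r"\(?(?P<pkg>[\w.+-]+),\s*fixed\s+(?P<fixed>[\w.]+)\)?"
    r"(?:\s+\[(?P<since>[^\]]*)\])?"
    r"(?:\s+(?P<patch>\S+\.patch))?\s*$"
)

def parse_line(line: str) -> Optional[dict]:
    """Parse one status line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def version_tuple(v: str) -> tuple:
    """Assumption: dotted numeric versions only, e.g. 4.5.9 -> (4, 5, 9)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def untriaged(lines) -> list:
    """Steps A.2 / D: CVEs still marked ** that someone has to look at."""
    return [e["cve"] for e in map(parse_line, lines) if e and e["status"] == "**"]

def backport_to_version(line: str, shipped: dict, update: str) -> str:
    """Step C.1: if a 'backport' entry's package now ships an upstream version
    at or above the fixed version, rewrite it as 'version', naming the update
    that made the backport redundant and keeping the old 'since' for history.
    `shipped` maps package -> currently shipped upstream version (constructed
    input); `update` is the FEDORA-... update that shipped it."""
    e = parse_line(line)
    if e is None or e["status"] != "backport":
        return line
    current = shipped.get(e["pkg"])
    if current is None or version_tuple(current) < version_tuple(e["fixed"]):
        return line  # still relies on the backported patch; leave as is
    old_update = (e["since"] or "").replace("since ", "", 1)
    return (f"{e['cve']} version ({e['pkg']}, fixed {e['fixed']}) "
            f"[since {update}, was backport since {old_update}]")
```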