@@ -370,3 +370,28 @@ Here's a patch that has been backported from an upstream commit::
include missing sys/file.h for LOCK_EX
Upstream-Status: Backport [https://github.com/systemd/systemd/commit/ac8db36cbc26694ee94beecc8dca208ec4b5fd45]
+
+CVE patches
+===========
+
+In order to have a better control of vulnerabilities, patches that fix CVEs must
+contain a ``CVE:`` tag. This tag list all CVEs fixed by the patch. If more than
+one CVE is fixed, separate them using spaces.
+
+CVE Examples
+------------
+
+This should be the header of patch that fixes :cve:`2015-8370` in GRUB2::
+
+ grub2: Fix CVE-2015-8370
+
+ [No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1286966
+
+ Back to 28; Grub2 Authentication
+
+ Two functions suffer from integer underflow fault; the grub_username_get() and grub_password_get()located in
+ grub-core/normal/auth.c and lib/crypto.c respectively. This can be exploited to obtain a Grub rescue shell.
+
+ Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/grub.git/commit/?id=451d80e52d851432e109771bb8febafca7a5f1f2]
+ CVE: CVE-2015-8370
+ Signed-off-by: Joe Developer <joe.developer@example.com>