</para>
<para>
When closing security bugs include CVE numbers as well as the
-<literal>Closes: #<replaceable>nnnnn</replaceable></literal>
+<literal>Closes: #<replaceable>nnnnn</replaceable></literal>.
This is useful for the security team to track vulnerabilities. If an upload is
made to fix the bug before the advisory ID is known, it is encouraged to modify
the historical changelog entry with the next upload. Even in this case, please
<listitem>
<para>
Any fixed packages that you have prepared yourself (send only the
-<literal>.diff.gz</literal> and <literal>.dsc</literal> files and read <xref
+<filename>.diff.gz</filename> and <filename>.dsc</filename> files and read <xref
linkend="bug-security-building"/> first)
</para>
</listitem>