
Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?



> We look at the vulnerabilities and make an assessment.
> Cheers,
>         Moritz
>

1. If I understood correctly the contents of your reply, on what basis
does the Debian security team assess the severity of each security
vulnerability? What are those criteria?

2. Your latest reply implies strongly the possibility of the Debian
security team's assessments of security vulnerabilities differing from
those of the security teams of other popular Linux distros such as Gentoo,
Kali, ArchLinux, Ubuntu, etc. Am I correct?

As an example, ArchLinux issues a patch for a security vulnerability
CVE-2016-xyz with an NVD rating of medium risk. However, the Debian
security team does not issue a fix for it.

