[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: a question about BTS severities

Herbert Xu wrote:
> Joey Hess <joey@kitenet.net> wrote:
> > Herbert Xu wrote:
> >> 
> >> I disagree.  If a package causes a remote root exploit to be available, even
> >> if it's only in a very specific configuration, I would say that it is critical.
> > No, it's grave. All security bugs are grave, it's part of the definition of
> > that priority. And later in my message, I said:
> Actually, it should be critical if it's a root exploit.  Grave only includes
> those that only comprise the user's account.

Last I checked, root is a user. This is not a formal definition we're
working from, please use common sense. (Note: grave is a _higher_ priotity
than critical. Note also: root exploits tend to turn into user account
exploits as soon as the attacker wants them to.)

see shy jo

Reply to: