Re: [Secure-testing-commits] r7940 - data/CVE
* Thijs Kinkhorst:
>> Do we really want our users in unstable to think that they
>> are affected by a problem while we don't know it?
>
> We know of these issues that at least some Debian release is known to be
> affected. I think it is not good to wait until we have confirmed or
> disfirmed every Debian release until we add some item to a specific
> package. We often have a list of issues for a specific package of which we
> do not know of every suite whether it is affected or not, this can be
> added or updated later.
We also use the potential impact of issues to rate them, and do not
restrict ourselves to the confirmed impact. For instance, a heap-based
buffer overflow is usually deemed to be exploitable for code injection
even if we haven't got a copy of an exploit proving this. From a user
point of view, the misattribution to a non-vulnerable version has a
similar effect.
This might be a questionable policy, but virtually all the vendors who
do disclose security vulnerabilities seem to follow the potential impact
model (one of the latest high-profile converts was Cisco).
Reply to: