
Re: [Secure-testing-commits] r7940 - data/CVE



* Thijs Kinkhorst:

>> Do we really want our users in unstable to think that they
>> are affected by a problem while we don't know it?
>
> For these issues we know that at least some Debian release is
> affected. I think it is not good to wait until we have confirmed or
> disconfirmed every Debian release before we add an item to a specific
> package. We often have a list of issues for a specific package for which we
> do not know of every suite whether it is affected or not; this can be
> added or updated later.

We also use the potential impact of issues to rate them, and do not
restrict ourselves to the confirmed impact.  For instance, a heap-based
buffer overflow is usually deemed to be exploitable for code injection
even if we haven't got a copy of an exploit proving this.  From a user
point of view, the misattribution to a non-vulnerable version has a
similar effect.

This might be a questionable policy, but virtually all the vendors who
do disclose security vulnerabilities seem to follow the potential impact
model (one of the latest high-profile converts was Cisco).
