On Tue, 15 Feb 2022 08:18:12 +0000 Neil Williams <codehelp@debian.org> wrote:
> On Tue, 15 Feb 2022 06:17:39 +0000
> "P T, Sarath" <Sarath_PT@mentor.com> wrote:
>
> > Hi Salvatore,
> >
> > I have gone through the repository that you have shared with me and
> > I found that the information is coming from "data/CVE/list". Under
> > the doc/security-team.d.o/security_tracker file I could see the process
> > of how the CVEs are manipulated and the note preparations and all. But
> > can I know what criteria or process the maintainer uses to mark a
> > CVE as "minor" or "medium"? For your information, I am giving below an
> > example which I have taken from the
> > doc/security-team.d.o/security_tracker file.
> >
> > " If you are not sure about some decision (e.g., which package is
> > affected) or triaging (e.g., bug severity) you can leave a TODO note
> > for reviewing, explaining which aspect has to be reviewed. For
> > example:
> >
> > CVE-2013-7295 (Tor before 0.2.4.20, when OpenSSL 1.x is used in
> > ...)
> >         - tor 0.2.4.20-1 (low)
> >         [wheezy] - tor <no-dsa> (Minor issue)
> > "
> >
> > Just wanted to know how the maintainer is tagging it as "(Minor
> > issue)" in the note section.
>
> Specifically on this example, you snipped the relevant line:
>
>         TODO: review, severity. The exploitation scenario is too complicated.
>
> There are only 4 specific severity levels: unimportant, low, medium, or
> high, and these have guidelines on how each level is assigned:
> https://security-team.debian.org/security_tracker.html#severity-levels
>
> Vulnerability entries also have:
>
> package-specific tags: <no-dsa>, <unimportant>, <unfixed>, <undetermined>,
> <not-affected>, <itp> (or the version string containing the fix)
> distributions: [buster] [wheezy] etc.
> other tags: TODO, NOT-FOR-US, NOTE, RESERVED
>
> The specific severity of CVE-2013-7295 in this example is *low*, not
> medium, & there is no "minor" severity level. The TODO note is a request
> for someone else in the team to review the assessment.
"low" was set because, from the perspective of a user with this package
installed as-is from the Debian archive & using a standard Debian
configuration, the method to exploit the vulnerability is deemed to be too
complicated. How the vulnerability could be exploited with any other build
or configuration is outside the scope of the Debian Security Tracker.

"Minor issue" is a manual triage comment to summarise the effect of the
vulnerability on Debian, in this case, as the vulnerability affects the
Wheezy release.

CVE-2013-7295, from the example, has the <no-dsa> tag for Wheezy - no
security upload & announcement will be done by Debian for Wheezy - & it has
(low) severity (across all suites); it was fixed, in Debian, in the
specified version of the package.

All triage assessments can be updated by other members of the team and the
maintainers of the package in Debian also have input.

-- 
Neil Williams
=============
https://linux.codehelp.co.uk/
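As an added illustration (not part of the thread, and not the Debian security tracker's own tooling), the parser below reads one entry in the data/CVE/list layout discussed above and applies the distinction Neil draws: a parenthesised value is a severity only if it is one of the four levels, otherwise it is a triage comment such as "Minor issue". The regular expressions and dictionary field names are my own assumptions about the format; the sample entry is constructed from the thread's example with the snipped TODO line restored.

```python
import re
# Vocabulary from the thread: severity levels, package tags, note keywords.
SEVERITY_LEVELS = {"unimportant", "low", "medium", "high"}
PACKAGE_TAGS = {"no-dsa", "unimportant", "unfixed", "undetermined",
                "not-affected", "itp"}
NOTE_KEYWORDS = ("TODO", "NOTE", "NOT-FOR-US", "RESERVED")
HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s*(?:\((.*)\))?$")
# "- pkg version (severity)"  or  "[suite] - pkg <tag> (comment)"
PKG_RE = re.compile(
    r"^(?:\[(?P<suite>[a-z-]+)\]\s*)?-\s+(?P<pkg>\S+)\s+"
    r"(?:<(?P<tag>[a-z-]+)>|(?P<version>\S+))(?:\s+\((?P<paren>.*)\))?$")

def parse_entry(text: str) -> dict:
    """Parse one data/CVE/list entry: a CVE header plus indented sub-lines."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError(f"not a CVE header: {lines[0]!r}")
    entry = {"cve": m.group(1), "description": m.group(2) or "",
             "packages": [], "notes": [], "problems": []}
    for line in lines[1:]:
        if line.startswith(NOTE_KEYWORDS):   # free-form TODO:/NOTE: lines
            entry["notes"].append(line)
            continue
        pm = PKG_RE.match(line)
        if not pm:
            entry["problems"].append(f"unparsed line: {line!r}")
            continue
        tag, paren = pm.group("tag"), pm.group("paren")
        if tag and tag not in PACKAGE_TAGS:
            entry["problems"].append(f"unknown tag <{tag}>: {line!r}")
        # "(low)" names a severity level; "(Minor issue)" is only a comment.
        sev = paren.lower() if paren and paren.lower() in SEVERITY_LEVELS else None
        entry["packages"].append({
            "suite": pm.group("suite"),        # None = suite-less line
            "package": pm.group("pkg"), "version": pm.group("version"),
            "tag": tag, "severity": sev, "comment": None if sev else paren})
    return entry

def severity_of(entry: dict):
    """Severity is stated once, on the suite-less line, and applies to all suites."""
    return next((p["severity"] for p in entry["packages"]
                 if p["suite"] is None and p["severity"]), None)
# Constructed sample: the thread's example with the snipped TODO line restored.
SAMPLE_ENTRY = """\
CVE-2013-7295 (Tor before 0.2.4.20, when OpenSSL 1.x is used in ...)
\t- tor 0.2.4.20-1 (low)
\t[wheezy] - tor <no-dsa> (Minor issue)
\tTODO: review, severity. The exploitation scenario is too complicated.
"""
```

Running parse_entry(SAMPLE_ENTRY) yields severity "low" for all suites, a <no-dsa> tag with the comment "Minor issue" for wheezy, and the TODO line under notes; an unrecognised tag or an unparseable line is collected under problems rather than raising.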