
Re: Source of the Notes of CVE id



On Tue, 15 Feb 2022 06:17:39 +0000
"P T, Sarath" <Sarath_PT@mentor.com> wrote:

> Hi Salvatore,
> 
> I have gone through the repository that you have shared with me and I
> found that the information is coming from "data/CVE/list". In the
> doc/security-team.d.o/security_tracker file I could see the process
> of how the CVEs are manipulated, how notes are prepared, and all. But
> can I know what criteria or process the maintainer uses to mark a
> CVE as "minor" or "medium"? For your information, I am giving below an
> example which I have taken from the
> doc/security-team.d.o/security_tracker file.
> 
> " If you are not sure about some decision (e.g., which package is
> affected) or triaging (e.g., bug severity) you can leave a TODO note
> for reviewing, explaining which aspect have to be reviewed. For
> example:
> 
>     CVE-2013-7295 (Tor before 0.2.4.20, when OpenSSL 1.x is used in ...)
>             - tor 0.2.4.20-1 (low)
>             [wheezy] - tor <no-dsa> (Minor issue)
> "
> Just wanted to know how the maintainer is tagging it as "(Minor issue)"
> in the notes section.

It's not the maintainer (as in upstream or Debian maintainer) doing the
tagging, it is a member of the Debian Security Team, using a triage
process.
https://www.debian.org/intro/organization

> Is there any process that we are following to do it like this? Hope
> you understood my query, and it will be very helpful if you can
> clarify this soon.

The triage process is an assessment of how each specific vulnerability
affects Debian, based on the information available at the time. This
includes all of the vulnerabilities marked as NOT-FOR-US - any
vulnerability which relates to software not packaged for Debian (or not
proposed as being packaged for Debian) is marked as an NFU. Most of the
time, nothing ever happens to those vulnerabilities within Debian. (If
you run a system with some additions to Debian, you may need to triage
every NFU yourself to find ones which are relevant to what has been
added, for example.)

Triage happens in git and changes update the
https://security-tracker.debian.org/tracker/

As the tracker notes:
"""The data in this tracker comes solely from the bug database
maintained by Debian's security team located in the security-tracker Git
repository."""

The data in the tracker is specific to Debian and how Debian
prioritises which vulnerabilities need to be fixed and with what level
of urgency. The notes do not imply anything about how any vulnerability
affects systems other than Debian.

When a CVE relates to a package, that package will be listed under the
CVE and a second assessment is made on how important it is for that CVE
to be fixed within Debian, from the perspective of users mainly. A
vulnerability which can be remotely exploited on a standard Debian
machine will tend to be the highest priority. A vulnerability which only
causes a crash of a command line tool - after a valid login has been
achieved - is one of the lowest.

The tracker is updated when maintainers upload packages containing
fixes for specific vulnerabilities.

These assessments are all made against the default build of the
binaries as provided by Debian. A vulnerability that relies on changing
configuration in a non-standard way or rebuilding the binary from source
to enable|disable some feature is not considered to be of high priority.

There are other points considered for some specific packages, but in
general, the notes only refer to how Debian views that vulnerability
and how quickly the fix may need to be applied within Debian. Those
assessments are made by the Debian Security Team - Debian maintainers
have an input after triage is complete. There are also teams who assess
how to address the vulnerability in older releases (oldstable & LTS).

-- 
Neil Williams
=============
Debian Developer
(ex-Mentor|Siemens)
https://linux.codehelp.co.uk/
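The reply above describes the layout of data/CVE/list: an unindented CVE header, an unqualified package line giving the fix version and severity, a [release]-qualified line such as the wheezy <no-dsa> entry, and NOT-FOR-US markers. As an added example (not code from this thread or from the security-tracker project), here is a small Python parser for that layout that also performs the local NFU triage the reply mentions; the CVE-2099-* ids, the package names and the rule that a [release] line overrides the unqualified line are assumptions for illustration.

```python
import re

# Constructed sample in the data/CVE/list layout. Only CVE-2013-7295 comes from
# the message above; the CVE-2099-* ids are placeholders, not real CVEs.
SAMPLE = """\
CVE-2013-7295 (Tor before 0.2.4.20, when OpenSSL 1.x is used in ...)
\t- tor 0.2.4.20-1 (low)
\t[wheezy] - tor <no-dsa> (Minor issue)
CVE-2099-0001 (placeholder: issue in a product Debian does not package)
\tNOT-FOR-US: ExampleProduct
CVE-2099-0002 (placeholder: issue in a packaged daemon)
\t- exampled 1.2-3 (high; bug #999999)
\t[bullseye] - exampled <not-affected> (Vulnerable code not present)
"""

HEADER = re.compile(r"^(CVE-\d{4}-\d{4,})(?:\s+\((.*)\))?\s*$")
# "[release] - pkg <version-or-tag> (severity; note)"; the "[release]" part is optional.
PKG = re.compile(r"^(?:\[(?P<release>[\w-]+)\]\s+)?-\s+(?P<pkg>\S+)\s+(?P<state>\S+)"
                 r"(?:\s+\((?P<note>.*)\))?$")

def parse_cve_list(text):
    """Parse data/CVE/list text into dicts: unindented CVE headers, indented detail lines."""
    entries = []
    for raw in filter(str.strip, text.splitlines()):      # skip blank lines
        if not raw[0].isspace():                          # unindented: new CVE header
            if m := HEADER.match(raw):
                entries.append({"cve": m.group(1), "description": m.group(2) or "",
                                "not_for_us": None, "packages": []})
        elif not entries:
            continue                                      # detail line before any header
        elif (line := raw.strip()).startswith("NOT-FOR-US:"):
            entries[-1]["not_for_us"] = line.split(":", 1)[1].strip()
        elif m := PKG.match(line):                        # 'line' was bound just above
            entries[-1]["packages"].append(m.groupdict())
    return entries

def local_nfu_hits(entries, local_software):
    """CVEs marked NOT-FOR-US whose product matches software you added on top of Debian."""
    wanted = [s.lower() for s in local_software]
    return [e["cve"] for e in entries
            if e["not_for_us"] and any(w in e["not_for_us"].lower() for w in wanted)]

def status_for_release(entry, release):
    """Simplification: a [release] line overrides the unqualified (unstable) line; the
    real tracker additionally compares package versions between suites."""
    specific = [p for p in entry["packages"] if p["release"] == release]
    generic = [p for p in entry["packages"] if p["release"] is None]
    return (specific or generic or [None])[0]
```

Running `local_nfu_hits(parse_cve_list(SAMPLE), ["ExampleProduct"])` is the "triage every NFU yourself" step from the reply, applied to a list of the software you have added locally.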
