
Re: Source of the Notes of CVE id



On Tue, 15 Feb 2022 08:18:12 +0000
Neil Williams <codehelp@debian.org> wrote:

> On Tue, 15 Feb 2022 06:17:39 +0000
> "P T, Sarath" <Sarath_PT@mentor.com> wrote:
> 
> > Hi Salvatore,
> > 
> > I have gone through the repository that you have shared with me and
> > I found that the information is coming from "data/CVE/list". Under the
> > doc/security-team.d.o/security_tracker file I could see the process
> > for how the CVEs are manipulated and note preparation and all. But
> > can I know what criteria or process the maintainer uses to mark a
> > CVE as "minor" or "medium"? For your information I am giving below an
> > example which I have taken from the
> > doc/security-team.d.o/security_tracker file.
> > 
> > " If you are not sure about some decision (e.g., which package is
> > affected) or triaging (e.g., bug severity) you can leave a TODO note
> > for reviewing, explaining which aspect have to be reviewed. For
> > example:
> > 
> >     CVE-2013-7295 (Tor before 0.2.4.20, when OpenSSL 1.x is used in
> > ...)
> >             - tor 0.2.4.20-1 (low)
> >             [wheezy] - tor <no-dsa> (Minor issue)
> > "
> > Just wanted to know how the maintainer is tagging it as "(Minor
> > issue)" in the note section.
> 

Specifically on this example, you snipped the relevant line:
            TODO: review, severity. The exploitation scenario is too
            complicated.

There are only 4 specific severity levels: unimportant, low, medium, or
high and these have guidelines on how each level is assigned:
https://security-team.debian.org/security_tracker.html#severity-levels

Vulnerability entries also have:

package-specific tags - <no-dsa>, <unimportant> <unfixed> <undetermined>
    <not-affected> <itp> (or the version string containing the fix)

distributions: [buster] [wheezy] etc.

other tags: TODO , NOT-FOR-US , NOTE , RESERVED

The specific severity of CVE-2013-7295 in this example is *low*, not
medium & there is no "minor" severity level. The TODO note is a request
for someone else in the team to review the assessment. "low" was set
because, from the perspective of a user with this package installed
as-is from the Debian archive & using a standard Debian configuration,
the method to exploit the vulnerability is deemed to be too
complicated. How the vulnerability could be exploited with any other
build or configuration is outside the scope of the Debian Security
Tracker.

"Minor issue" is a manual triage comment to summarise the effect of the
vulnerability on Debian, in this case, as the vulnerability affects the
Wheezy release.

CVE-2013-7295, from the example, has the <no-dsa> tag for Wheezy - no
security upload & announcement will be done by Debian for Wheezy & it
has (low) severity (across all suites), it was fixed, in Debian, in the
specified version of the package.

All triage assessments can be updated by other members of the team and
the maintainers of the package in Debian also have input.

-- 
Neil Williams
=============
https://linux.codehelp.co.uk/
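As an added example (my own code, not the Debian security tracker's own parser and not something either poster sent), here is a small Python parser for entries laid out the way the reply describes data/CVE/list: a CVE header line, indented package lines with an optional [suite] prefix, a fixed version or a <tag>, and a parenthesised value that is either one of the four severity levels or a free-form triage comment such as "Minor issue", plus TODO/NOTE/NOT-FOR-US/RESERVED lines. The grammar is reconstructed from the message, so it is an assumption about the real file; the names PackageLine, CVEEntry and effective_severity are this example's own, the second entry with id CVE-0000-0000 is a constructed placeholder, and both tab and space indentation are accepted. It shows concretely why "(Minor issue)" is not a severity and why Wheezy inherits the "(low)" of the all-suites line.

```python
"""Parser for the data/CVE/list entry layout described in the thread.

Added example: the grammar is reconstructed from the message, not taken
from the tracker's code, and all class/function names are this example's.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The four severity levels the reply lists; any other parenthesised text
# on a package line is treated as a free-form triage comment.
SEVERITY_LEVELS = {"unimportant", "low", "medium", "high"}
PACKAGE_TAGS = {"no-dsa", "unimportant", "unfixed", "undetermined",
                "not-affected", "itp"}
NOTE_KEYWORDS = {"TODO", "NOTE", "NOT-FOR-US", "RESERVED"}

HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,})(?:\s+\((.*)\))?\s*$")
PACKAGE_RE = re.compile(
    r"^(?:\[(?P<dist>[a-z]+)\]\s+)?-\s+(?P<pkg>\S+)\s+"
    r"(?:<(?P<tag>[a-z-]+)>|(?P<version>[^<\s]\S*))"
    r"(?:\s+\((?P<paren>[^)]*)\))?\s*$"
)


@dataclass
class PackageLine:
    package: str
    distribution: Optional[str]  # None: the line applies to all suites
    version: Optional[str]       # fixed version, when there is no <tag>
    tag: Optional[str]
    severity: Optional[str]      # one of SEVERITY_LEVELS, or None
    comment: Optional[str]       # free-form triage comment, or None


@dataclass
class CVEEntry:
    cve_id: str
    description: str
    packages: List[PackageLine] = field(default_factory=list)
    notes: List[Tuple[str, str]] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def parse_cve_list(text: str) -> List[CVEEntry]:
    """Parse one or more entries; an unindented line starts a new CVE."""
    entries: List[CVEEntry] = []
    current: Optional[CVEEntry] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            m = HEADER_RE.match(raw.strip())
            if not m:
                raise ValueError(f"unrecognised header line: {raw!r}")
            current = CVEEntry(m.group(1), m.group(2) or "")
            entries.append(current)
            continue
        if current is None:
            raise ValueError(f"indented line before any CVE header: {raw!r}")
        line = raw.strip()
        m = PACKAGE_RE.match(line)
        if m:
            paren = (m.group("paren") or "").strip()
            is_sev = paren.lower() in SEVERITY_LEVELS
            tag = m.group("tag")
            if tag and tag not in PACKAGE_TAGS:
                current.warnings.append(f"unknown package tag <{tag}>: {line!r}")
            current.packages.append(PackageLine(
                package=m.group("pkg"), distribution=m.group("dist"),
                version=m.group("version"), tag=tag,
                severity=paren.lower() if is_sev else None,
                comment=None if is_sev or not paren else paren))
            continue
        keyword, _, rest = line.partition(":")
        if keyword in NOTE_KEYWORDS:
            current.notes.append((keyword, rest.strip()))
        elif current.notes:
            # Wrapped continuation (as in the mail) of the previous note.
            kw, prev = current.notes[-1]
            current.notes[-1] = (kw, f"{prev} {line}".strip())
        else:
            current.warnings.append(f"unrecognised line: {line!r}")
    return entries


def effective_severity(entry: CVEEntry,
                       distribution: Optional[str] = None) -> Optional[str]:
    """Severity for a suite: its own [dist] severity if one is given,
    otherwise the all-suites line's (the reply's "low across all suites")."""
    if distribution is not None:
        for p in entry.packages:
            if p.distribution == distribution and p.severity:
                return p.severity
    for p in entry.packages:
        if p.distribution is None and p.severity:
            return p.severity
    return None


# Constructed sample: the CVE-2013-7295 entry quoted in the thread (with its
# TODO line) plus a placeholder entry exercising <unfixed>/<not-affected>.
SAMPLE = (
    "CVE-2013-7295 (Tor before 0.2.4.20, when OpenSSL 1.x is used in ...)\n"
    "\t- tor 0.2.4.20-1 (low)\n"
    "\t[wheezy] - tor <no-dsa> (Minor issue)\n"
    "\tTODO: review, severity. The exploitation scenario is too\n"
    "\tcomplicated.\n"
    "CVE-0000-0000 (placeholder entry, constructed for this example)\n"
    "\t- examplepkg <unfixed> (medium)\n"
    "\t[buster] - examplepkg <not-affected> (Vulnerable code not present)\n"
    "\tNOTE: constructed note for illustration\n"
)

if __name__ == "__main__":
    for entry in parse_cve_list(SAMPLE):
        print(entry.cve_id, "all suites:", effective_severity(entry),
              "wheezy:", effective_severity(entry, "wheezy"))
        for p in entry.packages:
            print("   ", p)
        for kw, note in entry.notes:
            print("   ", kw, note)
```

Running it prints, for the Tor entry, severity "low" for both the all-suites line and wheezy, with the wheezy line carrying tag no-dsa and comment "Minor issue" rather than a severity; the warnings list stays empty because every tag used is one the reply names. Anything parenthesised that is not one of the four levels lands in `comment`, which is exactly the distinction the original question was missing.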

