Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?



On Tue, Oct 11, 2016 at 08:04:33PM -0000, te3d4q@sigaint.org wrote:
> 1. If NVD ratings are meaningless to Debian's security team, how does the
> security team prioritize which vulnerability should be fixed first before
> others?

We look at the vulnerabilities and make an assessment.

> 2. According to https://www.debian.org/security/, it states:
> 
> "Debian also participates in security standardization efforts: the Debian
> Security Advisories are CVE-Compatible (review the cross references) and
> Debian is represented in the Board of the Open Vulnerability Assessment
> Language project."
> 
> If Debian Security Advisories are CVE-compatible, it means that the former
> accept the NVD ratings included in CVEs, yes?

We use CVE IDs for mapping vulnerabilities. NVD ratings have about the same
influence on our work as moon phases.

Cheers,
        Moritz
