
Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?



On Wed, Oct 12, 2016 at 10:43:41AM -0000, te3d4q@sigaint.org wrote:
> 1. If I understood correctly the contents of your reply, on what basis
> does the Debian security team assess the severity of each security
> vulnerability? What are those criteria?

You'll find that there's a lot of criticism of CVSS in the industry, and that a real CVSS number depends heavily on temporal and environmental factors which aren't reflected in the NVD baseline. It's not particularly uncommon for base scores to be overinflated given configuration specifics, or to understate the importance of vulnerabilities being actively exploited. Relying solely on base scores to prioritize actions without considering the environmental or temporal factors is a mistake per the guidelines on how to use CVSS.

> 2. Your latest reply implies strongly the possibility of the Debian
> security team's assessments of security vulnerabilities differing from
> those of the security teams of other popular Linux distros such as Gentoo,
> Kali, ArchLinux, Ubuntu, etc. Am I correct?

You'll find that no vendor uses CVSS base scores in NVD to strictly prioritize their work.

> As an example, ArchLinux issues a patch for a security vulnerability
> CVE-2016-xyz with an NVD rating of medium risk. However the Debian
> security team does not issue a fix for it.

To have an example, you'd need specifics. This is a hypothetical without a question. If the implicit question is "could this happen" the answer is yes, but you'd need to discuss a specific case to find out why.

Mike Stone
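As an added illustration of the point made above about base versus temporal and environmental scores (example code written for this page, not from the thread or from the Debian security team): a small CVSS v3.1 calculator run over one constructed "Medium" vector, showing how the same NVD base score lands at Low or High once the deployment's attack vector, required privileges and data sensitivity are scored. The vector and the two environments are constructed for the example; the weights and formulas are those of the CVSS v3.1 specification.

```python
# CVSS v3.1 metric weights (spec Table 16); Privileges Required also depends on Scope
W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}, "AC": {"L": 0.77, "H": 0.44},
     "UI": {"N": 0.85, "R": 0.62}, "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
     "E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
     "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
     "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},
     "REQ": {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}}  # CR / IR / AR

def pr_weight(pr, scope):
    return {"N": 0.85, "L": 0.68 if scope == "C" else 0.62, "H": 0.5 if scope == "C" else 0.27}[pr]

def roundup(x):
    # CVSS v3.1 Roundup: smallest one-decimal value >= x, done on integers to avoid float drift
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (i // 10000 + 1) / 10

def parse(vector):
    return dict(part.split(":") for part in vector.split("/"))

def _score(m, req):
    # Impact and exploitability sub-scores; req holds CR/IR/AR (all 1.0 for the base score)
    iss = min(1 - (1 - W["CIA"][m["C"]] * req["C"]) * (1 - W["CIA"][m["I"]] * req["I"])
              * (1 - W["CIA"][m["A"]] * req["A"]), 0.915)
    impact = 6.42 * iss if m["S"] == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploit = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * pr_weight(m["PR"], m["S"]) * W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min(impact + exploit if m["S"] == "U" else 1.08 * (impact + exploit), 10))

def base_score(vector):
    return _score(parse(vector), {"C": 1.0, "I": 1.0, "A": 1.0})

def environmental_score(vector):
    # Modified metrics (MAV, MPR, ...) default to the base metric when absent or "X"; CR/IR/AR
    # reweight the impact; E/RL/RC scale the result and can only lower it (E:H is 1.0)
    m = parse(vector)
    mod = {k: m.get("M" + k, "X") for k in ("AV", "AC", "PR", "UI", "S", "C", "I", "A")}
    mod = {k: m[k] if v == "X" else v for k, v in mod.items()}
    req = {k: W["REQ"][m.get(k + "R", "X")] for k in ("C", "I", "A")}
    temporal = W["E"][m.get("E", "X")] * W["RL"][m.get("RL", "X")] * W["RC"][m.get("RC", "X")]
    return roundup(_score(mod, req) * temporal)

def rating(score):
    return "None" if score == 0 else "Low" if score < 4 else "Medium" if score < 7 else "High" if score < 9 else "Critical"

BASE = "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"  # constructed vector: NVD-style "Medium", base 5.4

if __name__ == "__main__":  # the same base vector as published, then in two different environments
    for v in (BASE, BASE + "/MAV:L/CR:L/IR:L", BASE + "/MPR:N/CR:H/IR:H"):
        print(environmental_score(v), rating(environmental_score(v)), v)
```

The first environment (component only reachable locally, low-value data) scores 3.2 Low and the second (reachable without authentication, sensitive data) scores 7.5 High from the same 5.4 base; note also that E:H leaves the number at 5.4, since the temporal metrics never raise a score.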

