
Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?



On Wed, Oct 12, 2016 at 10:43:41AM -0000, te3d4q@sigaint.org wrote:
> > We look at the vulnerabilities and make an assessment.
> > Cheers,
> >         Moritz
> >
> 
> 1. If I understood correctly the contents of your reply, on what basis
> does the Debian security team assess the severity of each security
> vulnerability? What are those criteria?

Human judgement based on experience.
 
> 2. Your latest reply implies strongly the possibility of the Debian
> security team's assessments of security vulnerabilities differing from
> those of the security teams of other popular Linux distros such as Gentoo,
> Kali, ArchLinux, Ubuntu, etc. Am I correct?

Of course, every distribution makes their own assessment. After
all, each distro might ship an affected codebase in different
versions/configs/environments.

Cheers,
        Moritz

