Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
On Wed, Oct 12, 2016 at 10:43:41AM -0000, te3d4q@sigaint.org wrote:
> > We look at the vulnerabilities and make an assessment.
> > Cheers,
> > Moritz
> >
>
> 1. If I understood correctly the contents of your reply, on what basis
> does the Debian security team assess the severity of each security
> vulnerability? What are those criteria?
Human judgement based on experience.
> 2. Your latest reply implies strongly the possibility of the Debian
> security team's assessments of security vulnerabilities differing from
> those of the security teams of other popular Linux distros such as Gentoo,
> Kali, ArchLinux, Ubuntu, etc. Am I correct?
Of course, every distribution makes their own assessment. After
all each distro might ship an affected codebase in different
versions/configs/environments.
Cheers,
Moritz