Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?

To: debian-security@lists.debian.org
Subject: Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
From: Moritz Mühlenhoff <jmm@inutil.org>
Date: Tue, 11 Oct 2016 17:20:25 +0200
Message-id: <[🔎] slrnnvq0pp.grj.jmm@inutil.org>
References: <[🔎] eae7d98cc7550642774010d3fa7fdfb4.webmail@localhost>

te3d4q@sigaint.org <te3d4q@sigaint.org> schrieb:
> I read somewhere on a forum that for security vulnerabilities that have
> "NVD security" ratings of medium or low risk, Debian's security team may
> not issue patches/fixes for them. Only high-risk security vulnerabilities
> will be fixed. Is that correct?

No, the NVD ratings are entirely meaningless to us. In addition to security
issues fixed in DSAs, there are also minor security fixes provided via
the jessie point updates.

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
  - From: te3d4q@sigaint.org

References:
- Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
  - From: te3d4q@sigaint.org

Prev by Date: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
Next by Date: Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
Previous by thread: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
Next by thread: Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?
Index(es):
- Date
- Thread