[pkg-firebird-general] Bug#362001: [security] Insecure semaphore permissions
Steve Langasek
vorlon at debian.org
Wed Apr 12 15:31:27 UTC 2006
On Wed, Apr 12, 2006 at 08:24:59AM +0200, Florian Weimer wrote:
> * Steve Langasek:
> > A DoS does not normally qualify as a severity: grave security bug.
> Why the sudden change in policy?
> So far, only user-initiated denial-of-service conditions (e.g. editor
> crashes when opening certain files) were not considered grave bugs.
Hrm, it wasn't my understanding that this is a change in policy. According
to <http://www.debian.org/Bugs/Developer#severities>, the severities for
security bugs are:
  critical: introduces a security hole on systems where you install the
            package
  grave:    introduces a security hole allowing access to the accounts of
            users who use the package
  ...
  important: most other stuff
and I understood that these severities followed from the Security Team's
policies regarding stable updates, which I was trying to honor with my
adjusting of this bug. If DoS bugs are being treated as grounds for issuing
DSAs, I'm fine with re-raising the severity on bugs like that; I just don't
want security bugs marked as "grave" if they don't qualify for security
updates in stable.
You can argue, depending on the type of service, that a remote DoS makes a
package unusable. That doesn't seem to apply to a database server that is
unlikely to be on the public Internet, though.
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
vorlon at debian.org             http://www.debian.org/