[Secure-testing-team] Security update for fuse

Moritz Muehlenhoff jmm at inutil.org
Fri Jun 17 22:08:59 UTC 2005


Djoume SALVETTI wrote:
> > I'm thinking of some "minor" tag for uncritical tempraces, packages
> > not vulnerable in the Debian package, and generally obscure issues.
> 
> What do you think about two kinds of tags?
> 
> One about severity or "criticality" like what we can find on secunia :

Yes, but we should keep that set of issues small, the Secunia classifications
are too extensive. We won't have the resources to track for each vulnerability
whether it's actively exploited, as Secunia does seem to do.

There are too many unknown variables on the side of the host running the
vulnerable code. The best way to address severity of more important issues is to
prioritize fixes for these issues in a faster manner.

So maybe we should start with a simple differentiation between
vulnerabilities and minor issues, which may not be optimal from a security
perspective. e.g.:

- issues only exploitable under rare circumstances/stupid setups (e.g. cpio,
  coreutils)
- issues affecting code not shipped in the binary packages (e.g. krb5/278271)
- DoS against applications without security implications (e.g. lynx), except
  that availability has been attacked
- others?

> http://secunia.com/about_secunia_advisories/
> 
> and another one about type of vulnerabilities, the goal would be to
> autobuilt a page like this :

IMO DSAs contain a useful set of issue classifications we should adopt.

Cheers,
        Moritz
