[Secure-testing-team] Security update for fuse

Micah Anderson micah at riseup.net
Sun Jun 19 15:23:06 UTC 2005


Moritz Muehlenhoff wrote on Saturday, 18 June 2005:

> Djoume SALVETTI wrote:
> > > I'm thinking of some "minor" tag for uncritical tempraces, packages
> > > not vulnerable in the Debian package, and generally obscure issues.
> > 
> > What do you think about two kinds of tags?
> > 
> > One about severity or "criticality" like what we can find on Secunia:
> 
> Yes, but we should keep that set of issues small, the Secunia classifications
> are too extensive. We won't have the resources to track for each vulnerability
> whether it's actively exploited, as Secunia does seem to do.

I agree, I think that our classifications should be simple, perhaps
only three different categories.

> So maybe we should start with a simple differentiation between
> vulnerabilities and minor issues, which may not be optimal from a security
> perspective. e.g.:
> 
> - issues only exploitable under rare circumstances/stupid setups (e.g. cpio,
>   coreutils)
> - issues affecting code not shipped in the binary packages (e.g. krb5/278271)
> - DoS against applications without security implications (e.g. lynx), except
>   that availability has been attacked
> - others?

Would these all be minor issues?

I think that we'd have to be careful about DoS issues, because any
vulnerability that can cause a service interruption should be viewed
as minor only with qualifications.

What about three risk categories: low, medium, high.

Things that go into the high risk category would be things like remote
root exploits, local root exploits, privilege escalation to
super-user, remote/local service crippling via DoS, and sensitive
information disclosure. Medium risk vulnerabilities that have known
exploits/proof-of-concepts would be promoted to high-risk.

Medium risk would be vulnerabilities without known
exploits/proof-of-concepts on LAN-based services (SMB, lpr, NFS, RPC),
cross-site scripting and privilege escalation not resulting in root
privileges.

Low risk would be rare, theoretical exploits that are circumstantial,
issues affecting code not shipped in binary packages, and non-sensitive
information disclosure (the issues that you listed above).

Micah
