[Secure-testing-team] Security update for fuse

Joey Hess joeyh at debian.org
Sun Jun 19 17:00:29 UTC 2005


Micah Anderson wrote:
> What about three risk categories: low, medium, high. 
> 
> Things that go into the high risk category would be things like remote
> root exploits, local root exploits, privilege escalation to
> super-user, remote/local service crippling via DoS, and sensitive
> information disclosure. Medium risk vulnerabilities that have known
> exploits/proof-of-concepts would be promoted to high-risk.
> 
> Medium risk would be vulnerabilities without known
> exploits/proof-of-concepts on LAN-based services (SMB, lpr, NFS, RPC),
> cross-site scripting and privilege escalation not resulting in root
> privileges.
> 
> Low risk are rare, theoretical exploits that are circumstantial,
> issues affecting code not shipped in binary packages. Non-sensitive
> information disclosure. (Issues that you listed above)

As long as we're using the classifications to decide what gets priority
to be worked on (or to ignore stuff that is not worth working on ;-), I
think that the specifics don't matter very much. If we end up with too
many high priority things spanning too broad a spectrum then we will
naturally shift the boundary between it and medium, or add a fourth level.

We may find it better to start with just two levels, since I think we'd
all be agreed on what goes in high and low then, and we can always add
more later.

-- 
see shy jo