[Secure-testing-team] Security update for fuse
Joey Hess
joeyh at debian.org
Sun Jun 19 16:30:31 UTC 2005
Moritz Muehlenhoff wrote:
> Yes, but we should keep that set of issues small, the Secunia classifications
> are too extensive. We won't have the resources to track for each vulnerability
> whether it's actively exploited, as Secunia does seem to do.
>
> There are too many unknown variables on the side of the host running the
> vulnerable code. The best way to address severity of more important issues is to
> prioritize fixes for these issues in a faster manner.
>
> So maybe we should start with a simple differentiation between
> vulnerabilities and minor issues, which may not be optimal from a security
> perspective. e.g.:
>
> - issues only exploitable under rare circumstances/stupid setups (e.g. cpio,
> coreutils)
> - issues affecting code not shipped in the binary packages (e.g. krb5/278271)
> - DoS against applications without security implications (e.g. lynx), except
> that availability has been attacked
> - others?
I agree that we should KISS and bear in mind that we're only using it to
prioritise our work.
> > http://secunia.com/about_secunia_advisories/
> >
> > and another one about type of vulnerabilities, the goal would be to
> > autobuilt a page like this :
>
> IMO DSAs contain a useful set of issue classifications we should adopt.
We'd certainly want to use those in DTSAs.
--
see shy jo