[Secure-testing-team] Some notes on data commits

Florian Weimer fw at deneb.enyo.de
Sat Jan 13 18:38:09 CET 2007


* Alex de Oliveira Silva:

> Did you mean that I shouldn't trust in mitre CVE "CVSS Severity"?

No, I don't think so.  For instance, CVE-2006-6235 gets a full 10.0 by
NVD, and according to our standards, it's "medium".

> Do you wait for the evaluation of the maintainer to change the severity
> afterwards or do you only look in description of the bug?
> How can I analyze the severities correctly?

The general rules are, as far as I'm concerned:

  - "high" for anything that permits an attacker to execute arbitrary
    code on the vulnerable system (with or without root
    privileges[1]).  High-impact denial-of-service bugs should be put
    into that category, too (for instance, an IPv4 forwarding path
    vulnerability which requires only very few packets to exploit).

    Significant defects in security software can be rated "high" as
    well (for instance, a vulnerability in a piece of cryptographic
    software which flags forged digital signatures as genuine).

  - "medium" for anything which permits code execution after user
    interaction.  Local privilege escalation vulnerabilities are in
    this category as well, or remote privilege escalation if it's
    constrained to the application (i.e. no shell access to the
    underlying system, such as simple cross-site scripting).  Most
    remote DoS vulnerabilities fall into this category, too.

  - "low" is intended for local DoS, /tmp file races and so on.

  - "unimportant" are PHP Safe mode bugs, path disclosure (doesn't
    matter on Debian), and issues for which we only ship vulnerable
    source code which isn't compiled into the package.

Certain packages may get a higher or lower rating than usual, based on
their importance.

[1] Given the ubiquity of privilege escalation vulnerabilities, it
    doesn't make much sense to differentiate between root and
    non-root.
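A small triage helper that encodes the rules above, added here as an example; it is not part of the original message or of any Debian tracker tooling. The Issue fields, the rule ordering and the single-step package adjustment are assumptions about how a triager would record the facts, and an external CVSS score is deliberately not an input.

```python
from dataclasses import dataclass
from typing import Optional

# Severity scale, lowest to highest (order used by adjust_for_package)
SCALE = ["unimportant", "low", "medium", "high"]

@dataclass
class Issue:
    """Facts a triager records before rating; field names are assumptions."""
    remote: bool = False               # reachable without a local account
    code_execution: bool = False       # attacker gets to run arbitrary code
    needs_user_interaction: bool = False
    privilege_escalation: bool = False
    app_confined: bool = False         # escalation stays inside the app (e.g. XSS)
    dos: bool = False
    dos_high_impact: bool = False      # e.g. few packets take down IPv4 forwarding
    crypto_verification_defect: bool = False  # forged signatures flagged genuine
    tmp_race: bool = False
    php_safe_mode: bool = False
    path_disclosure: bool = False
    code_not_compiled: bool = False    # vulnerable source shipped but never built

def rate(issue: Issue) -> Optional[str]:
    """Apply the rules in priority order; None means 'rate by hand'."""
    if issue.code_not_compiled or issue.php_safe_mode or issue.path_disclosure:
        return "unimportant"
    if issue.crypto_verification_defect:
        return "high"
    if issue.code_execution and issue.remote and not issue.needs_user_interaction:
        return "high"
    if issue.dos and issue.remote and issue.dos_high_impact:
        return "high"
    if issue.code_execution and issue.needs_user_interaction:
        return "medium"
    if issue.privilege_escalation and (not issue.remote or issue.app_confined):
        return "medium"
    if issue.dos and issue.remote:
        return "medium"
    if issue.tmp_race or (issue.dos and not issue.remote):
        return "low"
    return None

def adjust_for_package(rating: str, importance: int) -> str:
    """Shift one step up (+1) or down (-1) for unusually (un)important packages."""
    idx = min(max(SCALE.index(rating) + importance, 0), len(SCALE) - 1)
    return SCALE[idx]
```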