Hi, I see, but it doesn't answer the problem of how can someone judge the severity of DSA-X against DSA-Y and say which one is more important?
Yes, local factors can take precedence, for example having a local user vs not having local users - note that CVSSv3 takes this into account with the part of authentication.

You should note that Red Hat, Ubuntu, CentOS, and others provide a severity rating, either based on the NIST NVD or based on some internal "mechanism". But they provide that information to assist their customers to understand the threat. It would be disappointing if this is not done for Debian as well.

On Wed, Aug 9, 2017 at 2:33 PM, Moritz Muehlenhoff <j...@debian.org> wrote:
> On Wed, Aug 09, 2017 at 02:16:54PM +0300, Noam Rathaus wrote:
> > Package: security.debian.org
> >
> > Currently the Debian OVAL lacks (critical) information from the files,
> > specifically the severity setting of the patch.
> >
> > I wanted to ask if it would be possible for the XML files that the script
> > you run will include the <severity> rating of the DSA advisory?
>
> DSA advisories intentionally don't have a severity rating and we're not
> planning to add one (since the severity depends strongly on local factors).
>
> I don't feel comfortable pulling in external CVSS classifications that we
> don't have any control over.
>
> Cheers,
> Moritz

-- 
Thanks,
Noam Rathaus
Beyond Security
PGP Key ID: 2D24B275B1EB4475 (Exp 2018-03)