I see, but it doesn't answer the problem of how can someone judge the
severity of DSA-X against DSA-Y and say which one is more important?

Yes local factors can take precedence, for example having a local user vs
not having local users - note that CVSSv3 takes this into account with the
part of authentication.

You should note that RedHat, Ubnutu, CentOS, and others provide a severity
rating, either based on the NIST NVD, or based on some internal "mechanism"

But they provide that information to assist their customers to understand
the threat

It would be disappointing if this is not done for Debian as well.

On Wed, Aug 9, 2017 at 2:33 PM, Moritz Muehlenhoff <j...@debian.org> wrote:

> On Wed, Aug 09, 2017 at 02:16:54PM +0300, Noam Rathaus wrote:
> > Package: security.debian.org
> >
> > Currently the Debian OVAL lack (critical) information from the files,
> > specifically the severity setting of the patch.
> >
> > I wanted to ask if it would be possible for the XML files that the script
> > you run will include the <severity> rating of the DSA advisory?
> DSA advisories intentionally don't have a severity rating and we're not
> planning to add one (since the severity depends strongly on local factors).
> I don't feel comfortable pulling in external CVSS classifications that we
> don't have any control over.
> Cheers,
>         Moritz


Noam Rathaus
Beyond Security

PGP Key ID: 2D24B275B1EB4475 (Exp 2018-03)

Reply via email to