On Wed, Oct 12, 2016 at 10:43:41AM -0000, te3...@sigaint.org wrote:
> 1. If I understood correctly the contents of your reply, on what basis
> does the Debian security team assess the severity of each security
> vulnerability? What are those criteria?
You'll find that there's a lot of criticism of CVSS in the industry, and
that a real CVSS number depends heavily on temporal and environmental
factors which aren't reflected in the NVD baseline. It's not
particularly uncommon for base scores to be overinflated given
configuration specifics, or to understate the importance of
vulnerabilities being actively exploited. Relying solely on base scores
to prioritize actions without considering the environmental or temporal
factors is a mistake per the guidelines on how to use CVSS.
> 2. Your latest reply implies strongly the possibility of the Debian
> security team's assessments of security vulnerabilities differing from
> those of the security teams of other popular Linux distros such as Gentoo,
> Kali, ArchLinux, Ubuntu, etc. Am I correct?
You'll find that no vendor uses CVSS base scores in NVD to strictly
prioritize their work.
> As an example, ArchLinux issues a patch for a security vulnerability
> CVE-2016-xyz with an NVD rating of medium risk. However the Debian
> security team does not issue a fix for it.
To have an example, you'd need specifics. This is a hypothetical without
a question. If the implicit question is "could this happen" the answer
is yes, but you'd need to discuss a specific case to find out why.