[Secure-testing-commits] r3029 - doc

Moritz Muehlenhoff jmm-guest at costa.debian.org
Wed Dec 14 09:00:25 UTC 2005 

Author: jmm-guest
Date: 2005-12-14 09:00:25 +0000 (Wed, 14 Dec 2005)
New Revision: 3029

Modified:
   doc/narrative_introduction
Log:
document reserved, rejected, not-affected and removed 


Modified: doc/narrative_introduction
===================================================================
--- doc/narrative_introduction	2005-12-13 22:50:59 UTC (rev 3028)
+++ doc/narrative_introduction	2005-12-14 09:00:25 UTC (rev 3029)
@@ -117,7 +117,26 @@
 service ...)
    NOT-FOR-US: Safari
 
+Reserved entries
+----------------
+Several security problems have coordinated dates of public disclosure,
+i.e. a CVE identifier has been assigned to a problem, but it's not
+public yet. Also, several vendors have a pool of CVE ids they can
+assign to problems that are detected in their products. Such entries
+are marked as RESERVED in the tracker:
 
+CVE-2005-1432
+        RESERVED
+
+Rejected entries
+----------------
+Sometimes there are CVE assignments that later turn out to be duplicates,
+mistakes or non-issues. These items are reverted and turned into REJECTED
+entries:
+
+CVE-2005-4129
+        REJECTED
+
 ITP packages
 ------------
 If it is a package that someone has filed an RFP or ITP for, then that
@@ -152,6 +171,24 @@
    - php4 <unfixed> (bug #353585; medium)
    - php5 <unfixed> (bug #353585; medium)
 
+If a vulnerability does not affect Debian, e.g. because the vulnerable
+code is not contained, it is marked as <not-affected>:
+
+CVE-2004-2628 (Multiple directory traversal vulnerabilities in thttpd 2.07 beta 0.4, ...)
+        - thttpd <not-affected> (Windows-specific vulnerabilities)
+
+<not-affected> is also used if a vulnerability was fixed before a
+package was uploaded into the Debian archive.
+
+Sometimes there are cases, where a vulnerability hasn't been fixed with
+a code change, but simply by deciding that a package is that broken that
+it needs to be removed from the archive entirely. This is tracked with
+the <removed> tag:
+
+CVE-2005-1435 (Open WebMail (OWM) before 2.51 20050430 allows remote authenticated ...)
+        - openwebmail <removed>
+
+
 Severity levels
 ---------------
 These levels are mostly used to prioritize the order in which security
@@ -159,14 +196,14 @@
 assess these levels:
 
 unimportant: This problem does not affect the Debian binary package, e.g.
-             a vulnerable file, which is not built or a vulnerable file
+             a vulnerable source file, which is not built or a vulnerable file
              in doc/foo/examples/
 low        : A security problem, which has only mild security implications
              and one would even be comfortable with if it continues to
              be present
 medium     : A typical, exploitable security problem.
 high       : A typical, exploitable security problem, which you'll really
-             like to fix and at least implement a workaround. This could
+             like to fix or at least implement a workaround. This could
              be because the vulnerable code is very broadly used, because
              an exploit is in the wild or because the attack vector is
              very wide.
@@ -214,12 +251,6 @@
 vulnerable as the vulnerability is only effective when run under PHP 5,
 which isn't part of Sarge.
 
-TODO
-----
-
-Need to document <not-affected>, <removed>, REJECTED, RESERVED
-
-
 Generated Reports
 -----------------
 All of this tracking information gets automatically parsed and

More information about the Secure-testing-commits mailing list