[Secure-testing-commits] r14061 - in data: . CVE
Nico Golde
debian-secure-testing+ml at ngolde.de
Mon Feb 8 22:35:37 UTC 2010
Hey,
* Michael Gilbert <michael.s.gilbert at gmail.com> [2010-02-08 22:02]:
> On Mon, 8 Feb 2010 17:48:02 +0000, Moritz Muehlenhoff wrote:
> > Author: jmm-guest
> > Date: 2010-02-08 17:48:00 +0000 (Mon, 08 Feb 2010)
> > New Revision: 14061
> >
> > Modified:
> > data/CVE/list
> > data/embedded-code-copies
> > Log:
> > - bzr code copies fixed
> > - glibc issue not a vulnerability
> > - systemtap issue not in Etch
> [...]
> > CVE-2010-XXXX [samba: remote zero-day vulnerability]
> > - - samba <unfixed> (high; bug #568493)
> > + - samba <unfixed> (low; bug #568493)
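Review bot: The urgency change from high to low on the samba line is not covered by the commit log, which lists only the bzr, glibc and systemtap items. The entry is still titled "remote zero-day vulnerability", so the reason for choosing low should be recorded, either as a line in the log message or as a note next to the entry, so that readers of the tracker can see why the ranking dropped.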
>
> from the narrative_introduction, issues for which exploits exist in the
> wild should be considered high urgency.
[...]
I don't think you can take the narrative introduction exactly this way, it's
not a policy, just a pointer to the general workflow. As we already outlined
quite a lot, common sense applies to these rankings.
Though I disagree with both of you, this is no high issue as it doesn't affect
every samba installation and as well it isn't low like /tmp/ races... I think
medium is pretty appropriate.
Cheers
P.S. I agree, I also don't waste productive time on such discussions (I don't
have time at the moment as you noticed), but in the end I also don't want a
security tracker reflecting Debian to be unable to properly rank
vulnerabilities :) I'd even vote for removing that altogether, include the
CVSS score and everyone can rank it for himself on his personal todo list...
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.