author: Moritz Muehlenhoff <jmm@debian.org> 2005-12-14 09:00:25 +0000
committer: Moritz Muehlenhoff <jmm@debian.org> 2005-12-14 09:00:25 +0000
commit: e6d2f5227824139678358e1b0d4a5bf7d369d4c7
tree: f97ee78854d2626239c21adcbfefe2f0edc39422 /doc/narrative_introduction
parent: bcb6c5dafcaf54d2bba0285269df1fd39f90eba3
document reserved, rejected, not-affected and removed
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@3029 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'doc/narrative_introduction')
-rw-r--r-- doc/narrative_introduction 47
1 files changed, 39 insertions, 8 deletions
diff --git a/doc/narrative_introduction b/doc/narrative_introduction
index ec2c5653e0..958d6ae287 100644
--- a/doc/narrative_introduction
+++ b/doc/narrative_introduction
@@ -117,6 +117,25 @@ CVE-2005-3018 (Apple Safari allows remote attackers to cause a denial of
service ...)
NOT-FOR-US: Safari
+Reserved entries
+----------------
+Several security problems have coordinated dates of public disclosure,
+i.e. a CVE identifier has been assigned to a problem, but it's not
+public yet. Also, several vendors have a pool of CVE ids they can
+assign to problems that are detected in their products. Such entries
+are marked as RESERVED in the tracker:
+
+CVE-2005-1432
+ RESERVED
+
+Rejected entries
+----------------
+Sometimes there are CVE assignments that later turn out to be duplicates,
+mistakes or non-issues. These items are reverted and turned into REJECTED
+entries:
+
+CVE-2005-4129
+ REJECTED
ITP packages
------------
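Review bot: the new "Reserved entries" heading is inserted directly after the `NOT-FOR-US: Safari` example line, and the `REJECTED` example runs straight into the `ITP packages` heading, while the rest of the file separates sections with blank lines (this same patch adds two before "Severity levels"); add a blank line before `Reserved entries` and one after the `CVE-2005-4129` / `REJECTED` example. The RESERVED paragraph explains why an entry is not public yet but not what happens afterwards; one sentence saying whether and how the entry is updated once the problem is disclosed would tell readers that the marker is temporary.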
@@ -152,6 +171,24 @@ versions, does not ...)
- php4 <unfixed> (bug #353585; medium)
- php5 <unfixed> (bug #353585; medium)
+If a vulnerability does not affect Debian, e.g. because the vulnerable
+code is not contained, it is marked as <not-affected>:
+
+CVE-2004-2628 (Multiple directory traversal vulnerabilities in thttpd 2.07 beta 0.4, ...)
+ - thttpd <not-affected> (Windows-specific vulnerabilities)
+
+<not-affected> is also used if a vulnerability was fixed before a
+package was uploaded into the Debian archive.
+
+Sometimes there are cases, where a vulnerability hasn't been fixed with
+a code change, but simply by deciding that a package is that broken that
+it needs to be removed from the archive entirely. This is tracked with
+the <removed> tag:
+
+CVE-2005-1435 (Open WebMail (OWM) before 2.51 20050430 allows remote authenticated ...)
+ - openwebmail <removed>
+
+
Severity levels
---------------
These levels are mostly used to prioritize the order in which security
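Review bot: "a package is that broken that it needs to be removed" should read "so broken that it needs to be removed", and "because the vulnerable code is not contained" leaves the reader guessing what it is not contained in; "not contained in the Debian package" would be explicit (the thttpd example makes the point clearer than the sentence does). The `If a vulnerability does not affect Debian` paragraph also follows the php4/php5 example lines without a separating blank line, unlike the other examples in this hunk. Since the second `<not-affected>` case (fixed before the package entered the archive) and the `unimportant` severity described further down both cover "the Debian package was never exploitable", a short hint on which to choose would help triagers.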
@@ -159,14 +196,14 @@ problems are resolved. Anyway, we have a rough overview on how you should
assess these levels:
unimportant: This problem does not affect the Debian binary package, e.g.
- a vulnerable file, which is not built or a vulnerable file
+ a vulnerable source file, which is not built or a vulnerable file
in doc/foo/examples/
low : A security problem, which has only mild security implications
and one would even be comfortable with if it continues to
be present
medium : A typical, exploitable security problem.
high : A typical, exploitable security problem, which you'll really
- like to fix and at least implement a workaround. This could
+ like to fix or at least implement a workaround. This could
be because the vulnerable code is very broadly used, because
an exploit is in the wild or because the attack vector is
very wide.
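Review bot: the "and" to "or" change in the `high` definition is the right fix, since a workaround is the fallback when a proper fix is not available rather than an additional requirement. In the `unimportant` line, "a vulnerable source file, which is not built" puts a comma before a restrictive clause; "a vulnerable source file that is not built" reads more naturally. While touching the `high` entry, "which you'll really like to fix" would also read better as "which you'll really want to fix".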
@@ -214,12 +251,6 @@ Drupal has been fixed since 4.5.6, however Drupal from Sarge still isn't
vulnerable as the vulnerability is only effective when run under PHP 5,
which isn't part of Sarge.
-TODO
-----
-
-Need to document <not-affected>, <removed>, REJECTED, RESERVED
-
-
Generated Reports
-----------------
All of this tracking information gets automatically parsed and
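Review bot: dropping the TODO is consistent with the rest of this patch, since all four items it listed (`<not-affected>`, `<removed>`, REJECTED, RESERVED) are now documented above. The removed block also includes the blank lines that separated the Drupal paragraph ("which isn't part of Sarge.") from the `Generated Reports` heading, so as the hunk reads the heading would follow the paragraph directly; keep one blank line between them.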