Why not use CVSS as a base calculation for assigning severity levels?
IIRC, something like:
CVSS>=8 => High
4<=CVSS<8 => Medium
CVSS<4 => Low
was a good guidance in my previous job.
FYI, I've attached the table that drove us to these scores.
Cyrille
On Wednesday 10 April 2024 at 23:30 +0200, O
FTR,
I did a small analysis, and it's for sure that CVE-2019-12214 relates
to code from openjpeg: looking at the content of the folder "LibOpenJpeg"
in freeimage's source code shows exactly the same files as in
https://github.com/uclouvain/openjpeg/tree/master/src/lib/openjp2
However, since freeimage
or this CVE it would be nice. I
> started
> but realized that I had more questions and then it is better if you
> do
> it who knows the answer.
>
> No hurry since this is for a postponed issue.
>
> Cheers
>
> // Ola
>
> On Fri, 12 Apr 2024 at 09:15, Cyril
24 at 12:00 +0200, Ola Lundqvist wrote:
> Hi Cyrille
>
> See below.
>
> On Fri, 12 Apr 2024 at 10:44, Cyrille Bollu wrote:
> >
> >
> > > Thank you! Do you mean that freeimage copy in those files during
> > > the
> > >
ve sent to NIST.
Best regards,
Cyrille
>Message-ID: <981f8fc77d9e0fee8399a19e6e4c9c64ceeea9a7.ca...@bollu.be>
>Subject: CVE-2019-12214: missing vulnerable configuration
>From: Cyrille Bollu
>To: cpe_diction...@nist.gov
>Date: Sun, 14 Apr 2024 12:01:43 +0200
>Content-Typ
>
> Thank you,
>
> On 14/04/24 at 13:39, Ola Lundqvist wrote:
> > Hi Cyrille
> >
> > Thank you very much.
> >
> > I'll update the security tracker accordingly.
> >
> > // Ola
> >
> > On Sun, 14 Apr 2024 at 12:24, C
Hi Santiago,
>It is not a question of trust. It is a problem of lack of strong
>evidence that the issue is no longer there in freeimage or openjpeg2.
>We cannot rely only on CVE description to track the issues.
I think you'd be right to not trust my analysis too lightly since it's
my first contri
Hi Santiago,
Here's some follow up :-)
Best regards,
Cyrille
On Tuesday 16 April 2024 at 12:52 -0300, Santiago Ruano Rincón wrote:
> Hi Cyrille,
>
> On 16/04/24 at 16:09, Cyrille Bollu wrote:
> > Hi Santiago,
> >
> > > It is not a question of trust
On Friday 26 April 2024 at 12:50 -0300, Santiago Ruano Rincón wrote:
> Hi Cyrille!
>
> On 25/04/24 at 15:00, Cyrille Bollu wrote:
> > Hi Santiago,
> >
> > Here's some follow up :-)
> >
> > Best regards,
> >
> > Cyrille
>