Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?

2016-10-11 Thread Moritz Muehlenhoff
On Tue, Oct 11, 2016 at 08:04:33PM -, te3...@sigaint.org wrote:
> 1. If NVD ratings are meaningless to Debian's security team, how does the
> security team prioritize which vulnerability should be fixed first before
> others?

We look at the vulnerabilities and make an assessment.

> 2. Accordi

Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?

2016-10-11 Thread te3d4q
> No, the NVD ratings are entirely meaningless to us. In addition to security
> issues fixed in DSAs, there are also minor security fixes provided via
> the jessie point updates.
>
> Cheers,
> Moritz

1. If NVD ratings are meaningless to Debian's security team, how does the security team

Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?

2016-10-11 Thread Moritz Mühlenhoff
te3...@sigaint.org wrote:
> I read somewhere on a forum that for security vulnerabilities that have
> "NVD security" ratings of medium or low risk, Debian's security team may
> not issue patches/fixes for them. Only high-risk security vulnerabilities
> will be fixed. Is that correct?

No, the NV

Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?

2016-10-11 Thread te3d4q
I read somewhere on a forum that for security vulnerabilities that have "NVD security" ratings of medium or low risk, Debian's security team may not issue patches/fixes for them. Only high-risk security vulnerabilities will be fixed. Is that correct? I was under the impression that all security vu