> Of course, every distribution makes their own assessment. After
> all, each distro might ship an affected codebase in different
> versions/configs/environments.
>
> Cheers,
> Moritz
>
Hi Moritz,
I appreciate the time and effort that you spent on clarifying my questions.
Thank you.
>
> To have an example, you'd need specifics. This is a hypothetical without
> a question. If the implicit question is "could this happen" the answer
> is yes, but you'd need to discuss a specific case to find out why.
>
> Mike Stone
As you asked me for a specific case, may I bring up CVE-2016-569
> We look at the vulnerabilities and make an assessment.
> Cheers,
> Moritz
>
1. If I understood correctly the contents of your reply, on what basis
does the Debian security team assess the severity of each security
vulnerability? What are those criteria?
2. Your latest reply implies stro
> No, the NVD ratings are entirely meaningless to us. In addition to
> security
> issues fixed in DSAs, there are also minor security fixes provided via
> the jessie point updates.
>
> Cheers,
> Moritz
1. If NVD ratings are meaningless to Debian's security team, how does the
security team
I read somewhere on a forum that for security vulnerabilities that have
"NVD security" ratings of medium or low risk, Debian's security team may
not issue patches/fixes for them. Only high-risk security vulnerabilities
will be fixed. Is that correct?
I was under the impression that all security vu