Author: jmm-guest Date: 2005-12-14 09:00:25 +0000 (Wed, 14 Dec 2005) New Revision: 3029 Modified: doc/narrative_introduction Log: document reserved, rejected, not-affected and removed Modified: doc/narrative_introduction ==================================================================--- doc/narrative_introduction 2005-12-13 22:50:59 UTC (rev 3028) +++ doc/narrative_introduction 2005-12-14 09:00:25 UTC (rev 3029) @@ -117,7 +117,26 @@ service ...) NOT-FOR-US: Safari +Reserved entries +---------------- +Several security problems have coordinated dates of public disclosure, +i.e. a CVE identifier has been assigned to a problem, but it''s not +public yet. Also, several vendors have a pool of CVE ids they can +assign to problems that are detected in their products. Such entries +are marked as RESERVED in the tracker: +CVE-2005-1432 + RESERVED + +Rejected entries +---------------- +Sometimes there are CVE assignments that later turn out to be duplicates, +mistakes or non-issues. These items are reverted and turned into REJECTED +entries: + +CVE-2005-4129 + REJECTED + ITP packages ------------ If it is a package that someone has filed an RFP or ITP for, then that 
@@ -152,6 +171,24 @@ - php4 <unfixed> (bug #353585; medium) - php5 <unfixed> (bug #353585; medium) +If a vulnerability does not affect Debian, e.g. because the vulnerable +code is not contained, it is marked as <not-affected>: + +CVE-2004-2628 (Multiple directory traversal vulnerabilities in thttpd 2.07 beta 0.4, ...) + - thttpd <not-affected> (Windows-specific vulnerabilities) + +<not-affected> is also used if a vulnerability was fixed before a +package was uploaded into the Debian archive. + +Sometimes there are cases, where a vulnerability hasn''t been fixed with +a code change, but simply by deciding that a package is that broken that +it needs to be removed from the archive entirely. This is tracked with +the <removed> tag: + +CVE-2005-1435 (Open WebMail (OWM) before 2.51 20050430 allows remote authenticated ...) + - openwebmail <removed> + + Severity levels --------------- These levels are mostly used to prioritize the order in which security @@ -159,14 +196,14 @@ assess these levels: unimportant: This problem does not affect the Debian binary package, e.g. - a vulnerable file, which is not built or a vulnerable file + a vulnerable source file, which is not built or a vulnerable file in doc/foo/examples/ low : A security problem, which has only mild security implications and one would even be comfortable with if it continues to be present medium : A typical, exploitable security problem. high : A typical, exploitable security problem, which you''ll really - like to fix and at least implement a workaround. This could + like to fix or at least implement a workaround. This could be because the vulnerable code is very broadly used, because an exploit is in the wild or because the attack vector is very wide. 
@@ -214,12 +251,6 @@ vulnerable as the vulnerability is only effective when run under PHP 5, which isn''t part of Sarge. -TODO ----- - -Need to document <not-affected>, <removed>, REJECTED, RESERVED - - Generated Reports ----------------- All of this tracking information gets automatically parsed and
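Review bot: the new "Reserved entries" paragraph (first hunk, @@ -117) explains why a RESERVED entry exists but not what happens to it once the issue is disclosed; add a sentence saying that the RESERVED marker is replaced by a normal entry (description plus affected-package lines) when the CVE is published, otherwise a reader cannot tell whether RESERVED entries need revisiting. Also "i.e. a CVE identifier has been assigned to a problem, but it''s not public yet" shows a doubled apostrophe, as do "hasn''t", "you''ll" and "isn''t" in the later hunks; if that is in the committed file rather than an artefact of how this commit mail was produced, make them single apostrophes.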
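Review bot: two sentences in the not-affected/removed hunk (@@ -152) are incomplete or hard to parse. "e.g. because the vulnerable code is not contained" needs an object, e.g. "is not contained in the Debian package", and "Sometimes there are cases, where a vulnerability hasn''t been fixed with a code change, but simply by deciding that a package is that broken that it needs to be removed from the archive entirely" reads better as "Sometimes a vulnerability is not fixed by a code change but by removing a package that is too broken to keep in the archive". The example "- thttpd <not-affected> (Windows-specific vulnerabilities)" carries a reason in parentheses; say explicitly that such a note is expected on every <not-affected> line, since the decision cannot be checked later without it.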
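Review bot: with <not-affected> now documented, the unimportant level in the severity hunk (@@ -159), "This problem does not affect the Debian binary package", reads like the same thing, and this hunk already edits that line ("a vulnerable source file, which is not built"). State the distinction there: unimportant is for vulnerable code that is present in the source package but not shipped in the binary, <not-affected> for code that is absent from the package or was fixed before the upload. The change to "fix or at least implement a workaround" is correct; while touching this block, "which has only mild security implications and one would even be comfortable with if it continues to be present" under low could be simplified to "that one could live with if it remained unfixed".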