Stefan wrote on Tue, 19 Dec 2017 23:39 +0100:
> On 19/12/2017 23:35, luke1...@apache.org wrote:
> Originally I only intended to unbreak the links in the CVSSv2 section
> but then decided to update the documentation to CVSSv3 which we are
> using meanwhile.

Ah, thanks!

> Since I never calculated the CVSS score for a Subversion vulnerability
> before,

If you're interested, you could go through the more recent advisories
(the security/ directories in the site and in the private repository),
read the patches that fixed them, compute a CVSSv2 or CVSSv3 vector
based on that (only, without reading the in-advisory analysis), and then
compare the one you computed with the one in the advisory.

This way, when the next vulnerability is reported, you'd be better able
to help compute / review a CVSS vector for it.

> maybe someone familiar with the details could verify the
> information I changed is accurate?
>
> In principle I only replaced what was called "Complete" in CVSSv2 to
> "High" for CVSSv3 and "Partial" got changed to "Low". As far as the
> specification goes, this should be how we handle it for CVSSv3, right?

Well, that depends on what the differences between CVSSv2 and CVSSv3
are. I don't remember off the top of my head whether the semantics of
"Complete" (resp. "Partial") and "High" (resp. "Low") are equivalent.

Cheers,

Daniel