severity 887751 serious
thanks

Hello Guido,

ok, that does make sense, to have at least a RC severity to keep the
bad/affected version out of testing.
If your severity upgrading email had contained this reasoning I
wouldn't have downgraded it :)

"grave" is too high though as this security issue has a DoS impact and not
an access/privilege one.
For the RC part to work "serious" is adequate though.

Thanks for the clarification.

Best regards,

Mirco (meebey) Bauer

FOSS Hacker             mee...@meebey.net  https://www.meebey.net/
Debian Developer        mee...@debian.org  http://www.debian.org/
GNOME Foundation Member mmmba...@gnome.org http://www.gnome.org/
CTO @ Gatecoin Ltd.     mi...@gatecoin.com https://gatecoin.com/
.NET Foundation Advisory Council Member    http://www.dotnetfoundation.org/
PGP-Key ID              0x7127E5ABEEF946C8 https://meebey.net/pubkey.asc

On Tue, Jan 23, 2018 at 2:37 PM, Guido Günther <a...@sigxcpu.org> wrote:

> Hi Mirco,
> On Tue, Jan 23, 2018 at 01:37:51PM +0800, Mirco Bauer wrote:
> >    severity 887751 important
> >    thanks
> >
> >    Hello Guido,
> >
> >    thank you for the report.
> >
> >    CVE-2018-2585 has been rated by the Debian security as a minor issue [0].
> >    You have bumped the severity from important to grave without an
> >    explanation.
>
> It only went in as important because I messed up the original report,
> sorry about that.
>
> >    Is there something you want to share?
>
> I marked it as no-dsa in the security tracker because I don't see a
> sensible way to fix this in stable / oldstable (given Oracle's update
> policy) and due to the affected reverse dependencies we currently have
> in these releases. But I deem the issue important enough to not let the
> package slip into a stable release again "accidentally". Does this make
> sense?
>
> Cheers,
>  -- Guido
>
> >     [0]: https://security-tracker.debian.org/tracker/CVE-2018-2585
> >    Best regards,
> >
> >    Mirco (meebey) Bauer
> >
> >    FOSS Hacker             mee...@meebey.net  https://www.meebey.net/
> >    Debian Developer        mee...@debian.org  http://www.debian.org/
> >    GNOME Foundation Member mmmba...@gnome.org http://www.gnome.org/
> >    CTO @ Gatecoin Ltd.     mi...@gatecoin.com https://gatecoin.com/
> >    .NET Foundation Advisory Council Member    http://www.dotnetfoundation.org/
> >    PGP-Key ID              0x7127E5ABEEF946C8 https://meebey.net/pubkey.asc
> >    On Sat, Jan 20, 2018 at 12:38 AM, Guido Günther <a...@sigxcpu.org> wrote:
> >
> >      Package: mysql-connector-net
> >      X-Debbugs-CC: t...@security.debian.org
> >      secure-testing-t...@lists.alioth.debian.org
> >      Severity: important
> >      Tags: grave
> >      Version: 6.4.3-2
> >
> >      Hi,
> >
> >      the following vulnerability was published for mysql-connector-net.
> >
> >      CVE-2018-2585[0]:
> >      | Vulnerability in the MySQL Connectors component of Oracle MySQL
> >      | (subcomponent: Connector/Net). Supported versions that are affected
> >      | are 6.9.9 and prior and 6.10.4 and prior. Easily exploitable
> >      | vulnerability allows unauthenticated attacker with network access via
> >      | multiple protocols to compromise MySQL Connectors. Successful attacks
> >      | of this vulnerability can result in unauthorized ability to cause a
> >      | hang or frequently repeatable crash (complete DOS) of MySQL
> >      | Connectors. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS
> >      | Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
> >
> >      If you fix the vulnerability please also make sure to include the
> >      CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> >      For further information see:
> >
> >      [0] https://security-tracker.debian.org/tracker/CVE-2018-2585
> >          https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2585
> >
> >      Please adjust the affected versions in the BTS as needed.
> >
> >      _______________________________________________
> >      pkg-cli-libs-team mailing list
> >      pkg-cli-libs-t...@lists.alioth.debian.org
> >      http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-cli-libs-team
>
