Re: How to see the list of CRITICALLY vulnerable packages in Debian?
On Sat, Dec 25, 2021 at 11:51:50PM +0100, maxwillb wrote:
> December 25, 2021 4:16:59 PM CET "Andrew M.A. Cater" wrote:
> > On Sat, Dec 25, 2021 at 03:36:12PM +0100, maxwillb wrote:
> > > So you're raising issues that everyone knows but can't do a great deal about
>
> Then what did you mean by "It's not as if people are massively dropping the
> ball here" ?

I meant that folk are aware: that we're not hiding information: that bug information and NVD levels are available - though at the level of the individual bug. Debian does take part in co-ordinated responsible disclosure with other Linux distributions, does maintain a security team - it's not as if the Project as a whole doesn't care.

> By the way, I'm not criticizing Debian. I know it's all volunteers, and
> Debian can't make them fix Chromium, or any other package on that list.
>
> I just wanted to know if there was a way to filter this list by (NVD)
> severity.

Check with the Debian security folk - ask on debian-security mailing list? The best info I had was the URL I gave you at the beginning of one of my messages.

All the very best, as ever,

Andy Cater [_Not_ one of the security folk]

> Merry Christmas!
>
> --
> Sent with https://mailfence.com
> Secure and private email
Re: How to see the list of CRITICALLY vulnerable packages in Debian?
December 25, 2021 4:16:59 PM CET "Andrew M.A. Cater" wrote:
On Sat, Dec 25, 2021 at 03:36:12PM +0100, maxwillb wrote:
> So you're raising issues that everyone knows but can't do a great deal about

Then what did you mean by "It's not as if people are massively dropping the ball here" ?

By the way, I'm not criticizing Debian. I know it's all volunteers, and Debian can't make them fix Chromium, or any other package on that list.

I just wanted to know if there was a way to filter this list by (NVD) severity.

Merry Christmas!

--
Sent with https://mailfence.com
Secure and private email
Re: How to see the list of CRITICALLY vulnerable packages in Debian?
December 25, 2021 5:41:40 PM CET to...@tuxteam.de wrote:
On Sat, Dec 25, 2021 at 05:32:58PM +0100, maxwillb wrote:
> Different folks have different criteria for different reasons, so
> whether I know a better (according to my criteria?) source is totally
> irrelevant here.

There are no viable alternatives to NVD.

Merry Christmas!

--
Sent with https://mailfence.com
Secure and private email
Re: How to see the list of CRITICALLY vulnerable packages in Debian?
On Sat, Dec 25, 2021 at 05:32:58PM +0100, maxwillb wrote:
> December 25, 2021 5:11:20 PM CET to...@tuxteam.de wrote:
> On Sat, Dec 25, 2021 at 04:56:31PM +0100, maxwillb wrote:
> > > some NVD database...
>
> Do you know a better source that provides CVE impact metrics?

That's not the point, and you know :)

Different folks have different criteria for different reasons, so
whether *I* know a better (according to my criteria?) source is totally
irrelevant here.

Cheers
-- t
Re: How to see the list of CRITICALLY vulnerable packages in Debian?
December 25, 2021 5:11:20 PM CET to...@tuxteam.de wrote:
On Sat, Dec 25, 2021 at 04:56:31PM +0100, maxwillb wrote:
> some NVD database...

Do you know a better source that provides CVE impact metrics?

https://www.cvedetails.com/cve/CVE-2021-37973/ has this one too, but they list the outdated 6.8 rating, which NVD updated to 9.8 (because it's actively being exploited in the wild)

Merry Christmas!

--
Sent with https://mailfence.com
Secure and private email
Re: How to see the list of CRITICALLY vulnerable packages in Debian?
December 25, 2021 1:27:03 PM CET Dan Ritter wrote:
maxwillb wrote:
> Debian doesn't ship Google Chrome.

Chromium is a subset of Chrome. This vulnerability is in that subset.

HTH

Merry Christmas!

--
Sent with https://mailfence.com
Secure and private email
Re: How to see the list of CRITICALLY vulnerable packages in Debian?
On Sat, Dec 25, 2021 at 04:56:31PM +0100, maxwillb wrote:
> December 25, 2021 4:04:03 PM CET Andy Smith wrote:
> On Sat, Dec 25, 2021 at 12:07:26AM +0100, maxwillb wrote:
> > > Dear max, I am the ghost of Christmas Open Source and I encourage you to
> > > ask for a full refund from Debian and all other volunteer projects that you
> > > are unsatisfied with!
>
> I know that we are not allowed to criticize Debian [...]

? I think you /are/ allowed to criticize whatever you want, but you have to accept critique yourself in exchange.

And oh, if you want to correlate Debian's CVEs with some NVD database... feel free to automate that. I'm sure people around Debian will support that, as long as it is compatible with licenses and stuff.

> Merry Christmas!

Same to you all.

Cheers
-- t
Re: How to see the list of CRITICALLY vulnerable packages in Debian?
December 25, 2021 4:04:03 PM CET Andy Smith wrote:
On Sat, Dec 25, 2021 at 12:07:26AM +0100, maxwillb wrote:
> Dear max, I am the ghost of Christmas Open Source and I encourage you to ask
> for a full refund from Debian and all other volunteer projects that you are
> unsatisfied with!

I know that we are not allowed to criticize Debian, because it's free and made by volunteers. And I wasn't criticizing it. I was just correcting Andrew who claimed that Debian is "not dropping the ball".

Merry Christmas!

--
Sent with https://mailfence.com
Secure and private email
Re: How to see the list of CRITICALLY vulnerable packages in Debian?
On Sat, Dec 25, 2021 at 12:07:26AM +0100, maxwillb wrote:
> No dev so much as bothered to click on the 'NVD' link?
>
> Merry Christmas!

Dear max, I am the ghost of Christmas Open Source and I encourage you to ask for a full refund from Debian and all other volunteer projects that you are unsatisfied with!

WOOOooOh
Re: How to see the list of CRITICALLY vulnerable packages in Debian?
December 25, 2021 1:51:39 PM CET "Andrew M.A. Cater" wrote:
On Sat, Dec 25, 2021 at 12:07:26AM +0100, maxwillb wrote:
> It's not as if people are massively dropping the ball here, in spite of your
> apprehension.

I'm sure Debian is doing its best. It's just that it's not enough:

https://security-tracker.debian.org/tracker/CVE-2021-30521
~6 months old. HIGH severity on NVD. "Not yet assigned" on Debian.

https://security-tracker.debian.org/tracker/CVE-2021-37973
~3 months old. CRITICAL severity on NVD. "Not yet assigned" on Debian.

etc. etc. ...

But I don't want to click on every one of these links. I just want to filter the vulnerabilities by their NVD severity. Hence this question.

--
Sent with https://mailfence.com
Secure and private email
Re: How to see the list of CRITICALLY vulnerable packages in Debian?
On Sat, Dec 25, 2021 at 12:07:26AM +0100, maxwillb wrote:
> https://security-tracker.debian.org/tracker/status/release/stable
>
> shows the list of packages currently considered vulnerable, but it does not
> show the severity.
>
> For example, https://nvd.nist.gov/vuln/detail/CVE-2021-37973 has a CRITICAL
> severity but the Debian security tracker simply says "not assigned" (No dev
> so much as bothered to click on the 'NVD' link?)
>
> Merry Christmas!
>
> --
> Sent with https://mailfence.com
> Secure and private email

Hi Maxwillb

If you click through any one of the CVE links, you find a link to a specific bug. That link also links to the bugs reported by other distributions, the Debian bug number and the NVD score - all the info you may need.

The "not yet assigned" may be that the Debian Security Team haven't assigned it a DSA number or decided on how severe it is "to Debian".

Taking the first one - first bug for aom - there's an assessment of which releases are vulnerable. There's a fixed release in testing. It links to various other bugs in Chromium. The next two CVEs for aom are also linked to the first bug and fixes backported to stable by the maintainer.

It's not as if people are massively dropping the ball here, in spite of your apprehension.

Hope this helps, and with very best regards as ever.

Andy Cater
Re: How to see the list of CRITICALLY vulnerable packages in Debian?
maxwillb wrote:
> https://security-tracker.debian.org/tracker/status/release/stable
>
> shows the list of packages currently considered vulnerable, but it does not
> show the severity.

Severity is a matter of opinion. The first opinion should be based on whether the package is even installed. Then on how important the package is. Then, perhaps, what degree of compromise is offered, and then how easy it is to exploit. But other people might have different ideas.

> For example, https://nvd.nist.gov/vuln/detail/CVE-2021-37973 has a CRITICAL
> severity but the Debian security tracker simply says "not assigned" (No dev
> so much as bothered to click on the 'NVD' link?)

Well, that one is easy: Debian doesn't ship Google Chrome. If you have Chrome on your system, you got it from some other organization.

There are five bugs noted for Chromium, though, in the security-tracker.debian.org link that you already know.

You should start with the listings for linux, the kernel package, since it's almost guaranteed you have that.

-dsr-
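[Editor's note, not part of the thread] Two things in this thread are concrete enough to script: tomás's suggestion of correlating the tracker's CVE list with NVD severities, and Dan's first triage filter, whether the package is even installed. The block below is an added example written for this page, not code from Debian or from any poster. It assumes the tracker's JSON export (https://security-tracker.debian.org/tracker/data/json) is keyed package -> CVE -> "releases" -> release with "status" and "urgency" fields, that the NVD side is the JSON 1.1 feed layout NVD published in 2021 ("CVE_Items" with "impact"/"baseMetricV3"), and that `dpkg-query -W -f='${source:Package}\n'` lists installed source packages. All three inputs are constructed samples; the NVD score for CVE-2021-30521 is illustrative, not authoritative.

```python
"""Join the Debian security tracker's CVE export with NVD severities.

Added example for this thread, not code from Debian or from any poster.
Assumed input shapes: tracker export {package: {cve: {"releases": {release:
{"status", "urgency", ...}}}}} and the NVD JSON 1.1 feed ({"CVE_Items": [...]}).
All samples below are constructed; scores are illustrative.
"""
import json
from typing import Dict, Iterable, List, NamedTuple, Optional, Set, Tuple

SEVERITY_RANK = {"UNSCORED": -1, "NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the tracker export's shape, using the two CVEs from the thread.
TRACKER_SAMPLE = json.dumps({
    "chromium": {
        "CVE-2021-37973": {"scope": "remote", "releases": {
            "bullseye": {"status": "open", "urgency": "not yet assigned"},
            "sid": {"status": "resolved", "urgency": "not yet assigned"}}},
        "CVE-2021-30521": {"scope": "remote", "releases": {
            "bullseye": {"status": "open", "urgency": "not yet assigned"}}},
    },
})

# Constructed sample in NVD JSON 1.1 shape. 9.8 (v3) and 6.8 (v2) for CVE-2021-37973
# are the figures mentioned in the thread; the CVE-2021-30521 score is made up.
NVD_SAMPLE = json.dumps({"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-2021-37973"}},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}},
                "baseMetricV2": {"cvssV2": {"baseScore": 6.8}, "severity": "MEDIUM"}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2021-30521"}},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 8.8, "baseSeverity": "HIGH"}}}},
]})

# Constructed stand-in for `dpkg-query -W -f='${source:Package}\n'` output.
DPKG_SAMPLE = "chromium\nlinux\nbash\nchromium\n"


class Row(NamedTuple):
    package: str
    cve: str
    release: str
    status: str    # open / resolved / undetermined
    urgency: str   # Debian's own rating, e.g. "not yet assigned", "low", "high"


def flatten_tracker(text: str) -> List[Row]:
    """One Row per (package, CVE, release) in the tracker export."""
    rows = []
    for package, cves in json.loads(text).items():
        for cve, info in cves.items():
            for release, rel in info.get("releases", {}).items():
                rows.append(Row(package, cve, release,
                                rel.get("status", "undetermined"),
                                rel.get("urgency", "not yet assigned")))
    return rows


def nvd_severity(text: str) -> Dict[str, Tuple[float, str]]:
    """CVE id -> (base score, severity), preferring CVSS v3 over v2 when both exist."""
    out: Dict[str, Tuple[float, str]] = {}
    for item in json.loads(text).get("CVE_Items", []):
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        impact = item.get("impact", {})
        v3 = impact.get("baseMetricV3", {}).get("cvssV3")
        v2 = impact.get("baseMetricV2")
        if v3:
            out[cve_id] = (float(v3["baseScore"]), v3["baseSeverity"].upper())
        elif v2:
            out[cve_id] = (float(v2["cvssV2"]["baseScore"]), v2.get("severity", "UNSCORED").upper())
    return out


def installed_sources(dpkg_output: str) -> Set[str]:
    """Source package names from dpkg-query output, one per line, deduplicated."""
    return {line.strip() for line in dpkg_output.splitlines() if line.strip()}


def worst_first(rows: Iterable[Row], nvd: Dict[str, Tuple[float, str]], release: str,
                min_severity: str = "HIGH", only_unassigned: bool = True,
                installed: Optional[Set[str]] = None) -> List[Tuple[str, str, float, str, str]]:
    """Open rows for `release` that NVD rates at or above `min_severity`, worst first.

    Rows with no NVD entry are kept (as UNSCORED, sorted to the bottom) so that a
    failed join stays visible instead of silently dropping a CVE. `installed`
    narrows the output to source packages present on the host.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    hits = []
    for r in rows:
        if r.release != release or r.status != "open":
            continue
        if only_unassigned and r.urgency != "not yet assigned":
            continue
        if installed is not None and r.package not in installed:
            continue
        score, sev = nvd.get(r.cve, (0.0, "UNSCORED"))
        if sev == "UNSCORED" or SEVERITY_RANK.get(sev, -1) >= threshold:
            hits.append((r.package, r.cve, score, sev, r.urgency))
    hits.sort(key=lambda h: (SEVERITY_RANK.get(h[3], -1), h[2]), reverse=True)
    return hits


if __name__ == "__main__":
    rows = flatten_tracker(TRACKER_SAMPLE)
    for pkg, cve, score, sev, urg in worst_first(rows, nvd_severity(NVD_SAMPLE), "bullseye",
                                                  installed=installed_sources(DPKG_SAMPLE)):
        print(f"{sev:9} {score:4.1f} {pkg:12} {cve:16} debian: {urg}")
```

Against real data you would feed `flatten_tracker` the tracker's JSON export and `nvd_severity` the year feed you downloaded; note that NVD has since retired the 1.1 feeds in favour of its 2.0 API, where the metrics sit under `cve.metrics.cvssMetricV31`, so `nvd_severity` needs adapting for current downloads. The join gives a triage order, not Debian's judgement: the tracker's `urgency` field is the Debian-specific call, and an NVD score describes upstream code, not necessarily what a given Debian release builds and ships.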
How to see the list of CRITICALLY vulnerable packages in Debian?
https://security-tracker.debian.org/tracker/status/release/stable

shows the list of packages currently considered vulnerable, but it does not show the severity.

For example, https://nvd.nist.gov/vuln/detail/CVE-2021-37973 has a CRITICAL severity but the Debian security tracker simply says "not assigned" (No dev so much as bothered to click on the 'NVD' link?)

Merry Christmas!

--
Sent with https://mailfence.com
Secure and private email