Hi Roberto
See below.
On Fri, 12 Apr 2024 at 00:14, Roberto C. Sánchez wrote:
> On Thu, Apr 11, 2024 at 10:23:13PM +0200, Ola Lundqvist wrote:
> > I hope you do not mind me asking but there is one thing that I would
> > like to check.
> >
> > When I look at this CVE that was previously
On Thu, Apr 11, 2024 at 10:01:49PM +0200, Ola Lundqvist wrote:
> Hi Roberto
>
> Maybe there is some counting mishap still. We may get double counting
> due to the -A and -B flags. But it should not matter so much because
> the double counting will then be both for corrected and others (at
> least
Hi Ola,
On Thu, Apr 11, 2024 at 11:11:15PM +0200, Ola Lundqvist wrote:
>
> What I typically do is to read the description, and the referenced
> material to see if the reporter seems to make sense. If there is a fix
> > available read the fix. The fix typically gives a lot of information.
> In this
On Thu, Apr 11, 2024 at 10:23:13PM +0200, Ola Lundqvist wrote:
> Hi fellow LTS contributors
>
> I hope you do not mind me asking but there is one thing that I would
> like to check.
>
> When I look at this CVE that was previously postponed:
>
Hi Adrian
See below.
On Thu, 11 Apr 2024 at 22:46, Adrian Bunk wrote:
>
> On Thu, Apr 11, 2024 at 09:34:00PM +0200, Ola Lundqvist wrote:
> >...
> > On Thu, 11 Apr 2024 at 15:34, Santiago Ruano Rincón
> > wrote:
> > ...
> > > Taking one of the recent changes to data/CVE/list:
> > >
> > > @@
On Thu, Apr 11, 2024 at 09:34:00PM +0200, Ola Lundqvist wrote:
>...
> On Thu, 11 Apr 2024 at 15:34, Santiago Ruano Rincón
> wrote:
> ...
> > Taking one of the recent changes to data/CVE/list:
> >
> > @@ -6999,6 +7000,7 @@ CVE-2024-28579 (Buffer Overflow vulnerability in open
> > source FreeImage
Hi fellow LTS contributors
I hope you do not mind me asking but there is one thing that I would
like to check.
When I look at this CVE that was previously postponed:
https://security-tracker.debian.org/tracker/CVE-2019-12214
The information tells that the vulnerability may in fact not be in
Hi Roberto
Maybe there is some counting mishap still. We may get double counting
due to the -A and -B flags. But it should not matter so much because
the double counting will then be both for corrected and others (at
least on average). When writing this I think I may get more
over-counting on the
Hi Adrian
On Thu, 11 Apr 2024 at 17:18, Adrian Bunk wrote:
...
> > + [buster] - freeimage (Revisit when fixed upstream, low
> > severity DoS in tool)
> > NOTE:
> > https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909
> >
> > Are you completely sure the related
Hi Santiago
Cutting down the commented part since it is rather long.
On Thu, 11 Apr 2024 at 15:34, Santiago Ruano Rincón
wrote:
...
>
> The fact of claiming a package to avoid double-work is not the problem I
> see. What brought my attention was the way you said you were working on
> freeimage.
Hi Ola,
On Wed, Apr 10, 2024 at 09:42:48PM +0200, Ola Lundqvist wrote:
>
> You can see that in 1 year and 3 months we have fixed
> 2023: 58
> 2022: 15
> 2021: 78
> 2020: 11
> 2019: 1
>
> Total (not counting CVEs for 2018 and earlier) 162.
>
> It is still a low number.
>
> And I think I found
On Thu, Apr 11, 2024 at 10:34:13AM -0300, Santiago Ruano Rincón wrote:
>...
> On 11/04/24 at 08:25, Ola Lundqvist wrote:
>...
> > The ones I have now postponed are of the "local DoS" class. I'm here
> > interpreting that "local DoS" is the same as DoS after human
> > interaction. It is not
Hello Cyrille,
On 11/04/24 at 09:15, Cyrille Bollu wrote:
> Why not use CVSS as a base calculation for assigning severity levels?
>
> IIRC, something like:
>
> CVSS>=8 => High
> 4<=CVSS<8 => Medium
> CVSS<4 => Low
...
Thanks for the comment!
I cannot talk for the security team, but I
Hi Ola,
On 11/04/24 at 08:25, Ola Lundqvist wrote:
> On Thu, 11 Apr 2024 at 02:34, Santiago Ruano Rincón
> > On 10/04/24 at 22:08, Ola Lundqvist wrote:
> > > Hi all
> > >
> > > Sorry for the late reply. It took me too long today to answer the CVE
> > > triaging discussion. Now to this
Hi Chris
On Thu, 11 Apr 2024 at 10:17, Chris Lamb wrote:
>
> Hey Ola,
>
> > And I think I found the counting mishap. :-)
> >
> > When a CVE is fixed, the buster tag is removed. :-D
>
> Ooh, yeah I suppose that might do it. :) Either way, congrats on
> spotting and correcting the issue…
Thank
Hey Ola,
> And I think I found the counting mishap. :-)
>
> When a CVE is fixed, the buster tag is removed. :-D
Ooh, yeah I suppose that might do it. :) Either way, congrats on
spotting and correcting the issue… and I hope my slightly terse
mail didn't come across as negative.
Regards,
--
Hi Cyrille
Yes CVSS is a good starting point. A question there is how accurate
that score is, especially for CVEs on obscure packages.
I think it is valuable to have a guideline so we can evaluate if the
CVSS is reasonable.
It is sometimes a little dangerous to only focus on a number. :-)
But
Why not use CVSS as a base calculation for assigning severity levels?
IIRC, something like:
CVSS>=8 => High
4<=CVSS<8 => Medium
CVSS<4 => Low
was a good guidance in my previous job.
FYI, I've attached the table that drove us to these scores.
Cyrille
On Wednesday 10 April 2024 at 23:30 +0200,
Hi,
On Wed, 10 Apr 2024, Ola Lundqvist wrote:
> > Some package maintainers will typically decide to fix it via a point
> > release. But they rarely update the triaging to document "postponed" or
> > "ignored". So that's why it's up to the LTS team to make that call
> > when we are (alone) in
Hi Santiago
See below.
On Thu, 11 Apr 2024 at 02:34, Santiago Ruano Rincón
wrote:
>
> Hi Ola,
>
> On 10/04/24 at 22:08, Ola Lundqvist wrote:
> > Hi all
> >
> > Sorry for the late reply. It took me too long today to answer the CVE
> > triaging discussion. Now to this issue.
> >
> > Regarding