Sandro Tosi wrote:
> 
> please attach a full log of the terminal screen where the bug happens?

$ reportbug reportbug

... SNIP ...

>>> For severity you are offered.

1 critical        makes unrelated software on the system (or the whole system)
                  break, or causes serious data loss, or introduces a security
                  hole on systems where you install the package.

2 grave           makes the package in question unusable by most or all users,
                  or causes data loss, or introduces a security hole allowing
                  access to the accounts of users who use the package.

....


>>> Selecting severity 1 you are offered these two security related options.

....

4 root security hole         introduces a security hole allowing access to root
                             (or another privileged system account), or data
                             normally accessible only by such accounts
5 unknown                    not sure, or none of the above

Selecting 5 downgrades the severity from "critical" to "grave".

I was filing a bug that clearly introduced a security problem "on
systems where you install the package", but that didn't meet the
criteria "root (or another privileged system account)", so my
classification as "Critical" was immediately downgraded to "Grave".

On these criteria the recent openssl problem was "Grave" not "critical"
as it only affects accounts of people who use the software installed, it
isn't a failure due to the software being installed.

I just thought one or other of the descriptions should be brought into
line with each other so that I didn't choose "Critical" and then get the
report downgraded because it wasn't a root hole.

My assumption was that a hole doesn't need to be root or another
privileged system account if it allows arbitrary access to a normal
user's account just by being installed; but which question is made to
reflect the other is more to do with policy than software.

Perhaps I'm being over-analytical, or pedantic, but I don't report
serious security issues often, and thought the classification was
unclear here.


