On Sun, 01 Mar 2009 10:16:27 +0100 wrote:

> > (although if that's the case, i think that there is a problem
> > with debian's documentation [1] since it appears to indicate that any
> > and all security holes are to be reported as grave).
>
> It says “Most security bugs should also be set at critical or grave
> severity.”. I guess you missed the “most”?
Yes indeed, I had overlooked that statement. However, it is to be found in the "Tags" and not the "Severity levels" section, so I had no reason to look there. Anyway, "most" means most, and the "non-most" category would primarily include no-data-compromise issues such as denial-of-service, I believe.

> Anyway, I'm not really sure of the severity, it's not that easy to
> exploit, and exploited anyway. I'll summarize that upstream and decide
> then.

It is in fact trivial to exploit:

1. Place a malicious launcher (one that downloads and executes your malicious script or executable, aka a trojan) on a popular website, bittorrent, ftp, etc.
2. Wait for an unsuspecting user to visit the site, download the launcher, and eventually wonder what that new icon does.
3. Success.

The only questionable aspects are how easy it will be for users to find these things, and how many of them blindly click without considering the consequences. Most Linux users are smart, but I would bet that at least 75% don't do their homework to figure out what they have before clicking on it. Attackers have patience and understand the law of large numbers.

mike