On Wed, Apr 12, 2006 at 08:24:59AM +0200, Florian Weimer wrote:
> * Steve Langasek:
> > A DoS does not normally qualify as a severity: grave security bug.
> Why the sudden change in policy?
> So far, only user-initiated denial-of-service conditions (e.g. editor
> crashes when opening certain files) were not considered grave bugs.

Hrm, it wasn't my understanding that this is a change in policy.
According to <http://www.debian.org/Bugs/Developer#severities>, the
severities for security bugs are:

  critical: introduces a security hole on systems where you install
            the package
  grave:    introduces a security hole allowing access to the accounts
            of users who use the package
  ...
  important: most other stuff

and I understood that these severities followed from the Security Team's
policies regarding stable updates, which I was trying to honor with my
adjusting of this bug. If DoS bugs are being treated as grounds for
issuing DSAs, I'm fine with re-raising the severity on bugs like that; I
just don't want security bugs marked as "grave" if they don't qualify for
security updates in stable.

You can argue, depending on the type of service, that a remote DoS makes
a package unusable. That doesn't seem to apply to a database server that
is unlikely to be on the public Internet, though.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/