On Wed, Jan 29, 2025 at 03:22:02PM +0100, Rafał Lichwała wrote:
>    On 29.01.2025 2:43 PM, Dan Ritter wrote:
> 
>  CVSS are often bogus.
> 
>  Hmmm... I'm not sure what you mean. All security announcements in DSAs are
>  referring to CVSS, so... what's the source of such opinion?
> 
> 
>  Most recently: [1]https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/
> 
Did you actually read and understand the entire article?

>    Yeah, another blog and opinion. 

A blog by the author of cURL. I would submit that his opinion is
extremely relevant, if for no other reason than that there is hardly a more
important/commonly used piece of network software out there.

> Do we (debians) have some better
>    alternatives?
> 
Yes, you read the CVE, you look at how the CVSS score was derived, you
adjust as needed for your specific use case, and then you make a decision
based on that.

>    Are there plans to switch to other solution? Or maybe just discussion
>    about such switch?
> 
Many alternatives are under discussion, but the industry is largely
driven by people who have a vested interest in making every
vulnerability seem as critical as possible. Then they can sell security
scanning and remediation solutions for a lot of money. If every
vulnerability was basically "this might be a problem for 0.1% of users
and a minor problem at that" then they would have a hard time selling
their products and services.

>  You say: minor, minor, it appears to only exist in Android
> 
>  Really? :-)
> 
Yes, really, that's what the security tracker and related sources state.

>  I read the notes. You sent the links, you should read them.
> 
>    Another misunderstanding - sorry maybe that's my "language side-effect"
>    ;-)
> 
>    I sent the links, but it seems I don't fully understand them, so I ask for
>    explanation.
> 
>    Then you cite some parts from those links in plain text, so I guess you
>    understand them better and (again - I guess) you fully agree with those
>    statements.
>    So could you please explain to me what's wrong with my understanding?
> 
What is happening here is that Debian tracks this CVE as affecting its
zlib package because in theory someone could take the source of zlib and
modify it to produce the vulnerable binary. This is something that
people should know about, since taking and modifying/rebuilding Debian
source packages is rather common.

However, Debian itself does *not* build the affected component. So, it
makes no sense for Debian as a project to put limited effort into fixing
such a vulnerability.

If fixing it is important to you personally, then you are welcome to
figure out the patch or patches that apply, apply them, test the
resulting package, and then communicate with the security team and
release managers to have it included in the next stable point release
(which will probably be sometime in March).

Regards,

-Roberto

-- 
Roberto C. Sánchez
