At http://people.ubuntu.com/~ubuntu-security/ the security patches for packages are published and linked to the corresponding CVE at Mitre.
I'm just wondering how the "priority" is set. For example, the exploit in the jdk package has a CVSS v2 base score of 10.0 (link to NVD here), but in the Ubuntu view the priority is only "medium", whereas Heartbleed, with a CVSS v2 base score of 5.0, has "high" priority.
Is this priority field just the result of human investigation, or am I mixing something up?
Answer 1
There are also install base and usage considerations. Bash is present on nearly every Ubuntu installation and is at the core of a huge number of scripts, whereas Java ... is not. I would treat a bash vulnerability as more important than a Java vulnerability any day. (And, from what people say, Java vulnerabilities turn up every now and then.)
The Security Team wiki links to the CVE Tracker's README, which describes the priorities:
negligible  Something that is technically a security problem, but is
            only theoretical in nature, requires a very special
            situation, has almost no install base, or does no real
            damage. These tend not to get backport from upstreams,
            and will likely not be included in security updates unless
            there is an easy fix and some other issue causes an update.
low         Something that is a security problem, but is hard to
            exploit due to environment, requires a user-assisted
            attack, a small install base, or does very little damage.
            These tend to be included in security updates only when
            higher priority issues require an update, or if many
            low priority issues have built up.
medium      Something is a real security problem, and is exploitable
            for many people. Includes network daemon denial of service
            attacks, cross-site scripting, and gaining user privileges.
            Updates should be made soon for this priority of issue.
high        A real problem, exploitable for many people in a default
            installation. Includes serious remote denial of services,
            local root privilege escalations, or data loss.
critical    A world-burning problem, exploitable for nearly all people
            in a default installation of Ubuntu. Includes remote root
            privilege escalations, or massive data loss.
In this case, Shellshock is a bug affecting software installed by default (bash). That is why it has a high priority.
As far as I know, priorities are set by the people triaging the bugs.