Re: svn commit: r1818724 - /subversion/site/staging/faq.html

Stefan wrote on Tue, 19 Dec 2017 23:39 +0100:
> On 19/12/2017 23:35, luke1410_at_apache.org wrote:
> Originally I only intended to unbreak the links in the CVSSv2 section
> but then decided to update the documentation to CVSSv3 which we are
> using meanwhile.

Ah, thanks!

> Since I never calculated the CVSS score for a Subversion vulnerability
> before,

If you're interested, you could go through the more recent advisories
(the security/ directories in the site and in the private repository),
read the patches that fixed them, compute a CVSSv2 or CVSSv3 vector
based on that (only, without reading the in-advisory analysis), and then
compare the one you computed with the one in the advisory.

This way, when the next vulnerability is reported, you'd be better able
to help compute / review a CVSS vector for it.

> maybe someone familiar with the details could verify the
> information I changed are accurate?
>
> In principle I only replaced what was called "Complete" in CVSSv2 to
> "High" for CVSSv3 and "Partial" got changed to "Low". As far as the
> specification goes, this should be how we handle it for CVSSv3, right?

Well, that depends on what the differences between CVSSv2 and CVSSv3
are. I don't remember off the top of my head whether the semantics of
"Complete" (resp. "Partial") and "High" (resp. "Low") are equivalent.

Cheers,

Daniel
Received on 2017-12-20 01:08:22 CET