Posted to commits@subversion.apache.org by br...@apache.org on 2013/04/04 04:56:02 UTC
svn commit: r1464262 - /subversion/site/publish/faq.html
Author: breser
Date: Thu Apr 4 02:56:02 2013
New Revision: 1464262
URL: http://svn.apache.org/r1464262
Log:
Add CVSSv2 section to FAQ.
* publish/faq.html
(cvssv2): New answer.
Modified:
subversion/site/publish/faq.html
Modified: subversion/site/publish/faq.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/faq.html?rev=1464262&r1=1464261&r2=1464262&view=diff
==============================================================================
--- subversion/site/publish/faq.html (original)
+++ subversion/site/publish/faq.html Thu Apr 4 02:56:02 2013
@@ -293,6 +293,8 @@ validating server certificate</tt> error
<li><a href="#baton">What's a 'baton'?</a></li>
<li><a href="#def-wedged-repository">What do you mean when you say that
repository is 'wedged'?</a></li>
+<li><a href="#cvssv2">What is CVSSv2 and what do the score and vector
+ mean?</a></li>
</ul>
</div>
@@ -4489,6 +4491,87 @@ real data loss in the repository.</p>
</div>
+<div class="h3" id="cvssv2">
+<h3>What is CVSSv2 and what do the score and vector mean?</h3>
+ <a class="sectionlink" href="#cvssv2"
+ title="Link to this section">¶</a>
+</h3>
+
+
+<p>Subversion has begun using CVSSv2 in our security advisories so you
+will now see a CVSSv2 Base Score and Vector in the Severity section of our
+advisories. CVSSv2 is the current version of the Common Vulnerability
+Scoring System which is an open industry standard for assessing the severity
+of computer system security vulnerabilities. <a href="http://www.first.org/">
+FIRST</a> maintains the the <a href="http://www.first.org/cvss/cvss-guide.html">
+documentation</a> for the standard.
+</p>
+
+<p>The score is a numerical number in the range of 0 to 10 with less risky
+vulnerabilities scoring lower and more risky vunerabilities scoring higher.
+The score is calculated by determining the metrics of the vunerability and then
+calculating the score based on those metrics. If you want to understand how a
+score was determined you would need the vector and an understanding of the
+<a href="http://www.first.org/cvss/cvss-guide.html#i3.2">formula as specified
+by the standard</a>.
+</p>
+
+<p>The vector is an <a href="http://www.first.org/cvss/cvss-guide.html#i2.4">
+abbreviated description</a> of the metrics that apply to the vulnerability.
+</p>
+
+<p>CVSSv2 provides for 3 types of metrics and scores; base, temporal and
+environmental. The Subversion project will only ever provide the base
+score and metrics. As a project we cannot determine the environmental
+risks of the various installations so it is not possible for us to
+calculate the environmental metrics. The temporal metrics are for factors
+that may change over time. We do not update our advisories once published
+so it's not possible for us to track these changing values.
+</p>
+
+<p>Some vulnerabilities require specific configurations or environmental
+factors in order to be exploited. CVSSv2 specifies that the Access Complexity
+metric consider how common such a configuration is. As a result, a
+vulnerability that requires an unusual configuration will have a low score.
+The scores can help you prioritize how quickly you need to react to an advisory
+but as a result of the Access Complexity metric you should still consider how
+the vulnerability impacts your installation.
+</p>
+
+<p>When calculating the Availability Impact metric of server vulnerabilities
+the Subversion project will use the value of Complete within the context of
+Subversion and not the host system. For example when considering a Denial of
+Service attack the Availability Impact metric will be calculated as Complete if
+the vulnerability allows an attacker to make the Subversion server completely
+inaccessible. On the other hand if the attack only made the Subversion server
+slow or limited the number of successful connections it would be rated as
+Partial.
+</p>
+
+<p>When calculating the Integrity Impact metric of server vulnerabilities the
+Subversion project will use the value of Complete when history of the
+Subversion repositories may be changed or when the ability to modify any file
+on the host system occurs. The ability to change any file (while leaving the
+appropriate history trail) in violation of any authentication or authorization
+requirements will be treated as Partial.
+</p>
+
+<p>When calculating the Confidentiality Impact metric of server vulnerabilities
+the Subversion project will use the value of Complete when all files in the
+repository may be read regardless of any authentiation or authorizaiton
+requirements. If only some files may be read it will be considered Partial.
+</p>
+
+<p>As a result of how we calculate these impact metrics you may see advisories
+in vulnerability databases or vendor advisories that have a different score.
+For instance an Linux distribution that provides a binary package of Subversion
+may score the full exposure of the contents of the Subversion repository
+hosted on the system as only a Partial Confidentiality Impact, resulting in
+a lower score.
+</p>
+
+</div>
+
</div>
</div>
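Review bot: the new heading in this hunk closes `<h3>` twice: `<h3>What is CVSSv2 and what do the score and vector mean?</h3>` is immediately followed by the sectionlink anchor and a second `</h3>`, which leaves the `¶` link outside the heading and the markup invalid (browsers will discard the stray closing tag, but the section-link styling used elsewhere on the page expects the anchor inside the heading). Drop the `</h3>` on the first line so the block reads `<h3>What is CVSSv2 and what do the score and vector mean?` / `<a class="sectionlink" href="#cvssv2" title="Link to this section">¶</a>` / `</h3>`. While touching the text: the `<a href="http://www.first.org/">` line break puts underlined leading whitespace in front of `FIRST`, "maintains the the" doubles the article, "vunerabilities" appears twice, "authentiation or authorizaiton" and "an Linux distribution" are misspelled, "numerical number" is redundant (just "number"), and "3 types of metrics and scores; base, temporal and environmental" wants a colon rather than a semicolon. One content remark for the defender reading these advisories: the paragraph on Access Complexity correctly warns that an unusual configuration lowers the score, so the FAQ might state plainly that a low base score is not a reason to skip an advisory if the reader's deployment matches the required configuration; the current wording ("you should still consider how the vulnerability impacts your installation") gets there but could be more direct.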
Re: svn commit: r1464262 - /subversion/site/publish/faq.html
Posted by Daniel Shahaf <da...@elego.de>.
Two nits:
breser@apache.org wrote on Thu, Apr 04, 2013 at 02:56:02 -0000:
> +of computer system security vulnerabilities. <a href="http://www.first.org/">
> +FIRST</a> maintains the the <a href="http://www.first.org/cvss/cvss-guide.html">
> +documentation</a> for the standard.
Should be instead:
... vulnerabilities. <a href="..."
>FIRST</a> maintains ...
to avoid leading underlined whitespace.
> +</p>
> +
> +<p>The score is a numerical number in the range of 0 to 10 with less risky
s/numerical//