Posted to commits@subversion.apache.org by lu...@apache.org on 2017/12/25 22:53:43 UTC

svn commit: r1819266 - in /subversion/site/publish: ./ faq.html

Author: luke1410
Date: Mon Dec 25 22:53:43 2017
New Revision: 1819266

URL: http://svn.apache.org/viewvc?rev=1819266&view=rev
Log:
* site/publish: Merge from staging.

Modified:
    subversion/site/publish/   (props changed)
    subversion/site/publish/faq.html

Propchange: subversion/site/publish/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon Dec 25 22:53:43 2017
@@ -1 +1 @@
-/subversion/site/staging:1815037-1815041,1815121-1815122,1815143,1816503,1816509-1816618,1816773-1816926,1816940-1817033,1817142-1817435,1817659,1817713-1817720,1817862,1817969,1818080,1818083,1818206,1818340-1818384
+/subversion/site/staging:1815037-1815041,1815121-1815122,1815143,1816503,1816509-1816618,1816773-1816926,1816940-1817033,1817142-1817435,1817659,1817713-1817720,1817862,1817969,1818080,1818083,1818206,1818340-1818384,1818724

Modified: subversion/site/publish/faq.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/faq.html?rev=1819266&r1=1819265&r2=1819266&view=diff
==============================================================================
--- subversion/site/publish/faq.html (original)
+++ subversion/site/publish/faq.html Mon Dec 25 22:53:43 2017
@@ -279,7 +279,7 @@ validating server certificate</tt> error
 <li><a href="#baton">What's a 'baton'?</a></li> 
 <li><a href="#def-wedged-repository">What do you mean when you say that
     repository is 'wedged'?</a></li>
-<li><a href="#cvssv2">What is CVSSv2 and what do the score and vector
+<li><a href="#cvssv3">What is CVSSv3 and what do the score and vector
     mean?</a></li>
 </ul>
 
@@ -4355,20 +4355,21 @@ real data loss in the repository.</p>
 
 </div>
 
-<div class="h3" id="cvssv2">
-<h3>What is CVSSv2 and what do the score and vector mean?
+<div id="cvssv2"></div>
+<div class="h3" id="cvssv3">
+<h3>What is CVSSv3 and what do the score and vector mean?
   <a class="sectionlink" href="#cvssv2"
     title="Link to this section">&para;</a>
 </h3>
 
 
-<p>Subversion has begun using CVSSv2 in our 
-<a href="/security/#advisories">security advisories
-</a>so you will now see a CVSSv2 Base Score and Vector in the Severity section
-of our advisories.  CVSSv2 is the current version of the Common Vulnerability
-Scoring System which is an open industry standard for assessing the severity
-of computer system security vulnerabilities.  <a href="https://www.first.org/"
->FIRST</a> maintains the <a href="https://www.first.org/cvss/v2/guide"
+<p>Subversion is using CVSSv3 in our
+<a href="/security/#advisories">security advisories</a>
+so you will see a CVSSv3 Base Score and Vector in the Severity section of our
+advisories.  CVSSv3 is the current version of the Common Vulnerability Scoring
+System which is an open industry standard for assessing the severity of
+computer system security vulnerabilities.  <a href="https://www.first.org/"
+>FIRST</a> maintains the <a href="https://www.first.org/cvss/user-guide"
 >documentation</a> for the standard.
 </p>
 
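Review bot: the section's self-link on the `<a class="sectionlink" href="#cvssv2"` line still targets the old id while the enclosing div in this hunk now carries id="cvssv3", so the ¶ link no longer points at the section it sits in; change it to href="#cvssv3". Keeping the empty `<div id="cvssv2"></div>` as a compatibility anchor for inbound links is the right call and should stay.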
@@ -4377,15 +4378,16 @@ scoring lower and more risky vunerabilit
 calculated by determining the metrics of the vunerability and then calculating
 the score based on those metrics.  If you want to understand how a score was
 determined you would need the vector and an understanding of the
-<a href="http://www.first.org/cvss/cvss-guide.html#i3.2">formula as specified
-by the standard</a>.
+<a href="https://www.first.org/cvss/specification-document#8-CVSS-v3-0-Equations
+>formula as specified by the standard</a>.
 </p>
 
-<p>The vector is an <a href="http://www.first.org/cvss/cvss-guide.html#i2.4"
+<p>The vector is an
+<a href="https://www.first.org/cvss/specification-document#6-Vector-String"
 >abbreviated description</a> of the metrics that apply to the vulnerability.
 </p>
 
-<p>CVSSv2 provides for 3 types of metrics and scores; base, temporal and
+<p>CVSSv3 provides for 3 types of metrics and scores; base, temporal and
 environmental.  The Subversion project will only ever provide the base 
 score and metrics.  As a project we cannot determine the environmental
 risks of the various installations so it is not possible for us to
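Review bot: the href on the `<a href="https://www.first.org/cvss/specification-document#8-CVSS-v3-0-Equations` line has no closing double quote before the `>` that starts the next line, so a browser will swallow `>formula as specified by the standard</a>.` and everything up to the next `"` into the attribute value and the link text disappears; append the closing quote (`...v3-0-Equations"`). Nit: the unchanged context lines around it spell "vunerability"/"vunerabilit" (vulnerability); worth fixing while this paragraph is being edited.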
@@ -4395,7 +4397,7 @@ so it's not possible for us to track the
 </p>
 
 <p>Some vulnerabilities require specific configurations or environmental
-factors in order to be exploited.  CVSSv2 specifies that the Access Complexity
+factors in order to be exploited.  CVSSv3 specifies that the Access Complexity
 metric consider how common such a configuration is.  As a result, a
 vulnerability that requires an unusual configuration will have a low score.
 The scores can help you prioritize how quickly you need to react to an advisory
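Review bot: "Access Complexity" is the CVSSv2 name; CVSSv3 renamed the metric to Attack Complexity (AC), so the sentence should read "CVSSv3 specifies that the Attack Complexity metric ...". Since the v3 specification defines AC in terms of conditions beyond the attacker's control rather than how common a configuration is, re-check the claim against the linked document and, if the project intends to keep scoring unusual configurations as higher complexity, state that as the project's own scoring policy rather than attributing it to the standard.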
@@ -4406,33 +4408,32 @@ the vulnerability impacts your installat
 <p>When calculating the Availability Impact metric of server vulnerabilities
 the Subversion project will use the value of Complete within the context of
 Subversion and not the host system.  For example when considering a Denial of
-Service attack the Availability Impact metric will be calculated as Complete if
-the vulnerability allows an attacker to make the Subversion server completely
+Service attack the Availability Impact metric will be calculated as High if the
+vulnerability allows an attacker to make the Subversion server completely
 inaccessible.  On the other hand if the attack only made the Subversion server
-slow or limited the number of successful connections it would be rated as
-Partial.
+slow or limited the number of successful connections it would be rated as Low.
 </p>
 
 <p>When calculating the Integrity Impact metric of server vulnerabilities the
-Subversion project will use the value of Complete when history of the
-Subversion repositories may be changed or when the ability to modify any file
-on the host system occurs.  The ability to change any file (while leaving the
-appropriate history trail) in violation of any authentication or authorization
-requirements will be treated as Partial.
+Subversion project will use the value of High when history of the Subversion
+repositories may be changed or when the ability to modify any file on the host
+system occurs.  The ability to change any file (while leaving the appropriate
+history trail) in violation of any authentication or authorization requirements
+will be treated as Low.
 </p>
 
 <p>When calculating the Confidentiality Impact metric of server vulnerabilities
-the Subversion project will use the value of Complete when all files in the 
+the Subversion project will use the value of High when all files in the 
 repository may be read regardless of any authentiation or authorizaiton
-requirements.  If only some files may be read it will be considered Partial.
+requirements.  If only some files may be read it will be considered Low.
 </p>
 
 <p>As a result of how we calculate these impact metrics you may see advisories
 in vulnerability databases or vendor advisories that have a different score.
 For instance an Linux distribution that provides a binary package of Subversion
 may score the full exposure of the contents of the Subversion repository
-hosted on the system as only a Partial Confidentiality Impact, resulting in
-a lower score.
+hosted on the system as only a Low Confidentiality Impact, resulting in a lower
+score.
 </p>
 
 </div>
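Review bot: the unchanged context line "the Subversion project will use the value of Complete within the context of" in the Availability Impact paragraph still carries the CVSSv2 value name while the rest of the hunk switches to the v3 High/Low values; change "Complete" to "High" there as well so the paragraph is internally consistent. Same area: the Confidentiality Impact context line has "authentiation or authorizaiton" (authentication or authorization), a pre-existing typo that can be fixed in the same edit.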