subversion-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bre...@apache.org
Subject svn commit: r1464262 - /subversion/site/publish/faq.html
Date Thu, 04 Apr 2013 02:56:02 GMT
Author: breser
Date: Thu Apr  4 02:56:02 2013
New Revision: 1464262

URL: http://svn.apache.org/r1464262
Log:
Add CVSSv2 section to FAQ.

* publish/faq.html
  (cvssv2): New answer.

Modified:
    subversion/site/publish/faq.html

Modified: subversion/site/publish/faq.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/faq.html?rev=1464262&r1=1464261&r2=1464262&view=diff
==============================================================================
--- subversion/site/publish/faq.html (original)
+++ subversion/site/publish/faq.html Thu Apr  4 02:56:02 2013
@@ -293,6 +293,8 @@ validating server certificate</tt> error
 <li><a href="#baton">What's a 'baton'?</a></li> 
 <li><a href="#def-wedged-repository">What do you mean when you say that
     repository is 'wedged'?</a></li>
+<li><a href="#cvssv2">What is CVSSv2 and what do the score and vector
+    mean?</a></li>
 </ul>
 
 </div>
@@ -4489,6 +4491,87 @@ real data loss in the repository.</p>
 
 </div>
 
+<div class="h3" id="cvssv2">
+<h3>What is CVSSv2 and what do the score and vector mean?</h3>
+  <a class="sectionlink" href="#cvssv2"
+	  title="Link to this section">&para;</a>
+</h3>
+
+
+<p>Subversion has begun using CVSSv2 in our security advisories so you 
+will now see a CVSSv2 Base Score and Vector in the Severity section of our
+advisories.  CVSSv2 is the current version of the Common Vulnerability
+Scoring System which is an open industry standard for assessing the severity
+of computer system security vulnerabilities.  <a href="http://www.first.org/">
+FIRST</a> maintains the the <a href="http://www.first.org/cvss/cvss-guide.html">
+documentation</a> for the standard.
+</p>
+
+<p>The score is a numerical number in the range of 0 to 10 with less risky
+vulnerabilities scoring lower and more risky vunerabilities scoring higher.
+The score is calculated by determining the metrics of the vunerability and then
+calculating the score based on those metrics.  If you want to understand how a
+score was determined you would need the vector and an understanding of the
+<a href="http://www.first.org/cvss/cvss-guide.html#i3.2">formula as specified
+by the standard</a>.
+</p>
+
+<p>The vector is an <a href="http://www.first.org/cvss/cvss-guide.html#i2.4">
+abbreviated description</a> of the metrics that apply to the vulnerability.
+</p>
+
+<p>CVSSv2 provides for 3 types of metrics and scores; base, temporal and
+environmental.  The Subversion project will only ever provide the base 
+score and metrics.  As a project we cannot determine the environmental
+risks of the various installations so it is not possible for us to
+calculate the environmental metrics.  The temporal metrics are for factors
+that may change over time.  We do not update our advisories once published
+so it's not possible for us to track these changing values.
+</p>
+
+<p>Some vulnerabilities require specific configurations or environmental
+factors in order to be exploited.  CVSSv2 specifies that the Access Complexity
+metric consider how common such a configuration is.  As a result, a
+vulnerability that requires an unusual configuration will have a low score.
+The scores can help you prioritize how quickly you need to react to an advisory
+but as a result of the Access Complexity metric you should still consider how
+the vulnerability impacts your installation.
+</p>
+
+<p>When calculating the Availability Impact metric of server vulnerabilities
+the Subversion project will use the value of Complete within the context of
+Subversion and not the host system.  For example when considering a Denial of
+Service attack the Availability Impact metric will be calculated as Complete if
+the vulnerability allows an attacker to make the Subversion server completely
+inaccessible.  On the other hand if the attack only made the Subversion server
+slow or limited the number of successful connections it would be rated as
+Partial.
+</p>
+
+<p>When calculating the Integrity Impact metric of server vulnerabilities the
+Subversion project will use the value of Complete when history of the
+Subversion repositories may be changed or when the ability to modify any file
+on the host system occurs.  The ability to change any file (while leaving the
+appropriate history trail) in violation of any authentication or authorization
+requirements will be treated as Partial.
+</p>
+
+<p>When calculating the Confidentiality Impact metric of server vulnerabilities
+the Subversion project will use the value of Complete when all files in the 
+repository may be read regardless of any authentiation or authorizaiton
+requirements.  If only some files may be read it will be considered Partial.
+</p>
+
+<p>As a result of how we calculate these impact metrics you may see advisories
+in vulnerability databases or vendor advisories that have a different score.
+For instance an Linux distribution that provides a binary package of Subversion
+may score the full exposure of the contents of the Subversion repository
+hosted on the system as only a Partial Confidentiality Impact, resulting in
+a lower score.
+</p>
+
+</div>
+
 </div>
 
 </div>



Mime
View raw message