Merge "Updated CVSS v3.x"
This commit is contained in:
commit
1bdfec3baa
@ -2,14 +2,3 @@
|
|||||||
.. begin-CVE
|
.. begin-CVE
|
||||||
.. end-CVE
|
.. end-CVE
|
||||||
|
|
||||||
.. CentOS-begin
|
|
||||||
.. CentOS-end
|
|
||||||
|
|
||||||
.. CVE-visibility-begin
|
|
||||||
.. CVE-visibility-end
|
|
||||||
|
|
||||||
.. Debian-begin
|
|
||||||
.. Debian-end
|
|
||||||
|
|
||||||
.. CVE-visibility-1-begin
|
|
||||||
.. CVE-visibility-1-end
|
|
||||||
|
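Review bot: the markers removed here (CentOS-begin/-end, Debian-begin/-end, CVE-visibility-begin/-end and CVE-visibility-1-begin/-end) are the anchors that ``:start-after:`` and ``:end-before:`` options point at, so any ``.. include::`` of this file that still names one of them will fail at build time with a "Text not found" error rather than silently rendering nothing. The uses on the CVE Maintenance page are dropped in the next hunk of this change; confirm that no other page includes this file with those options before merging.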
@ -4,81 +4,61 @@
|
|||||||
CVE Maintenance
|
CVE Maintenance
|
||||||
===============
|
===============
|
||||||
|
|
||||||
On a monthly basis, the master development branch of |prod| is scanned for
|
|
||||||
|CVE|'s and the reports that are generated are reviewed by the Security team.
|
|
||||||
|
|
||||||
.. only:: partner
|
.. only:: partner
|
||||||
|
|
||||||
.. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
|
.. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
|
||||||
:start-after: begin-CVE
|
:start-after: begin-CVE
|
||||||
:end-before: end-CVE
|
:end-before: end-CVE
|
||||||
|
|
||||||
.. only:: starlingx
|
.. only:: starlingx
|
||||||
|
|
||||||
|
On a monthly basis, the master development branch of StarlingX is scanned
|
||||||
|
for CVEs using the third party tool ``Vulscan`` to provide an unbiased view
|
||||||
|
of vulnerabilities. The generated reports are reviewed by the Security team.
|
||||||
|
For |CVE|'s which meet StarlingX's CVE Fix Criteria Policy as documented
|
||||||
|
below, fixes are provided in the StarlingX master branch.
|
||||||
|
|
||||||
For |CVE|'s which meet StarlingX's ``CVE Fix Criteria Policy`` as documented
|
.. note::
|
||||||
below, fixes are provided for the |CVE| in the StarlingX master branch.
|
|
||||||
|
There are no scans executed or |CVE| fixes implemeneted on the released
|
||||||
|
versions / branches on StarlingX.
|
||||||
|
|
||||||
For Debian-based versions of |prod| |deb-release-ver|:
|
For the current Debian-based versions of StarlingX:
|
||||||
|
|
||||||
|
- |CVSS| v3.x base scores and base metrics are used in the |CVE| fix criteria
|
||||||
|
|
||||||
.. only:: partner
|
- The |CVE| ``Fix Criteria Policy`` is:
|
||||||
|
|
||||||
.. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
|
- Main Fix Criteria
|
||||||
:start-after: Debian-begin
|
|
||||||
:end-before: Debian-end
|
|
||||||
|
|
||||||
- The third party tool ``Vulscan`` is used to scan for |CVE|'s to provide an
|
- |CVSS| v3.x Base score >= 7.0
|
||||||
unbiased view of vulnerabilities
|
- Base Metrics has the following:
|
||||||
|
|
||||||
- |CVSS| v3 base scores and base metrics are used in the |CVE| fix criteria
|
- Attack Vector: Network
|
||||||
|
- Attack Complexity: Low
|
||||||
|
- Privileges Required: None or Low
|
||||||
|
- Availability Impact: High or Low
|
||||||
|
- User Interaction: None
|
||||||
|
- A correction is available upstream
|
||||||
|
|
||||||
- The |CVE| ``Fix Criteria Policy`` is:
|
- OR, visibility is HIGH and a correction is available upstream
|
||||||
|
|
||||||
- Main Fix Criteria
|
In the past, for older CentOS-based versions of StarlingX:
|
||||||
|
|
||||||
|
- |CVSS| v2 base scores and base vectors were used in the |CVE| fix criteria
|
||||||
|
|
||||||
|
- The |CVE| ``Fix Criteria Policy`` was:
|
||||||
|
|
||||||
- |CVSS| v3 Base score >= 7.0
|
- Main Fix Criteria
|
||||||
- Base Metrics has the following:
|
|
||||||
|
|
||||||
- Attack Vector: Network
|
- |CVSS| v2 Base score >= 7.0
|
||||||
- Attack Complexity: Low
|
- Base Vector has the following:
|
||||||
- Privileges Required: None or Low
|
|
||||||
- Availability Impact: High or Low
|
|
||||||
- User Interaction: None
|
|
||||||
- A correction is available upstream
|
|
||||||
|
|
||||||
- OR, visibility is HIGH and a correction is available upstream
|
- Access Vector: Network
|
||||||
|
- Access Complexity: Low
|
||||||
|
- Authentication: None or Single
|
||||||
|
- Availability Impact: Partial/Complete
|
||||||
|
|
||||||
|
- A correction was available upstream
|
||||||
|
|
||||||
.. only:: partner
|
- OR, visibility was HIGH and a correction was available upstream
|
||||||
|
|
||||||
.. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
|
|
||||||
:start-after: CVE-visibility-1-begin
|
|
||||||
:end-before: CVE-visibility-1-end
|
|
||||||
|
|
||||||
For older CentOS-based versions of |prod|:
|
|
||||||
|
|
||||||
.. only:: partner
|
|
||||||
|
|
||||||
.. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
|
|
||||||
:start-after: CentOS-begin
|
|
||||||
:end-before: CentOS-end
|
|
||||||
|
|
||||||
- |CVSS| v2 base scores and base vectors are used in the |CVE| fix criteria
|
|
||||||
- The |CVE| ``Fix Criteria Policy`` is:
|
|
||||||
|
|
||||||
- Main Fix Criteria
|
|
||||||
|
|
||||||
- |CVSS| v2 Base score >= 7.0
|
|
||||||
- Base Vector has the following:
|
|
||||||
|
|
||||||
- Access Vector: Network
|
|
||||||
- Access Complexity: Low
|
|
||||||
- Authentication: None or Single
|
|
||||||
- Availability Impact: Partial/Complete
|
|
||||||
- A correction is available upstream
|
|
||||||
|
|
||||||
- OR, visibility is HIGH and a correction is available upstream
|
|
||||||
|
|
||||||
.. only:: partner
|
|
||||||
|
|
||||||
.. include:: /_includes/cve-maintenance-0eaf7f8697bc.rest
|
|
||||||
:start-after: CVE-visibility-begin
|
|
||||||
:end-before: CVE-visibility-end
|
|
||||||
|
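Review bot: typo in the new note text: "implemeneted" should read "implemented", and "released versions / branches on StarlingX" reads more naturally as "of StarlingX". Also check indentation in the new ``.. only:: starlingx`` block: the scan paragraph, the ``.. note::`` and its body, and the Debian and CentOS criteria lists with their nested base-metric bullets all need to sit under the directive, because the first unindented line ends the ``only`` block and the partner build would then render the StarlingX-specific text too; the side-by-side view does not show leading whitespace, so this is worth verifying in the raw source.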