
Re: DSA Urgency Critical

From Salvatore Bonaccorso <carnil@debian.org>
Newsgroups linux.debian.security
Subject Re: DSA Urgency Critical
Date 2026-04-26 21:20 +0200
Message-ID <MOdbj-CbM-5@gated-at.bofh.it> (permalink)
References <MOdbj-CbM-7@gated-at.bofh.it> <MOdbj-CbM-9@gated-at.bofh.it>
Organization linux.* mail to news gateway


Hi,

On Thu, Apr 23, 2026 at 02:19:18PM +0000, MOESSBAUER, Felix wrote:
> On Thu, 2026-04-23 at 13:24 +0200, Christoph Steiger wrote:
> > Hi all,
> > 
> > currently DSA have the following urgency field values: high, medium, 
> > low, unimportant, not yet assigned and end of life.
> 
> Hi,
> 
> the question is about the security tracker data, hence forwarding to
> the debian-security-tracker ML.
> 
> Felix
> 
> > 
> > In other formats, one example being the OSSF, the severity of a 
> > vulnerability is rated with the CVSS scoring system [1]. I know that 
> > Debian does not adhere to that scoring system, but the ratings of a 
> > score are very similar to the DSA Urgency field [2] (Section 5, Table 
> > 14): Critical, High, Medium, Low and None.
> > 
> > I could not find any "hard" criteria for the assessment of the Urgency 
> > of DSAs, and I assume this is done by intuition of the Debian security 
> > team. Most of the people involved in a vulnerability remediation process 
> > are used to the CVSS scoring system and its ratings (or so I have heard, 
> > I am not one myself). Having such similar rating names might lead to 
> > confusion about their meaning as it might be different and thus cause 
> > friction in vulnerability remediation processes.
> > 
> > So my first questions would be how the Urgency is determined, and if the 
> > determination is somewhat related to the CVSS qualitative ratings? And 
> > secondly what would we think about adding a new Urgency: critical? Would 
> > it be useful and how much effort would it be to implement?

They are documented here:
https://security-team.debian.org/security_tracker.html#severity-levels
Note that nowadays they are almost never used (apart from unimportant).
Everyone needs to make their own assessment on the specific issue in
their context.

So basically, no, I do not see that we would add another urgency "critical"
value here.

As a side note, you will encounter for some issues absolutely odd
resulting CVSS scoring in the highest ranking which makes no sense at all.

Regards,
Salvatore
