The priority field on the CVE pages at http://people.ubuntu.com/~ubuntu-security/cve/CVE-XXXX

Ask Ubuntu user
Asked 2015-04-24 06:09:47
Answers 1  Views 165  Followers 0  Votes 2

http://people.ubuntu.com/~ubuntu-security/ publishes the security patches for packages and associates them with the corresponding CVE from Mitre.

I just want to know how the "priority" is set. For example, the CVSS v2 base score of a jdk package is 10.0 (following the link to NVD there), which is plausible, but the priority in the Ubuntu view is only "medium", whereas Heartbleed, with a CVSS v2 base score of 5.0, has priority "high".

Is this priority field the result of human investigation, or am I confusing something?


1 Answer

Ask Ubuntu user

Accepted answer

Posted 2015-04-24 07:31:07

Install base and usage also have to be considered. Bash is present on almost every Ubuntu installation and is at the core of a huge number of scripts; Java, not so much. Any day, I would give a bash vulnerability a higher priority than a Java vulnerability. (Java only comes up now and then when you hear people talking about it.)

The Security Team wiki links to the CVE tracker's README, which describes the priorities:

negligible        Something that is technically a security problem, but is
                  only theoretical in nature, requires a very special
                  situation, has almost no install base, or does no real
                  damage.  These tend not to get backport from upstreams,
                  and will likely not be included in security updates unless
                  there is an easy fix and some other issue causes an update.

low               Something that is a security problem, but is hard to
                  exploit due to environment, requires a user-assisted
                  attack, a small install base, or does very little damage.
                  These tend to be included in security updates only when
                  higher priority issues require an update, or if many
                  low priority issues have built up.

medium            Something is a real security problem, and is exploitable
                  for many people.  Includes network daemon denial of service 
                  attacks, cross-site scripting, and gaining user privileges.
                  Updates should be made soon for this priority of issue.

high              A real problem, exploitable for many people in a default
                  installation.  Includes serious remote denial of services,
                  local root privilege escalations, or data loss.

critical          A world-burning problem, exploitable for nearly all people
                  in a default installation of Ubuntu.  Includes remote root
                  privilege escalations, or massive data loss.

In this case, Shellshock was a bug affecting part of the default installation, the bash package. Hence it was given high priority.

As far as I know, the priorities are set by people during bug triage.

Votes 1
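The answer's point is that the tracker priority is a human triage decision weighing install base and default-install exposure, so it can legitimately sit above or below what the NVD CVSS v2 base score alone would suggest. The following added example (not code from the Ask Ubuntu thread or from the Ubuntu Security Team) parses a minimal tracker-style record, resolves a per-package priority against the global one, and reports how many tiers the Ubuntu priority differs from NVD's v2 severity bucket. The "Field: value" layout with `Candidate:`, `Priority:` and a `Priority_<package>:` override is an assumption modelled on the tracker's plain-text files; the sample records are constructed, with Heartbleed's values taken from the question and a placeholder jdk record.

```python
"""Compare Ubuntu CVE-tracker priorities against NVD CVSS v2 severity.

Added example; not code from the Ask Ubuntu thread or the Ubuntu Security
Team. The "Field: value" record layout (Candidate:, Priority:, and a
per-package Priority_<package>: override) is an ASSUMPTION modelled on the
tracker's plain-text files; the sample records below are constructed.
"""
import re
from dataclasses import dataclass, field

# Priority tiers from the CVE tracker README, lowest to highest.
PRIORITIES = ["negligible", "low", "medium", "high", "critical"]

_FIELD = re.compile(r"^(?P<key>[A-Za-z0-9_.+-]+):\s*(?P<value>.*)$")


def cvss2_severity(score: float) -> str:
    """NVD's qualitative buckets for CVSS v2 base scores."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS v2 base score out of range: {score}")
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


@dataclass
class CveRecord:
    candidate: str
    priority: str                                          # global Priority:
    package_priority: dict = field(default_factory=dict)   # Priority_<pkg>: overrides

    def priority_for(self, package: str) -> str:
        """A per-package override wins; otherwise the global priority applies."""
        return self.package_priority.get(package, self.priority)


def parse_record(text: str) -> CveRecord:
    """Parse one tracker-style record; multi-line fields (indented lines) are skipped."""
    candidate, priority, overrides = None, None, {}
    for line in text.splitlines():
        if not line.strip() or line[0].isspace():
            continue  # blank line, or continuation of a multi-line field
        m = _FIELD.match(line)
        if m is None:
            raise ValueError(f"unparseable line: {line!r}")
        key, value = m.group("key"), m.group("value").strip()
        if key == "Candidate":
            candidate = value
        elif key == "Priority" or key.startswith("Priority_"):
            if value not in PRIORITIES:
                raise ValueError(f"{key}: unknown priority {value!r}")
            if key == "Priority":
                priority = value
            else:
                overrides[key[len("Priority_"):]] = value
    if candidate is None or priority is None:
        raise ValueError("record needs both Candidate: and Priority:")
    return CveRecord(candidate, priority, overrides)


def triage_delta(record: CveRecord, package: str, cvss2_base: float) -> int:
    """Tiers by which Ubuntu's triage sits above (+) or below (-) the tier
    the CVSS v2 base score alone would suggest."""
    ubuntu = record.priority_for(package)
    nvd = cvss2_severity(cvss2_base)
    return PRIORITIES.index(ubuntu) - PRIORITIES.index(nvd)


# Constructed sample records. Heartbleed's CVSS v2 base (5.0) and Ubuntu
# priority (high) are as the question states; the jdk record uses a
# placeholder candidate ID and an invented per-package override.
HEARTBLEED = """\
Candidate: CVE-2014-0160
Description:
 Heartbleed: OpenSSL TLS heartbeat read overrun.
Priority: high
"""

JDK_SAMPLE = """\
Candidate: CVE-2015-99999
Description:
 Placeholder record for a jdk issue scored 10.0 by NVD.
Priority: medium
Priority_openjdk-6: low
"""

if __name__ == "__main__":
    for rec, pkg, score in [(parse_record(HEARTBLEED), "openssl", 5.0),
                            (parse_record(JDK_SAMPLE), "openjdk-7", 10.0),
                            (parse_record(JDK_SAMPLE), "openjdk-6", 10.0)]:
        print(f"{rec.candidate} {pkg}: ubuntu={rec.priority_for(pkg)} "
              f"nvd={cvss2_severity(score)} delta={triage_delta(rec, pkg, score):+d}")
```

A positive delta (Heartbleed: +1) marks an issue the distro ranks above its base score because of exposure in a default install; a negative one (the jdk sample: -1, or -2 for the overridden package) marks the opposite. Neither is an error to "correct": the delta just tells you where to go read the human rationale rather than trusting the score.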
Original content provided by Ask Ubuntu.
Original link: https://askubuntu.com/questions/613177
