mailing-lists:distros:stats:2023 [2023/11/06 17:39] solar add January 2023 |
mailing-lists:distros:stats:2023 [2023/12/28 20:30] (current) solar add December 2023 |
Line 1: | Line 1: | ||
====== Distros list statistics and data for 2023 ====== | ====== Distros list statistics and data for 2023 ====== | ||
- | ==== Statistics by month ==== | + | ===== Statistics by month ===== |
Statistics are grouped by month of the issue being reported to the private list. | Statistics are grouped by month of the issue being reported to the private list. | ||
- | ^ Month ^ Reports ^ Average ^ Median ^ Min ^ Max embargo days ^ | + | ^ Month ^ All reports ^ Embargoed ^ Average ^ Median ^ Min ^ Max embargo days ^ |
- | | 2023-01 | 16 | 43.52 | 6.78 | 1.22 | 307.22 | | + | | 2023-01 | 16 | 16 | 43.52 | 6.78 | 1.22 | 307.22 | |
- | | 2023-02 | 14 | 23.34 | 6.93 | 0.00 | 256.01 | | + | | 2023-02 | 14 | 11 | 29.70 | 6.93 | 5.68 | 256.01 | |
- | | 2023-03 | 11 | 28.85 | 6.83 | 4.07 | 237.20 | | + | | 2023-03 | 11 | 11 | 28.85 | 6.83 | 4.07 | 237.20 | |
- | | 2023-04 | 4 | 7.92 | 6.21 | 4.14 | 15.13 | | + | | 2023-04 | 4 | 4 | 7.92 | 6.21 | 4.14 | 15.13 | |
- | | 2023-05 | 12 | 7.51 | 7.68 | 2.57 | 13.99 | | + | | 2023-05 | 12 | 12 | 7.51 | 7.68 | 2.57 | 13.99 | |
- | | 2023-06 | 7 | 26.26 | 7.99 | 1.21 | 131.43 | | + | | 2023-06 | 7 | 7 | 26.26 | 7.99 | 1.21 | 131.43 | |
- | | 2023-07 | 3 | 3.97 | 3.11 | 1.87 | 6.93 | | + | | 2023-07 | 3 | 3 | 3.97 | 3.11 | 1.87 | 6.93 | |
- | | 2023-08 | 1 | 7.31 | 7.31 | 7.31 | 7.31 | | + | | 2023-08 | 1 | 1 | 7.31 | 7.31 | 7.31 | 7.31 | |
- | | 2023-09 | 12 | 9.86 | 9.63 | 1.26 | 20.27 | | + | | 2023-09 | 12 | 12 | 9.86 | 9.63 | 1.26 | 20.27 | |
- | | 2023-10 | 6 | 8.89 | 7.96 | 7.58 | 14.01 | | + | | 2023-10 | 6 | 6 | 8.89 | 7.96 | 7.58 | 14.01 | |
- | | Total | 86 | 21.36 | 6.97 | 0.00 | 307.22 | | + | | 2023-11 | 3 | 3 | 6.94 | 8.02 | 4.78 | 8.02 | |
+ | | 2023-12 | 4 | 4 | 7.16 | 7.35 | 4.04 | 9.91 | | ||
+ | | Total | 93 | 90 | 20.96 | 7.03 | 1.21 | 307.22 | | ||
The data for January 2023 excludes continued handling of some Linux kernel issues by the same reporter, who started reporting that group of related issues in December 2022. | The data for January 2023 excludes continued handling of some Linux kernel issues by the same reporter, who started reporting that group of related issues in December 2022. | ||
- | In the calculation of average, median, and minimum embargo duration above, negative values (issue already posted to oss-security before being brought to (linux-)distros) are treated as zero (this only occurred in February 2023). | + | Non-embargoed reports (issue already posted to oss-security before being brought to (linux-)distros, which only occurred in February 2023) are excluded from the calculation of average, median, and minimum embargo duration above. |
- | ==== Input data ==== | + | ===== Formatted input data ===== |
+ | |||
+ | For the statistics above, we only use the first embargo duration seen in this table, which is the delay between postings to (linux-)distros and oss-security. | ||
+ | |||
+ | For some reports, there's a second embargo duration - that one is the delay (sometimes negative) between a first public posting elsewhere and the posting to (linux-)distros. Such first public posting often does not fully (or at all) reveal security relevance of the issue/fix, making it not-too-unreasonable to allow a little bit (more) of embargo time on the full detail, especially when that's the issue reporter's and/or the upstream project's preference. | ||
^ Project ^ Subjects/titles/links ^ Time at distros (UTC) \\ ... oss-security (UTC) \\ Elsewhere (UTC) ^ Embargo days ^ Planned CRD(s) \\ (exact wording) ^ CVE(s) ^ | ^ Project ^ Subjects/titles/links ^ Time at distros (UTC) \\ ... oss-security (UTC) \\ Elsewhere (UTC) ^ Embargo days ^ Planned CRD(s) \\ (exact wording) ^ CVE(s) ^ | ||
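Review bot: the new statistics header "^ Month ^ All reports ^ Embargoed ^ Average ^ Median ^ Min ^ Max embargo days ^" does not say which of the two counts the Average/Median/Min/Max columns are computed over; the February row shows it is the Embargoed count (the new 29.70 is the old 23.34 × 14 / 11, i.e. the three non-embargoed reports that previously counted as zero are now dropped from the denominator), and the Total row's Min moving from 0.00 to 1.21 follows the same rule. Stating this in the header itself, e.g. "^ Average ^ Median ^ Min ^ Max embargo days (embargoed reports only) ^", would keep the table self-explanatory for readers who skip the paragraph below it, and the 2023-11 and 2023-12 rows check out against the per-report values added further down (4.78, 8.02, 8.02 give 6.94; 7.66, 7.05, 4.04, 9.91 give 7.16 and a median of 7.35 with the truncation used here).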
Line 111: | Line 117: | ||
| open-vm-tools | [vs-plain] SAML Bypass in VMware Tools CVE-2023-34058 \\ [[https://www.openwall.com/lists/oss-security/2023/10/27/1|[oss-security] CVE-2023-34058 - SAML Token Signature Bypass in open-vm-tools]] | Thu Oct 19 18:43:23 2023 \\ Fri Oct 27 08:36:14 2023 | 7.58 | October 26th, 2023 | CVE-2023-34058 | | | open-vm-tools | [vs-plain] SAML Bypass in VMware Tools CVE-2023-34058 \\ [[https://www.openwall.com/lists/oss-security/2023/10/27/1|[oss-security] CVE-2023-34058 - SAML Token Signature Bypass in open-vm-tools]] | Thu Oct 19 18:43:23 2023 \\ Fri Oct 27 08:36:14 2023 | 7.58 | October 26th, 2023 | CVE-2023-34058 | | ||
| open-vm-tools | [vs-plain] file descriptor hijack in VMware Tools CVE-2023-34059 \\ [[https://www.openwall.com/lists/oss-security/2023/10/27/2|[oss-security] CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools]] | Thu Oct 19 18:43:46 2023 \\ Fri Oct 27 08:36:17 2023 | 7.58 | October 26th, 2023 | CVE-2023-34059 | | | open-vm-tools | [vs-plain] file descriptor hijack in VMware Tools CVE-2023-34059 \\ [[https://www.openwall.com/lists/oss-security/2023/10/27/2|[oss-security] CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools]] | Thu Oct 19 18:43:46 2023 \\ Fri Oct 27 08:36:17 2023 | 7.58 | October 26th, 2023 | CVE-2023-34059 | | ||
+ | | Intel CPUs | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2023/11/14/4|[oss-security] CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar)]] | Thu Nov 09 23:51:52 2023 \\ Tue Nov 14 18:36:44 2023 | 4.78 | November 14th, 10 am Pacific Time | CVE-2023-23583 | | ||
+ | | curl | [vs-plain] : curl pre-notification: CVE-2023-46218 (1/2) \\ [[https://www.openwall.com/lists/oss-security/2023/12/06/1|[oss-security] [SECURITY ADVISORY] curl: cookie mixed case PSL bypass]] \\ [[https://github.com/curl/curl/pull/12387]] | Tue Nov 28 07:04:22 2023 \\ Wed Dec 06 07:29:18 2023 \\ Thu Nov 23 07:16:00 2023 | 8.02 \\ -4.99 | 07:00 UTC on December 6 | CVE-2023-46218 | | ||
+ | | curl | [vs-plain] : curl pre-notification: CVE-2023-46219 (2/2) \\ [[https://www.openwall.com/lists/oss-security/2023/12/06/2|[oss-security] [SECURITY ADVISORY] curl: HSTS long file name clears contents]] \\ [[https://github.com/curl/curl/pull/12388]] | Tue Nov 28 07:04:40 2023 \\ Wed Dec 06 07:29:58 2023 \\ Thu Nov 23 07:24:00 2023 | 8.02 \\ -4.99 | 07:00 UTC on December 6 | CVE-2023-46219 | | ||
+ | | X.Org X server and Xwayland | [vs-plain] Embargoed X.Org Security Advisory: Issues in X server and Xwayland \\ [[https://www.openwall.com/lists/oss-security/2023/12/13/1|[oss-security] FW: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.10 and Xwayland prior to 23.2.3]] \\ [[https://lists.x.org/archives/xorg-announce/2023-December/003435.html]] | Tue Dec 05 21:17:38 2023 \\ Wed Dec 13 13:03:51 2023 \\ Wed Dec 13 02:02:10 2023 | 7.66 \\ 7.20 | December 13, 2023 00:00 UTC | CVE-2023-6377 \\ CVE-2023-6478 \\ ZDI-CAN-22412 \\ ZDI-CAN-22413 \\ ZDI-CAN-22561 | | ||
+ | | SSH protocol | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2023/12/18/3|[oss-security] CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack)]] \\ [[https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ]] | Mon Dec 11 15:40:29 2023 \\ Mon Dec 18 16:47:26 2023 \\ Tue Dec 12 20:56:36 2023 | 7.05 \\ 1.22 | 18th of December 2023 15:00 UTC | CVE-2023-48795 | | ||
+ | | Debian cpio | [vs-plain] Security vulnerability in Debian's cpio 2.13 \\ [[https://www.openwall.com/lists/oss-security/2023/12/21/8|[oss-security] Security vulnerability in Debian's cpio 2.13]] \\ [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059163]] | Sun Dec 17 15:50:53 2023 \\ Thu Dec 21 16:50:17 2023 \\ Wed Dec 20 19:03:02 2023 | 4.04 \\ 3.13 | 2023-12-27 | | | ||
+ | | xarchiver | [vs-plain] xarchiver: Path traversal with crafted cpio archives \\ [[https://www.openwall.com/lists/oss-security/2023/12/27/1|[oss-security] xarchiver: Path traversal with crafted cpio archives]] | Sun Dec 17 15:50:53 2023 \\ Wed Dec 27 13:42:05 2023 | 9.91 | 2023-12-27 | | | ||
- | ==== Extra data for prior months not included in statistics ==== | + | ===== Source input data ===== |
- | The data here is unfortunately incomplete and unreliable, resulting from automated processing of input that wasn't meant to be fully machine-readable. | + | These files were manually created based on review of the e-mail threads and external resources referenced from there. They were processed with {{stats-process.txt|this Perl script}} to produce the tables above. You should be able to reproduce that. |
- | ^Project^Subject^Reported^Coordinated Release Date^Time of oss-security posting^CVE(s)^Days embargoed (scheduled)^Days embargoed (oss-security)^ | + | * {{stats-202301.txt}} |
- | ^ February ^^^^^^^^ | + | * {{stats-202302.txt}} |
- | | |less CVE-2022-46663|2023-02-01T06:55:51+00:00|2023-02-08T06:55:51+00:00|[[https://marc.info/?i=CAP9KPhB7PqqFt%3DOf8%2B6CKiaV%3D%2Bp%3DWwYOjG3QF3TEBDDop1125g%40mail.gmail.com|2023-02-07T18:49:47+00:00]]|[[https://nvd.nist.gov/vuln/detail/CVE-2022-46663|CVE-2022-46663]]|7.00|6.46| | + | * {{stats-202303.txt}} |
- | ^ January ^^^^^^^^ | + | * {{stats-202304.txt}} |
- | | |Preview of X.Org Security Advisory for 2023-02-07|2023-01-30T22:33:32+00:00|2023-02-06T22:33:32+00:00|[[https://marc.info/?i=9afca616-11f3-ac36-4d5f-918487e1a756%40redhat.com|2023-02-07T01:36:35+00:00]]|[[https://nvd.nist.gov/vuln/detail/CVE-2022-0494|CVE-2022-0494]]\\ [[https://nvd.nist.gov/vuln/detail/CVE-2023-0494|CVE-2023-0494]]|7.00|7.12| | + | * {{stats-202305.txt}} |
- | | |pesign: Local privilege escalation on pesign systemd service|2023-01-27T20:44:55+00:00|2023-02-03T20:44:55+00:00|[[https://marc.info/?i=CAOGQQ29pYOHP2puP-nAzO%2BQnbc-OouwnVFpQVY_%3DOvVo12%3DMkw%40mail.gmail.com|2023-01-31T15:59:19+00:00]]|[[https://nvd.nist.gov/vuln/detail/CVE-2022-3560|CVE-2022-3560]]|7.00|3.79| | + | * {{stats-202306.txt}} |
- | | |Embargoed OpenSSL security issues|2023-01-25T12:02:01+00:00|2023-02-07T00:00:00+00:00|[[https://marc.info/?i=CAPCCXc9UR7FmvkEvyy2_H%3Dh4Y8cSMtJC7i8FsypBQye_FXp5GA%40mail.gmail.com|2023-02-07T19:28:51+00:00]]|[[https://nvd.nist.gov/vuln/detail/CVE-2022-4203|CVE-2022-4203]]\\ [[https://nvd.nist.gov/vuln/detail/CVE-2022-4304|CVE-2022-4304]]\\ [[https://nvd.nist.gov/vuln/detail/CVE-2022-4450|CVE-2022-4450]]\\ [[https://nvd.nist.gov/vuln/detail/CVE-2023-0215|CVE-2023-0215]]\\ [[https://nvd.nist.gov/vuln/detail/CVE-2023-0216|CVE-2023-0216]]\\ [[https://nvd.nist.gov/vuln/detail/CVE-2023-0217|CVE-2023-0217]]\\ [[https://nvd.nist.gov/vuln/detail/CVE-2023-0286|CVE-2023-0286]]\\ [[https://nvd.nist.gov/vuln/detail/CVE-2023-0401|CVE-2023-0401]]|12.46|13.29| | + | * {{stats-202307.txt}} |
- | | |...|2023-01-24T11:58:47+00:00|2023-01-31T11:58:47+00:00|[[https://marc.info/?i=Y9FhZ0vKzTx4WTCH%40larwa.hq.kempniu.pl|2023-01-25T17:05:43+00:00]]|[[https://nvd.nist.gov/vuln/detail/CVE-2022-3094|CVE-2022-3094]]\\ [[https://nvd.nist.gov/vuln/detail/CVE-2022-3736|CVE-2022-3736]]\\ [[https://nvd.nist.gov/vuln/detail/CVE-2022-3924|CVE-2022-3924]]|7.00|1.21| | + | * {{stats-202308.txt}} |
- | | |Re: Vulnerability in OpenStack Cinder, Glance, Nova (CVE-2022-47951)|2023-01-17T21:53:09+00:00|2023-01-24T21:53:09+00:00|[[https://marc.info/?i=20230124160818.wlaspet7jsmths2p%40yuggoth.org|2023-01-24T16:08:18+00:00]]|[[https://nvd.nist.gov/vuln/detail/CVE-2022-47951|CVE-2022-47951]]|7.00|6.75| | + | * {{stats-202309.txt}} |
- | | |null pointer dereference in Linux kernel|2023-01-15T05:12:43+00:00|2023-01-22T05:12:43+00:00|[[https://marc.info/?i=CADW8OBuhuCTq-MvcFuAxOc6pWrkmOd-mwV9yasNRfbnD9s85-g%40mail.gmail.com|2023-01-18T20:26:46+00:00]]|[[https://nvd.nist.gov/vuln/detail/CVE-2023-0394|CVE-2023-0394]]|7.00|3.62| | + | * {{stats-202310.txt}} |
- | | |Re: PowerDNS pre-notification: EMBARGO: PowerDNS Security Advisory 2023-01: PowerDNS Recursor 4.8.0 unbounded recursion results in program termination|2023-01-13T11:17:46+00:00|2023-01-20T11:17:46+00:00|[[https://marc.info/?i=1295588158.7348.1674217183817%40appsuite-guard.open-xchange.com|2023-01-20T12:19:43+00:00]]|[[https://nvd.nist.gov/vuln/detail/CVE-2023-22617|CVE-2023-22617]]|7.00|7.04| | + | * {{stats-202311.txt}} |
- | | |Re: Embargoed X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15|2023-01-12T23:41:22+00:00|2023-01-19T23:41:22+00:00|[[https://marc.info/?i=7b3fdf01-8189-567d-bf15-ba8478eaba79%40oracle.com|2023-01-17T16:47:45+00:00]]|[[https://nvd.nist.gov/vuln/detail/CVE-2022-4883|CVE-2022-4883]]|7.00|4.71| | + | * {{stats-202312.txt}} |
- | | |...|2023-01-12T14:17:07+00:00|2023-01-19T14:17:07+00:00|[[https://marc.info/?i=CAE-GootkXskaRKTmdPg1KsL3cm2oPq8DtL14MoupwX_CaVDeXw%40mail.gmail.com|2023-01-19T00:33:43+00:00]]|[[https://nvd.nist.gov/vuln/detail/CVE-2023-22809|CVE-2023-22809]]|7.00|6.42| | + | |
- | | |Netfilter vulnerability disclosure|2023-01-11T01:26:17+00:00|2023-01-18T01:26:17+00:00|[[https://marc.info/?i=CAHH-0UfWddrL_x9n1eG1oJ6iurew7D6Yb%3Dz%3D068BfV7uJGSRGw%40mail.gmail.com|2023-01-13T15:22:47+00:00]]|[[https://nvd.nist.gov/vuln/detail/CVE-2022-1015|CVE-2022-1015]]\\ [[https://nvd.nist.gov/vuln/detail/CVE-2023-0179|CVE-2023-0179]]|7.00|2.54| | + | |
- | | |Re: Vulnerability in OpenStack Swift (CVE-2022-47950)|2023-01-11T00:35:00+00:00|2023-01-18T00:35:00+00:00|[[https://marc.info/?i=20230117160111.htaewnl2wmuqlgq7%40yuggoth.org|2023-01-17T16:01:11+00:00]]|[[https://nvd.nist.gov/vuln/detail/CVE-2022-47950|CVE-2022-47950]]|7.00|6.62| | + | |
- | | |Upcoming Git security fix release|2023-01-10T23:08:02+00:00|2023-01-17T23:08:02+00:00|[[https://marc.info/?i=xmqqfscit2ct.fsf%40gitster.g|2023-01-17T18:06:10+00:00]]|[[https://nvd.nist.gov/vuln/detail/CVE-2022-23521|CVE-2022-23521]]\\ [[https://nvd.nist.gov/vuln/detail/CVE-2022-41903|CVE-2022-41903]]|7.00|6.75| | + | |
- | | |Embargoed X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15|2023-01-10T18:12:18+00:00|2023-01-17T18:12:18+00:00|[[https://marc.info/?i=7b3fdf01-8189-567d-bf15-ba8478eaba79%40oracle.com|2023-01-17T16:47:45+00:00]]|[[https://nvd.nist.gov/vuln/detail/CVE-2022-44617|CVE-2022-44617]]\\ [[https://nvd.nist.gov/vuln/detail/CVE-2022-46285|CVE-2022-46285]]\\ [[https://nvd.nist.gov/vuln/detail/CVE-2022-4883|CVE-2022-4883]]|7.00|6.92| | + | |
- | | |Re: CVE-2022-46176: Cargo does not check SSH host keys|2023-01-05T16:48:13+00:00|2023-01-12T16:48:13+00:00|[[https://marc.info/?i=0c602545-dfad-4d49-beaa-b5094b343af8%40app.fastmail.com|2023-01-10T16:45:06+00:00]]|[[https://nvd.nist.gov/vuln/detail/CVE-2022-46176|CVE-2022-46176]]|7.00|4.96| | + |
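Review bot: "You should be able to reproduce that." under the new "Source input data" heading gives no invocation, so the reproduction claim is not actionable; state how stats-process.txt is run over the stats-YYYYMM.txt files (arguments, whether it takes one file or all of them, what it prints) so the tables can actually be regenerated. Two further points on the same hunk: the removed "Extra data for prior months not included in statistics" table was the only place on the page carrying the marc.info and NVD links for the January/February 2023 reports, so it is worth confirming those rows are all represented in stats-202301.txt and stats-202302.txt before the old section is dropped; and the Debian cpio and xarchiver rows share the same "Time at distros" timestamp (Sun Dec 17 15:50:53 2023) yet are counted as two of the four December reports, so the counting rule (one row per project rather than per distros posting) should be stated next to the "Statistics are grouped by month" sentence.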