Distros list statistics and data for 2023

Statistics by month

Statistics are grouped by the month in which the issue was reported to the private list, i.e. the (linux-)distros list. All durations are in days.

Month    All reports    Embargoed    Average    Median    Min    Max    (embargo days)
2023-01 16 16 43.52 6.78 1.22 307.22
2023-02 14 11 29.70 6.93 5.68 256.01
2023-03 11 11 28.85 6.83 4.07 237.20
2023-04 4 4 7.92 6.21 4.14 15.13
2023-05 12 12 7.51 7.68 2.57 13.99
2023-06 7 7 26.26 7.99 1.21 131.43
2023-07 3 3 3.97 3.11 1.87 6.93
2023-08 1 1 7.31 7.31 7.31 7.31
2023-09 12 12 9.86 9.63 1.26 20.27
2023-10 6 6 8.89 7.96 7.58 14.01
2023-11 3 3 6.94 8.02 4.78 8.02
2023-12 4 4 7.16 7.35 4.04 9.91
Total 93 90 20.96 7.03 1.21 307.22

The data for January 2023 excludes the continued handling of some Linux kernel issues by the same reporter, who started reporting that group of related issues in December 2022.

Non-embargoed reports (where the issue had already been posted to oss-security before being brought to (linux-)distros, which only occurred in February 2023) are counted under "All reports" but are excluded from the calculation of the average, median, and minimum embargo durations above; this is why February shows 14 reports but only 11 embargoed ones.

Formatted input data

For the statistics above, we only use the first embargo duration shown in this table: the delay between the posting to (linux-)distros and the posting to oss-security.

For some reports, there is also a second embargo duration: the delay (sometimes negative) between a first public posting elsewhere and the posting to (linux-)distros. A negative value means the issue or its fix was already public elsewhere when it was brought to (linux-)distros. Such a first public posting often does not fully (or at all) reveal the security relevance of the issue or fix, which makes it not unreasonable to allow a little (more) embargo time on the full details, especially when that is the issue reporter's and/or the upstream project's preference.
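The monthly grouping rule and the two embargo durations described above, worked in code as an added example (this is not the page's own Perl script): it takes a few rows copied verbatim from the table below, computes both durations from the UTC timestamps, keeps only the first one for the monthly statistics, and leaves negative (non-embargoed) values out of the average, median and minimum while still counting them under "All reports" and, following the page's wording literally, in the maximum. The short row labels, the tuple layout and the function names are this example's own choices, not anything from the page.

```python
from datetime import datetime
from statistics import median

# Timestamp format used in the "Formatted input data" table, e.g. "Thu Jan 05 16:48:35 2023" (UTC).
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Rows copied from the table on this page (label is this example's own; the three
# timestamps are: time at distros, time at oss-security, time elsewhere or None).
ROWS = [
    ("Linux hid report_list (CVE-2023-1073)",
     "Wed Feb 22 17:24:49 2023", "Tue Jan 17 17:13:45 2023", "Mon Jan 16 11:12:09 2023"),
    ("Linux netfilter (CVE-2023-0179)",
     "Wed Jan 11 01:26:07 2023", "Fri Jan 13 16:16:16 2023", "Wed Jan 11 14:13:59 2023"),
    ("Intel CPUs Reptar (CVE-2023-23583)",
     "Thu Nov 09 23:51:52 2023", "Tue Nov 14 18:36:44 2023", None),
    ("curl CVE-2023-46218",
     "Tue Nov 28 07:04:22 2023", "Wed Dec 06 07:29:18 2023", None),
    ("curl CVE-2023-46219",
     "Tue Nov 28 07:04:40 2023", "Wed Dec 06 07:29:58 2023", None),
]


def parse_ts(text):
    """Parse one table timestamp; all times on the page are UTC, so naive datetimes suffice."""
    return datetime.strptime(text, TS_FORMAT)


def days_between(later, earlier):
    """Signed difference in days (later minus earlier), as a float."""
    return (parse_ts(later) - parse_ts(earlier)).total_seconds() / 86400.0


def embargo_durations(row):
    """Return (first, second) embargo durations for a row.

    first  = oss-security posting minus distros posting (used for the statistics)
    second = posting elsewhere minus distros posting, or None if there was no such posting;
             negative when the issue was public elsewhere before reaching distros.
    """
    _label, distros, oss_sec, elsewhere = row
    first = days_between(oss_sec, distros)
    second = days_between(elsewhere, distros) if elsewhere else None
    return first, second


def monthly_stats(rows):
    """Group rows by month of the distros posting and compute the per-month table.

    Negative first durations count under "all" and in "max" but are excluded from
    "embargoed", "avg", "median" and "min", matching the page's stated rule.
    """
    by_month = {}
    for row in rows:
        month = parse_ts(row[1]).strftime("%Y-%m")
        by_month.setdefault(month, []).append(embargo_durations(row)[0])

    stats = {}
    for month, durations in sorted(by_month.items()):
        embargoed = [d for d in durations if d >= 0]
        stats[month] = {
            "all": len(durations),
            "embargoed": len(embargoed),
            "avg": round(sum(embargoed) / len(embargoed), 2) if embargoed else None,
            "median": round(median(embargoed), 2) if embargoed else None,
            "min": round(min(embargoed), 2) if embargoed else None,
            "max": round(max(durations), 2),
        }
    return stats


if __name__ == "__main__":
    for month, s in monthly_stats(ROWS).items():
        print(month, s["all"], s["embargoed"], s["avg"], s["median"], s["min"], s["max"])
```

Running this reproduces the November 2023 line of the monthly table (3 reports, 3 embargoed, average 6.94, median 8.02, min 4.78, max 8.02) and shows how the February hid row contributes to "All reports" but not to the embargoed statistics.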

Columns, in the order the cells of each row appear below:

Project | Subjects/titles/links (subject at distros, then subject at oss-security, then a link to the first public posting elsewhere, if any) | Time at distros (UTC) | Time at oss-security (UTC) | Time elsewhere (UTC), if any | Embargo days (first: distros to oss-security; second, if there was a posting elsewhere: elsewhere relative to distros) | Planned CRD(s) (exact wording, one per line when several were given) | CVE(s) and other identifiers

A cell that does not apply to a row (no posting elsewhere, no planned CRD, no CVE) is simply absent.
Linux [vs-plain] Warning in bpf_probe_read_user
[oss-security] Linux: BPF: issues with copy_from_user_nofault()
https://lore.kernel.org/bpf/20230118051443.78988-1-alexei.starovoitov@gmail.com/
Mon Jan 02 17:33:21 2023
Sun Nov 05 22:44:05 2023
Wed Jan 18 05:14:51 2023
307.22
15.49
1/9
1/12
“tomorrow or so” after June 27
Cargo [vs-plain] CVE-2022-46176: Cargo does not check SSH host keys
[oss-security] CVE-2022-46176: Cargo does not check SSH host keys
Thu Jan 05 16:48:35 2023
Tue Jan 10 16:58:09 2023
5.01 2023-01-10 at 16:30 UTC CVE-2022-46176
libgit2 [vs-plain] CVE-2022-46176: Cargo does not check SSH host keys
Re: [oss-security] CVE-2022-46176: Cargo does not check SSH host keys
Thu Jan 05 16:48:35 2023
Sun Nov 05 23:08:43 2023
304.26 2023-01-10
X.Org libXpm [vs-plain] Embargoed X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15
[oss-security] Fwd: X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15
Tue Jan 10 18:12:35 2023
Tue Jan 17 16:48:05 2023
6.94 January 17 CVE-2022-46285
CVE-2022-44617
CVE-2022-4883
git [vs-plain] Upcoming Git security fix release
[oss-security] Git 2.39.1 and friends
Tue Jan 10 23:08:20 2023
Tue Jan 17 18:11:20 2023
6.79 2023-JAN-17 at around 10am Pacific Time CVE-2022-23521
CVE-2022-41903
OpenStack [vs] Vulnerability in OpenStack Swift (CVE-2022-47950)
[oss-security] [OSSA-2023-001] Swift: Arbitrary file access through custom S3 XML entities (CVE-2022-47950)
Wed Jan 11 00:35:07 2023
Tue Jan 17 16:01:28 2023
6.64 2023-01-17, 1500UTC CVE-2022-47950
Linux [vs-plain] Netfilter vulnerability disclosure
[oss-security] CVE-2023-0179: Linux kernel stack buffer overflow in nftables: PoC and writeup
https://groups.google.com/g/syzkaller/c/YRNDJBsJn_s
Wed Jan 11 01:26:07 2023
Fri Jan 13 16:16:16 2023
Wed Jan 11 14:13:59 2023
2.62
0.53
7-day embargo CVE-2023-0179
sudo [vs] …
[oss-security] CVE-2023-22809: Sudoedit can edit arbitrary files
Thu Jan 12 14:17:36 2023
Thu Jan 19 07:30:23 2023
6.72 Wednesday 18th January
15:00 UTC
CVE-2023-22809
PowerDNS Recursor [vs] PowerDNS pre-notification: EMBARGO: PowerDNS Security Advisory 2023-01: PowerDNS Recursor 4.8.0 unbounded recursion results in program termination
[oss-security] Security Advisory 2023-01 for PowerDNS Recursor 4.8.0 (CVE-2023-22617)
Fri Jan 13 11:17:56 2023
Fri Jan 20 12:34:24 2023
7.05 20th of January 2023 CVE-2023-22617
Linux [vs-plain] null pointer dereference in Linux kernel
[oss-security] null pointer dereference in Linux kernel
https://lore.kernel.org/netdev/Y7s%2FFofVXLwoVgWt@westworld/
Sun Jan 15 05:13:23 2023
Wed Jan 18 08:32:11 2023
Sun Jan 08 22:09:37 2023
3.14
-6.29
in a week (Jan 21st)
Tuesday, January 17
CVE-2023-0394
OpenStack [vs] Vulnerability in OpenStack Cinder, Glance, Nova (CVE-2022-47951)
[oss-security] [OSSA-2023-002] Cinder, Glance, Nova: Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951)
Tue Jan 17 21:53:18 2023
Tue Jan 24 16:08:35 2023
6.76 2023-01-24, 1500UTC CVE-2022-47951
BIND 9 [vs] …
[oss-security] ISC has disclosed three vulnerabilities in BIND 9 (CVE-2022-3094, CVE-2022-3736, CVE-2022-3924)
Tue Jan 24 11:59:13 2023
Wed Jan 25 17:17:31 2023
1.22 25 January 2023 CVE-2022-3094
CVE-2022-3736
CVE-2022-3924
OpenSSL [vs-plain] Embargoed OpenSSL security issues
[oss-security] Fwd: OpenSSL Security Advisory
Wed Jan 25 12:02:11 2023
Tue Feb 07 19:29:21 2023
13.31 7th February 2023
pesign [vs-plain] pesign: Local privilege escalation on pesign systemd service
[oss-security] pesign: Local privilege escalation on pesign systemd service
Fri Jan 27 20:45:41 2023
Tue Jan 31 17:40:43 2023
3.87 Jan 31st
15 UTC
CVE-2022-3560
X.Org Server [vs-plain] Preview of X.Org Security Advisory for 2023-02-07
[oss-security] X.Org Security Advisory: Security issue in the X server
Mon Jan 30 22:33:46 2023
Tue Feb 07 01:37:48 2023
7.13 2023-02-07 at 01:00 UTC CVE-2023-0494
ZDI-CAN-19596
heimdal, samba [vs-plain] [vc] heimdal: CVE-2022-45142: signature validation failure
[oss-security] [vs] heimdal: CVE-2022-45142: signature validation failure
Tue Jan 31 13:52:38 2023
Wed Feb 08 06:50:02 2023
7.71 2023-02-08 CVE-2022-3437
less [vs-plain] less CVE-2022-46663
[oss-security] CVE-2022-46663: less -R filtering bypass
https://github.com/gwsw/less/commit/a78e1351113cef564d790a730d657a321624d79c
Wed Feb 01 06:35:37 2023
Tue Feb 07 19:26:58 2023
Sat Oct 08 02:25:00 2022
6.54
-116.17
Tuesday; 09:00 UTC, 2023-02-07 CVE-2022-46663
curl [vs-plain] curl: CVE-2023-23914: HSTS ignored on multiple requests (1/3)
[oss-security] curl: CVE-2023-23914: HSTS ignored on multiple requests
https://github.com/curl/curl/pull/10138
Tue Feb 07 09:36:32 2023
Wed Feb 15 07:29:04 2023
Thu Dec 22 15:14:00 2022
7.91
-46.77
Febrary 15th CVE-2023-23914
curl [vs-plain] curl: CVE-2023-23915: HSTS amnesia with --parallel (2/3)
[oss-security] curl: CVE-2023-23915: HSTS amnesia with --parallel
Tue Feb 07 09:36:35 2023
Wed Feb 15 07:29:08 2023
7.91 Febrary 15th CVE-2023-23915
curl [vs-plain] curl: CVE-2023-23916: HTTP multi-header compression denial of service (3/3)
[oss-security] curl: CVE-2023-23916: HTTP multi-header compression denial of service
Tue Feb 07 09:37:31 2023
Wed Feb 15 07:29:11 2023
7.91 Febrary 15th CVE-2023-23916
git [vs-plain] Upcoming Git security fix release
[oss-security] [Announce] Git 2.39.2 and friends
Tue Feb 07 16:47:06 2023
Tue Feb 14 18:09:06 2023
7.06 2023-FEB-14 at 10am Pacific Time CVE-2023-22490
CVE-2023-23946
Linux [vs-plain] CVE Request
[oss-security] Linux Kernel: hid: type confusions on hid report_list entry
https://lore.kernel.org/all/20230114-hid-fix-emmpty-report-list-v1-0-e4d02fad3ba5@diag.uniroma1.it/T/
Wed Feb 22 17:24:49 2023
Tue Jan 17 17:13:45 2023
Mon Jan 16 11:12:09 2023
-36.01
-37.26
CVE-2023-1073
Linux [vs-plain] CVE Request
[oss-security] Linux Kernel: hid: NULL pointer dereference in hid_betopff_play()
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=3782c0d6edf658b71354a64d60aa7a296188fc90
Wed Feb 22 17:24:49 2023
Wed Jan 18 16:18:17 2023
Wed Jan 18 15:34:35 2023
-35.05
-35.08
CVE-2023-1073
Linux [vs-plain] CVE Request
[oss-security] Linux Kernel: sctp: KASLR leak in inet_diag_msg_sctpasoc_fill()
https://lore.kernel.org/linux-sctp/9fcd182f1099f86c6661f3717f63712ddd1c676c.1674496737.git.marcelo.leitner%40gmail.com/T/
Wed Feb 22 17:24:49 2023
Mon Jan 23 18:55:36 2023
Mon Jan 23 18:00:06 2023
-29.94
-29.98
CVE-2023-1074
Linux [vs-plain] CVE Request
[oss-security] CVE-2023-1075 - Linux Kernel: Type Confusion in tls_is_tx_ready()
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=ffe2a22562444720b05bdfeb999c03e810d84cbb
Wed Feb 22 17:24:49 2023
Wed Mar 01 15:48:25 2023
Tue Jan 31 05:06:08 2023
6.93
-22.51
CVE-2023-1075
Linux [vs-plain] CVE Request
[oss-security] CVE-2023-1076: Linux Kernel: Type Confusion hardcodes tuntap socket UID to root
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=66b2c338adce580dfce2199591e65e2bab889cff
Wed Feb 22 17:24:49 2023
Wed Mar 01 15:48:17 2023
Mon Feb 06 10:16:55 2023
6.93
-16.30
CVE-2023-1076
Linux [vs-plain] CVE Request
[oss-security] CVE-2023-1077: Linux kernel: Type confusion in pick_next_rt_entity()
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=7c4a5b89a0b5a57a64b601775b296abf77a9fe97
Wed Feb 22 17:24:49 2023
Wed Mar 01 15:48:27 2023
Sat Feb 11 10:18:10 2023
6.93
-11.30
CVE-2023-1077
Linux [vs-plain] CVE Request
[oss-security] CVE-2023-1078: Linux: rds_rm_zerocopy_callback() bugs
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=f753a68980cf4b59a80fe677619da2b1804f526d
Wed Feb 22 17:24:49 2023
Sun Nov 05 17:32:17 2023
Thu Feb 09 09:37:26 2023
256.01
-13.32
CVE-2023-1078
Linux [vs-plain] CVE Request
[oss-security] CVE-2023-1079: Linux Kernel: Use-After-Free in asus_kbd_backlight_set()
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=4ab3a086d10eeec1424f2e8a968827a6336203df
Wed Feb 22 17:24:49 2023
Wed Mar 01 15:48:11 2023
Wed Feb 15 17:20:56 2023
6.93
-7.00
CVE-2023-1079
sudo [vs] sudo: double free with per-command chroot sudoers rules
[oss-security] sudo: double free with per-command chroot sudoers rules
https://www.sudo.ws/pipermail/sudo-announce/2023-February/000206.html
Wed Feb 22 22:12:30 2023
Tue Feb 28 14:33:57 2023
Mon Feb 27 16:16:34 2023
5.68
4.75
maybe Monday next week
Linux [vs-plain] A double free vulnerability was found in the hci_conn_cleanup function of the Bluetooth subsystem
[oss-security] CVE-2023-28464: Linux: Bluetooth: hci_conn_cleanup function has double free
https://lore.kernel.org/lkml/20230309074645.74309-1-wzhmmmmm@gmail.com/
Wed Mar 08 10:06:04 2023
Tue Mar 28 11:18:01 2023
Thu Mar 09 07:49:39 2023
20.05
0.91
March 28
2023-03-28T10:05:42+00:00
CVE-2023-28464
Linux [vs-plain] Reporting a USB-accessible slab-out-of-bounds read in brcmfmac
[oss-security] A USB-accessible slab-out-of-bounds read in Linux kernel driver
https://lore.kernel.org/linux-wireless/20230309104457.22628-1-jisoo.jang@yonsei.ac.kr/
Thu Mar 09 11:24:15 2023
Mon Mar 13 13:03:07 2023
Thu Mar 09 10:45:59 2023
4.07
-0.03
CVE-2023-1380
Bluez, Intel wireless devices [vs-plain] Bluetooth Low Energy stuck in unresponsive state after repeated out of order transmission of packets
[oss-security] Bluez, Intel wireless devices: Bluetooth Low Energy stuck in unresponsive state after repeated out of order transmission of packets
Fri Mar 10 18:08:39 2023
Thu Nov 02 22:55:03 2023
237.20
curl [vs-plain] curl: CVE-2023-27533: TELNET option IAC injection (1/6)
[oss-security] [SECURITY ADVISORY] curl: CVE-2023-27533: TELNET option IAC injection
https://github.com/curl/curl/commit/538b1e79a6e7b
Mon Mar 13 11:26:18 2023
Mon Mar 20 07:26:15 2023
Fri Mar 10 16:43:00 2023
6.83
-2.78
March 20 CVE-2023-27533
curl [vs-plain] curl: CVE-2023-27534: SFTP path ~ resolving discrepancy (2/6)
[oss-security] [SECURITY ADVISORY] curl: CVE-2023-27534: SFTP path ~ resolving discrepancy
https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a
Mon Mar 13 11:26:19 2023
Mon Mar 20 07:26:20 2023
Fri Mar 10 22:20:00 2023
6.83
-2.55
March 20 CVE-2023-27534
curl [vs-plain] curl: CVE-2023-27535: FTP too eager connection reuse (3/6)
[oss-security] [SECURITY ADVISORY] curl: CVE-2023-27535: FTP too eager connection reuse
https://github.com/curl/curl/commit/8f4608468b890dc
Mon Mar 13 11:27:21 2023
Mon Mar 20 07:26:22 2023
Mon Mar 13 08:07:00 2023
6.83
-0.14
March 20 CVE-2023-27535
curl [vs-plain] curl: CVE-2023-27536: GSS delegation too eager connection re-use (4/6)
[oss-security] [SECURITY ADVISORY] curl: CVE-2023-27536: GSS delegation too eager connection re-use
https://github.com/curl/curl/commit/cb49e67303dba
Mon Mar 13 11:27:20 2023
Mon Mar 20 07:26:26 2023
Fri Mar 10 22:30:00 2023
6.83
-2.54
March 20 CVE-2023-27536
curl [vs-plain] curl: CVE-2023-27537: HSTS double-free (5/6)
[oss-security] [SECURITY ADVISORY] curl: CVE-2023-27537: HSTS double-free
https://github.com/curl/curl/commit/dca4cdf071be0
Mon Mar 13 11:28:21 2023
Mon Mar 20 07:26:32 2023
Fri Mar 10 16:45:00 2023
6.83
-2.78
March 20 CVE-2023-27537
curl [vs-plain] curl: CVE-2023-27538: SSH connection too eager reuse still (6/6)
[oss-security] [SECURITY ADVISORY] curl: CVE-2023-27538: SSH connection too eager reuse still
https://github.com/curl/curl/commit/af369db4d3833272b8ed
Mon Mar 13 11:28:23 2023
Mon Mar 20 07:26:36 2023
Fri Mar 10 16:54:00 2023
6.83
-2.77
March 20 CVE-2023-27538
X.Org Server [vs-plain] Preview of X.Org Security Advisory for 2023-03-29
[oss-security] Fwd: X.Org Security Advisory: CVE-2023-1393: X.Org Server Overlay Window Use-After-Free
https://lists.x.org/archives/xorg-announce/2023-March/003374.html
Mon Mar 20 08:03:14 2023
Wed Mar 29 12:36:06 2023
Wed Mar 29 12:15:05 2023
9.19
9.17
2023-03-29 at 12:00 UTC CVE-2023-1393
ZDI-CAN-19866
Open vSwitch [vs-plain] [ADVISORY] CVE-2023-1668: Open vSwitch: Remote traffic denial of service via crafted packets with IP proto 0
[oss-security] [ADVISORY] CVE-2023-1668: Open vSwitch: Remote traffic denial of service via crafted packets with IP proto 0
Fri Mar 31 23:06:33 2023
Thu Apr 06 19:18:23 2023
5.84 06-Apr-2023 CVE-2023-1668
Linux [vs-plain] linux-bluetooth: Arbitrary management command execution
[oss-security] CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution
Sun Apr 09 10:57:14 2023
Sun Apr 16 11:22:19 2023
7.02 April 16th CVE-2023-2002
Linux [vs-plain] OOB access in the Linux kernel's XFS subsystem
[oss-security] CVE-2023-2124: OOB access in the Linux kernel's XFS subsystem
https://lore.kernel.org/linux-xfs/20230411233159.GH360895@frogsfrogsfrogs/
Sat Apr 15 03:27:54 2023
Wed Apr 19 06:45:22 2023
Tue Apr 11 23:32:04 2023
4.14
-3.16
CVE-2023-2124
Git [vs-plain] Upcoming Git security fix releases
[oss-security] [ANNOUNCE] Git v2.40.1 and friends
Thu Apr 20 07:29:59 2023
Tue Apr 25 17:08:44 2023
5.40 2023-APR-25 at around 10am Pacific Time CVE-2023-25652
CVE-2023-25815
CVE-2023-29007
distribution/distribution [vs-plain] Embargoed DoS in distribution/distribution: Catalog Endpoint can lead to OOM by user input
[oss-security] CVE-2023-2253: distribution/distribution: Catalog API endpoint can lead to OOM via malicious user input
Mon Apr 24 12:55:13 2023
Tue May 09 16:04:12 2023
15.13 2023-05-08 13:00 UTC
2023-05-09 15:00 UTC
CVE-2023-2253
Linux [vs-plain] Linux kernel LPE due to use-after-free in Netfilter nf_tables
[oss-security] [CVE-2023-32233] Linux kernel use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary reads and writes in kernel memory
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c1592a89942e9678f7d9c8030efa777c0d57edab
Tue May 02 08:28:08 2023
Mon May 08 15:58:45 2023
Wed May 03 06:24:32 2023
6.31
0.91
Once the fix becomes public
Monday (May 8th)
CVE-2023-32233
Linux [vs-plain] linux >= 6.3-rc4: OOB physical memory read/write via io_uring
[oss-security] Linux kernel io_uring out-of-bounds access to physical memory
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=776617db78c6d208780e7c69d4d68d1fa82913de
Tue May 02 16:28:39 2023
Mon May 08 14:34:55 2023
Wed May 03 15:00:22 2023
5.92
0.94
2023-05-08 15:00 UTC
12:00 UTC, Sunday 2023-05-07
CVE-2023-2598
OpenStack [vs] Vulnerability in OpenStack cinder, glance_store, nova, os-brick (CVE-2023-2088)
[oss-security] [OSSA-2023-003] cinder, glance_store, nova, os-brick: Unauthorized volume access through deleted volume attachments (CVE-2023-2088)
Thu May 04 00:57:23 2023
Wed May 10 17:21:16 2023
6.68 2023-05-10, 1500UTC CVE-2023-2088
OSSA-2023-003
libcap [vs-plain] pre-announcement libcap-2.69 release 2023-05-15
[oss-security] libcap-2.69 addresses 2 CVEs
https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe
Mon May 08 01:41:19 2023
Mon May 15 16:00:06 2023
Mon May 15 02:10:04 2023
7.60
7.02
2023-05-15 LCAP-CR-23-01
LCAP-CR-23-02
CVE-2023-2602
CVE-2023-2603
curl [vs-plain] : curl pre-notification: CVE-2023-28319 (1/4)
[oss-security] curl: CVE-2023-28319: UAF in SSH sha256 fingerprint check
Tue May 09 12:16:16 2023
Wed May 17 06:41:12 2023
7.77 06:00 UTC on May 17th CVE-2023-28319
curl [vs-plain] : curl pre-notification: CVE-2023-28320 (2/4)
[oss-security] curl: CVE-2023-28320: siglongjmp race condition
Tue May 09 12:16:30 2023
Wed May 17 06:41:18 2023
7.77 06:00 UTC on May 17th CVE-2023-28320
curl [vs-plain] : curl pre-notification: CVE-2023-28321 (3/4)
[oss-security] curl: CVE-2023-28321: IDN wildcard match
Tue May 09 12:17:16 2023
Wed May 17 06:41:21 2023
7.77 06:00 UTC on May 17th CVE-2023-28321
curl [vs-plain] : curl pre-notification: CVE-2023-28322 (4/4)
[oss-security] curl: CVE-2023-28322: more POST-after-PUT confusion
Tue May 09 12:17:29 2023
Wed May 17 06:41:26 2023
7.77 06:00 UTC on May 17th CVE-2023-28322
cups-filters [vs-plain] CVE-2023-24805: RCE in cups-filters, beh CUPS backend
[oss-security] CVE-2023-24805: RCE in cups-filters, beh CUPS backend
Wed May 10 12:45:42 2023
Wed May 17 12:14:29 2023
6.98 May 17, 2023 CVE-2023-24805
GHSA-gpxc-v2m8-fr3x
OpenSSL [vs-plain] Embargoed OpenSSL security issue
[oss-security] OpenSSL Security Advisory
Tue May 16 14:13:29 2023
Tue May 30 13:53:09 2023
13.99 30th May 2023 CVE-2023-2650
c-ares [vs-plain] c-ares security vulns
[oss-security] c-ares multiple vulnerabilities: CVE-2023-32067, CVE-2023-31147, CVE-2023-31130, CVE-2023-31124
Fri May 19 23:08:20 2023
Mon May 22 12:53:13 2023
2.57 5/22/2023 CVE-2023-32067
CVE-2023-31124
CVE-2023-31130
CVE-2023-31147
CUPS [vs-plain] EMBARGOED CVE-2023-32324 heap buffer overflow in cupsd
[oss-security] [vs] CVE-2023-32324 heap buffer overflow in cupsd
Tue May 23 10:06:35 2023
Thu Jun 01 10:49:58 2023
9.03 June 1st 2023, 12:00 PM CET CVE-2023-32324
open-vm-tools [vs] [EMBARGOED] CVE-2023-20867
[oss-security] CVE-2023-20867: open-vm-tools: Authentication Bypass vulnerability in the vgauth module
https://www.vmware.com/security/advisories/VMSA-2023-0013.html
Tue Jun 06 15:31:40 2023
Mon Oct 16 01:49:50 2023
Tue Jun 13 15:31:40 2023
131.43
7.00
June 13th, 2023 CVE-2023-20867
VMSA-2023-0013
cpdb-libs [vs-plain] CVE-2023-34095: Buffer overflows via scanf
[oss-security] CVE-2023-34095: cpdb-libs: Buffer overflows via scanf
Tue Jun 06 17:37:22 2023
Wed Jun 14 17:18:55 2023
7.99 June 14, 2023 CVE-2023-34095
GHSA-25j7-9gfc-f46x
libX11 [vs-plain] Embargoed X.Org Security Advisory: Buffer overflows in InitExt.c in libX11 prior to 1.8.6 [CVE-2023-3138]
[oss-security] Fwd: [ANNOUNCE] X.Org Security Advisory: Sub-object overflows in libX11
Fri Jun 09 00:16:11 2023
Thu Jun 15 16:40:01 2023
6.68 June 15, 2023 CVE-2023-3138
CUPS [vs-plain] EMBARGOED CVE-2023-34241 use-after-free in cupsdAcceptClient()
[oss-security] CVE-2023-34241: CUPS: use-after-free in cupsdAcceptClient()
Tue Jun 13 10:28:42 2023
Thu Jun 22 10:57:45 2023
9.02 June 22nd, 12:00 PM CET CVE-2023-34241
Linux [vs-plain] DirtyVMA: Privilege escalation via non-RCU-protected VMA traversal
[oss-security] StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability
Wed Jun 14 17:36:30 2023
Wed Jul 05 12:18:37 2023
20.78 June 22 or June 23
June 29, 17:30 UTC
Wednesday, July 5
CVE-2023-3269
StackRot
Linux [vs-plain] DECnet vulnerability disclosure
[oss-security] CVE-2023-3338: Linux Kernel NULL Pointer Dereference in DECnet
Sat Jun 17 22:58:37 2023
Sat Jun 24 16:24:01 2023
6.73 7-day embargo CVE-2023-3338
BIND 9 [vs] …
[oss-security] ISC has disclosed two vulnerabilities in BIND 9 (CVE-2023-2828, CVE-2023-2911)
Tue Jun 20 12:08:48 2023
Wed Jun 21 17:14:40 2023
1.21 21 June 2023 CVE-2023-2828
CVE-2023-2911
curl [vs-plain] : curl: CVE-2023-32001: fopen race condition
[oss-security] curl: fopen race condition: CVE-2023-32001
Wed Jul 12 08:17:32 2023
Wed Jul 19 06:31:07 2023
6.93 July 19 2023 CVE-2023-32001
AMD Zen2 [vs-plain] CVE-2023-20593: A use-after-free in AMD Zen2 Processors
[oss-security] CVE-2023-20593: A use-after-free in AMD Zen2 Processors
https://lore.kernel.org/linux-firmware/20230718231959.3163407-1-john.allen@amd.com/T/#maa00a9e4b26bcdbf0370b24bdb082639ad0b8dd6
Sat Jul 22 17:42:37 2023
Mon Jul 24 14:28:36 2023
Wed Jul 19 19:18:19 2023
1.87
-2.93
current plan is Monday CVE-2023-20593
Cargo [vs-plain] CVE-2023-38497: Cargo does not respect the umask when extracting dependencies
[oss-security] CVE-2023-38497: Cargo does not respect umask when extracting packages
Mon Jul 31 09:31:14 2023
Thu Aug 03 12:06:04 2023
3.11 August 3rd, 2023 at 12pm UTC CVE-2023-38497
open-vm-tools [vs] [EMBARGOED] CVE-2023-20900
[oss-security] [Security Advisory] open-vm-tools: SAML token signature bypass vulnerability (CVE-2023-20900)
Thu Aug 24 05:43:34 2023
Thu Aug 31 13:13:52 2023
7.31 August 31st, 2023 CVE-2023-20900
VMSA-2023-0019
curl [vs-plain] : curl: CVE-2023-38039: HTTP headers eat all memory
[oss-security] CVE-2023-38039 curl: HTTP headers eat all memory
Wed Sep 06 06:24:35 2023
Wed Sep 13 06:31:38 2023
7.00 September 13 2023 CVE-2023-38039
Linux [vs-plain] integer overflow in Linux kernel leading exploitable memory access
[oss-security] [CVE-2023-42752] integer overflow in Linux kernel leading to exploitable memory access
Thu Sep 07 23:24:26 2023
Mon Sep 18 23:10:48 2023
10.99 CVE-2023-42752
Linux [vs-plain] slab-out-of-bound access in the Linux kernel
[oss-security] [CVE-2023-42753] Array Indexing error in Linux kernel
https://lore.kernel.org/netdev/20230906162525.11079-6-fw@strlen.de/raw
Thu Sep 07 23:41:13 2023
Fri Sep 22 20:18:42 2023
Wed Sep 06 16:25:55 2023
14.86
-1.30
Tentatively on Sep 21 CVE-2023-42753
cups, libppd [vs-plain] EMBARGOED CVE-2023-4504 cups, libppd: Postscript parsing heap-based buffer overflow
[oss-security] CVE-2023-4504 cups, libppd: Postscript parsing heap-based buffer overflow
Tue Sep 12 06:44:19 2023
Wed Sep 20 13:05:26 2023
8.26 September 20th 2023, 14:00 CET CVE-2023-4504
Linux [vs-plain] null pointer dereference in Linux kernel ipv4 stack
[oss-security] [CVE-2023-42754] null pointer dereference in Linux kernel ipv4 stack
Mon Sep 18 21:47:31 2023
Mon Oct 02 20:07:33 2023
13.93 Oct 2 CVE-2023-42754
BIND 9 [vs] …
[oss-security] ISC has disclosed two vulnerabilities in BIND 9 (CVE-2023-3341, CVE-2023-4236)
Tue Sep 19 06:29:56 2023
Wed Sep 20 12:40:08 2023
1.26 20 September 2023 CVE-2023-3341
CVE-2023-4236
glibc [vs] CVE-2023-4911
[oss-security] CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so
Tue Sep 19 22:19:39 2023
Tue Oct 03 17:50:56 2023
13.81 October 3, 2023, 17:00 UTC CVE-2023-4911
Linux [vs-plain] Linux kernel wild pointer access <= v6.2
[oss-security] [CVE-2023-42755] Linux kernel wild pointer access <= v6.2
https://lore.kernel.org/all/CADW8OBtkAf+nGokhD9zCFcmiebL1SM8bJp_oo=pE02BknG9qnQ@mail.gmail.com/
Sat Sep 23 02:06:51 2023
Mon Sep 25 21:26:18 2023
Fri Sep 08 00:02:06 2023
2.81
-15.09
Sep 29th
right away
CVE-2023-42755
Linux [vs-plain] Linux kernel race condition in netfilter
[oss-security] [CVE-2023-42756] Linux kernel race condition in netfilter
Sat Sep 23 02:29:21 2023
Wed Sep 27 20:50:38 2023
4.76 Sep 27th CVE-2023-42756
Linux [vs-plain] NVMe-of/TCP Security Issue Report
[oss-security] CVE-2023-5178: Linux NVMe-oF/TCP Driver - UAF in `nvmet_tcp_free_crypto`
https://lore.kernel.org/all/20231004173226.5992-1-sj@kernel.org/T/
Mon Sep 25 09:17:34 2023
Sun Oct 15 15:47:22 2023
Mon Oct 02 10:54:46 2023
20.27
7.07
aware of the 14-day maximum CVE-2023-5178
libcue [vs] CVE-2023-43641 (GHSL-2023-197)
[oss-security] CVE-2023-43641: out-of-bounds array access in libcue 2.2.1
Tue Sep 26 08:12:41 2023
Mon Oct 09 17:13:07 2023
13.38 2023-10-09T17+00:00 CVE-2023-43641
GHSL-2023-197
libX11 & libXpm [vs-plain] Embargoed X.Org Security Advisory: Multiple issues in libX11 & libXpm
[oss-security] Fwd: X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17
Tue Sep 26 17:15:59 2023
Tue Oct 03 16:32:00 2023
6.97 October 3, 2023 CVE-2023-43785
CVE-2023-43786
CVE-2023-43787
CVE-2023-43788
CVE-2023-43789
curl [vs-plain] : CVE-2023-38545 curl SOCKS5 heap buffer overflow (1/2)
[oss-security] [SECURITY ADVISORY] curl: CVE-2023-38545: SOCKS5 heap buffer overflow
Tue Oct 03 06:57:43 2023
Wed Oct 11 05:58:55 2023
7.96 October 11, around 06:00 UTC CVE-2023-38545
curl [vs-plain] : CVE-2023-38546 curl cookie injection with none file (2/2)
[oss-security] [SECURITY ADVISORY] curl: CVE-2023-38546
Tue Oct 03 06:57:52 2023
Wed Oct 11 05:59:15 2023
7.96 October 11 2023 CVE-2023-38546
OpenSSL [vs-plain] Embargoed OpenSSL security issue
[oss-security] OpenSSL Security Advisory
Tue Oct 10 14:57:08 2023
Tue Oct 24 15:14:46 2023
14.01 24th October 2023 CVE-2023-5363
GHSA-q3f8-53qj-r58x
X.Org X server [vs-plain] Embargoed X.Org Security Advisory: Multiple issues in X.Org X server
[oss-security] FW: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.9 and Xwayland prior to 23.2.2
https://lists.x.org/archives/xorg-announce/2023-October/003430.html
Tue Oct 17 05:13:14 2023
Wed Oct 25 11:06:15 2023
Wed Oct 25 01:53:55 2023
8.25
7.86
October 25, 2023 CVE-2023-5367
CVE-2023-5380
CVE-2023-5574
ZDI-CAN-22153
ZDI-CAN-21608
ZDI-CAN-21213
open-vm-tools [vs-plain] SAML Bypass in VMware Tools CVE-2023-34058
[oss-security] CVE-2023-34058 - SAML Token Signature Bypass in open-vm-tools
Thu Oct 19 18:43:23 2023
Fri Oct 27 08:36:14 2023
7.58 October 26th, 2023 CVE-2023-34058
open-vm-tools [vs-plain] file descriptor hijack in VMware Tools CVE-2023-34059
[oss-security] CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools
Thu Oct 19 18:43:46 2023
Fri Oct 27 08:36:17 2023
7.58 October 26th, 2023 CVE-2023-34059
Intel CPUs [vs] …
[oss-security] CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar)
Thu Nov 09 23:51:52 2023
Tue Nov 14 18:36:44 2023
4.78 November 14th, 10 am Pacific Time CVE-2023-23583
curl [vs-plain] : curl pre-notification: CVE-2023-46218 (1/2)
[oss-security] [SECURITY ADVISORY] curl: cookie mixed case PSL bypass
https://github.com/curl/curl/pull/12387
Tue Nov 28 07:04:22 2023
Wed Dec 06 07:29:18 2023
Thu Nov 23 07:16:00 2023
8.02
-4.99
07:00 UTC on December 6 CVE-2023-46218
curl [vs-plain] : curl pre-notification: CVE-2023-46219 (2/2)
[oss-security] [SECURITY ADVISORY] curl: HSTS long file name clears contents
https://github.com/curl/curl/pull/12388
Tue Nov 28 07:04:40 2023
Wed Dec 06 07:29:58 2023
Thu Nov 23 07:24:00 2023
8.02
-4.99
07:00 UTC on December 6 CVE-2023-46219
X.Org X server and Xwayland [vs-plain] Embargoed X.Org Security Advisory: Issues in X server and Xwayland
[oss-security] FW: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.10 and Xwayland prior to 23.2.3
https://lists.x.org/archives/xorg-announce/2023-December/003435.html
Tue Dec 05 21:17:38 2023
Wed Dec 13 13:03:51 2023
Wed Dec 13 02:02:10 2023
7.66
7.20
December 13, 2023 00:00 UTC CVE-2023-6377
CVE-2023-6478
ZDI-CAN-22412
ZDI-CAN-22413
ZDI-CAN-22561
SSH protocol [vs] …
[oss-security] CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack)
https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ
Mon Dec 11 15:40:29 2023
Mon Dec 18 16:47:26 2023
Tue Dec 12 20:56:36 2023
7.05
1.22
18th of December 2023 15:00 UTC CVE-2023-48795
Debian cpio [vs-plain] Security vulnerability in Debian's cpio 2.13
[oss-security] Security vulnerability in Debian's cpio 2.13
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059163
Sun Dec 17 15:50:53 2023
Thu Dec 21 16:50:17 2023
Wed Dec 20 19:03:02 2023
4.04
3.13
2023-12-27
xarchiver [vs-plain] xarchiver: Path traversal with crafted cpio archives
[oss-security] xarchiver: Path traversal with crafted cpio archives
Sun Dec 17 15:50:53 2023
Wed Dec 27 13:42:05 2023
9.91 2023-12-27

Source input data

These files were created manually based on a review of the e-mail threads and of the external resources referenced from them. They were then processed with this Perl script to produce the tables above, so you should be able to reproduce those tables from the same inputs.