Table of Contents

Distros list statistics and data for 2024

Statistics by month

Statistics are grouped by month of the issue being reported to the private list.

Month All reports Embargoed Average Median Min Max embargo days
2024-01 9 9 9.18 8.79 1.09 14.12
2024-02 6 6 2.13 1.33 0.77 6.96
2024-03 9 9 7.23 7.97 1.15 12.53
2024-04 4 3 7.83 7.45 2.03 14.00
2024-05 3 3 4.05 5.05 1.07 6.04
2024-06 6 6 7.84 9.31 1.53 12.49
2024-07 5 5 5.08 6.84 0.90 8.37
2024-08 2 2 11.15 11.15 7.93 14.37
2024-09 5 5 6.22 7.20 0.44 9.15
2024-10 3 3 6.97 7.37 5.63 7.90
Total 52 51 6.72 7.20 0.44 14.37

Non-embargoed reports (issue already posted to oss-security before being brought to (linux-)distros, which in 2024 so far only occurred once) are excluded from the calculation of average, median, and minimum embargo duration above.

Formatted input data

For the statistics above, we only use the first embargo duration seen in this table, which is the delay between postings to (linux-)distros and oss-security.

For some reports, there's a second embargo duration - that one is the delay (sometimes negative) between a first public posting elsewhere and the posting to (linux-)distros. Such first public posting often does not fully (or at all) reveal security relevance of the issue/fix, making it not-too-unreasonable to allow a little bit (more) of embargo time on the full detail, especially when that's the issue reporter's and/or the upstream project's preference.

Project Subjects/titles/links Time at distros (UTC)
… oss-security (UTC)
Elsewhere (UTC)
Embargo days Planned CRD(s)
(exact wording)
CVE(s)
Mock [vs-plain] Mock: Privilege escalation for users that can access mock configuration
[oss-security] CVE-2023-6395 Mock: Privilege escalation for users that can access mock configuration
Mon Jan 08 20:42:02 2024
Tue Jan 16 14:37:14 2024
7.75 January 16th 2024 at 1 PM UTC CVE-2023-6395
Mock, Snap Re: [vs-plain] Mock: Privilege escalation for users that can access mock configuration
[oss-security] Mock, Snap, LXC expose(d) chroot, container trees with unsafe permissions and contents to host users, pose risk to host
Mon Jan 08 21:24:02 2024
Tue Jan 16 20:35:56 2024
7.97 January 16
X.Org X server and Xwayland [vs-plain] Embargoed X.Org Security Advisory: Issues in X server and Xwayland
[oss-security] Fwd: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.11 and Xwayland prior to 23.2.4
https://lists.x.org/archives/xorg-announce/2024-January/003444.html
Tue Jan 09 07:12:50 2024
Thu Jan 18 09:21:40 2024
Tue Jan 16 14:24:36 2024
9.09
7.30
January 16, 2024 00:00 UTC CVE-2023-6816
CVE-2024-0229
CVE-2024-21885
CVE-2024-21886
CVE-2024-0409
CVE-2024-0408
Linux PAM pam_namespace [vs] encrypted subject
[oss-security] pam: pam_namespace misses O_DIRECTORY flag in `protect_dir()` (CVE-2024-22365)
https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0
Tue Jan 09 14:49:28 2024
Thu Jan 18 09:48:33 2024
Wed Jan 17 15:17:00 2024
8.79
8.02
2024-01-17 CVE-2024-22365
glibc [vs] CVE-2023-6246, CVE-2023-6779, CVE-2023-6780
[oss-security] CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog()
Tue Jan 16 15:39:22 2024
Tue Jan 30 18:29:25 2024
14.12 Tuesday, January 30, 2024, 18:00 UTC CVE-2023-6246
CVE-2023-6779
CVE-2023-6780
glibc [vs] Second advisory
[oss-security] Out-of-bounds read & write in the glibc's qsort()
Tue Jan 16 16:02:18 2024
Tue Jan 30 18:37:31 2024
14.11 Tuesday, January 30, 2024, 18:00 UTC
coreutils [vs] …
[oss-security] GNU coreutils v9.4; v9.3; v9.2 split heap buffer overflow vulnerability
https://github.com/coreutils/coreutils/commit/c4c5ed8f4e9cd55a12966d4f520e3a13101637d9
Wed Jan 17 07:18:25 2024
Thu Jan 18 09:22:16 2024
Wed Jan 17 20:19:00 2024
1.09
0.54
CVE-2024-0684
curl [vs-plain] : curl pre-notification: CVE-2024-0853: OCSP verification bypass with TLS session reuse
[oss-security] [SECURITY ADVISORY] curl: CVE-2024-0853 : OCSP verification bypass with TLS session reuse
https://github.com/curl/curl/commit/c28e9478cb2548848ec
Wed Jan 24 09:26:59 2024
Wed Jan 31 07:10:04 2024
Tue Jan 23 07:26:00 2024
6.90
-1.08
January 31 2024 around 07:00 UTC CVE-2024-0853
grub2-set-bootflag [vs] grub-set-bootflag
[oss-security] CVE-2024-1048: grub2-set-bootflag may be abused to fill up /boot, bypass RLIMIT_NPROC
Wed Jan 24 22:07:37 2024
Tue Feb 06 17:01:28 2024
12.79 January 31
Feb 6th
CVE-2024-1048
Open vSwitch [vs-plain] [ADVISORY] CVE-2023-3966: Open vSwitch: Invalid memory access in Geneve with HW offload.
[oss-security] [ADVISORY] CVE-2023-3966: Open vSwitch: Invalid memory access in Geneve with HW offload.
Thu Feb 01 21:07:08 2024
Thu Feb 08 20:13:41 2024
6.96 08-Feb-2024 CVE-2023-3966
Unbound [vs] …
[oss-security] Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
Mon Feb 12 08:50:19 2024
Tue Feb 13 14:23:55 2024
1.23 “not before 12:00 UTC” on 13 February 2024 CVE-2023-50387
CVE-2023-50868
PowerDNS Recursor [vs-plain] PowerDNS pre-notification: EMBARGO: PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor
Re: [oss-security] Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities
https://github.com/PowerDNS/pdns/pull/13781
Mon Feb 12 11:31:30 2024
Tue Feb 13 21:49:40 2024
Tue Feb 13 12:01:00 2024
1.43
1.02
13th of February 2024 CVE-2023-50387
CVE-2023-50868
BIND 9 [vs] …
[oss-security] ISC has disclosed six vulnerabilities in BIND 9 (CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50387, CVE-2023-50868)
Mon Feb 12 15:34:41 2024
Tue Feb 13 14:23:37 2024
0.95 13 February 2024 CVE-2023-4408
CVE-2023-5517
CVE-2023-5679
CVE-2023-6516
CVE-2023-50387
CVE-2023-50868
EDK2 based Virtual Machine firmware [vs-plain] Secure Boot bypass in EDK2 based Virtual Machine firmware
[oss-security] Secure Boot bypass in EDK2 based Virtual Machine firmware
Tue Feb 13 03:44:41 2024
Wed Feb 14 14:48:15 2024
1.46 February 14th 2024 at 13:00 UTC+0 CVE-2023-48733
CVE-2023-49721
c-ares [vs-plain] c-ares security vuln
[oss-security] c-ares CVE-2024-25629
Thu Feb 22 18:12:49 2024
Fri Feb 23 12:40:51 2024
0.77 2/23/2024 CVE-2024-25629
Open Virtual Network [vs-plain] [ADVISORY] CVE-2024-2182: Open Virtual Network: Insufficient validation of incoming BFD packets.
[oss-security] [ADVISORY] CVE-2024-2182: Open Virtual Network: Insufficient validation of incoming BFD packets.
Tue Mar 05 16:01:37 2024
Tue Mar 12 14:13:02 2024
6.92 12-Mar-2024 CVE-2024-2182
curl [vs-plain] : curl pre-notification: CVE-2024-2004: Usage of disabled protocol
[oss-security] [SECURITY ADVISORY] curl: CVE-2024-2004: Usage of disabled protocol
Tue Mar 19 07:38:44 2024
Wed Mar 27 06:53:23 2024
7.97 March 27 CVE-2024-2004
curl [vs-plain] : curl pre-notification: CVE-2024-2379: QUIC certificate check bypass with wolfSSL
[oss-security] [SECURITY ADVISORY] curl: CVE-2024-2379: QUIC certificate check bypass with wolfSSL
Tue Mar 19 07:38:49 2024
Wed Mar 27 06:53:29 2024
7.97 March 27 CVE-2024-2379
curl [vs-plain] : curl pre-notification: CVE-2024-2398: HTTP/2 push headers memory-leak
[oss-security] [SECURITY ADVISORY] curl: CVE-2024-2398: HTTP/2 push headers memory-leak
Tue Mar 19 07:38:56 2024
Wed Mar 27 06:53:34 2024
7.97 March 27 CVE-2024-2398
curl [vs-plain] : curl pre-notification: CVE-2024-2466: TLS certificate check bypass with mbedTLS
[oss-security] [SECURITY ADVISORY] curl: CVE-2024-2466: TLS certificate check bypass with mbedTLS
Tue Mar 19 07:39:03 2024
Wed Mar 27 06:53:36 2024
7.97 March 27 CVE-2024-2466
util-linux [vs-plain] ANSI Escape sequence injection in wall (CVE-2024-28085)
[oss-security] CVE-2024-28085: Escape sequence injection in util-linux wall
Wed Mar 20 18:40:50 2024
Wed Mar 27 15:11:25 2024
6.85 March 27
xz [vs] Easter Eggs
[oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise
Thu Mar 28 12:23:26 2024
Fri Mar 29 16:03:34 2024
1.15 tomorrow CVE-2024-3094
X.Org X server, Xwayland [vs-plain] Embargoed X.Org Security Advisory: Multiple issues in X servers
[oss-security] Fwd: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
Fri Mar 29 01:29:54 2024
Wed Apr 03 18:47:44 2024
Tue Mar 12 20:38:02 2024
5.72
-16.20
April 3, 2024 CVE-2024-31080
CVE-2024-31081
CVE-2024-31082
CVE-2024-31083
Linux [vs-plain] Skbuff null ptr derefence 0day potential LPE
[oss-security] CVE-2024-1086: Linux: nf_tables: use-after-free vulnerability in the nft_verdict_init() function
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f342de4e2f33e0e39165d8639387aa6c19dff660
Fri Mar 29 10:14:05 2024
Wed Apr 10 22:51:45 2024
Sat Jan 20 21:50:04 2024
12.53
-68.52
CVE-2024-1086
glibc [vs] …
[oss-security] The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence
Wed Apr 03 17:43:55 2024
Wed Apr 17 17:43:39 2024
14.00 April 17th CVE-2024-2961
PuTTY [vs] CVE-2024-31497
[oss-security] CVE-2024-31497: Secret Key Recovery of NIST P-521 Private Keys Through Biased ECDSA Nonces in PuTTY Client
Mon Apr 08 08:58:06 2024
Mon Apr 15 19:43:58 2024
7.45 15.04.2024 19:00 UTC CVE-2024-31497
Linux [vs-plain] Zero day local root exploit with Ubuntu 22.04 HWE / Debian 12 and possible Fedora
[oss-security] New Linux LPE via GSMIOC_SETCONF_DLCI?
Thu Apr 11 21:10:42 2024
Wed Apr 10 19:57:32 2024
-1.05
PowerDNS [vs-plain] PowerDNS pre-notification: EMBARGO: PowerDNS Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor
[oss-security] PowerDNS Recursor Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor
Mon Apr 22 10:42:29 2024
Wed Apr 24 11:29:14 2024
2.03 24th of April 2024
We aim for 11:00 UTC
CVE-2024-25583
aiohttp [vs] CVE-2024-30251
[oss-security] CVE-2024-30251: DoS in aiohttp
https://github.com/aio-libs/aiohttp/pull/8280
Wed May 01 12:35:21 2024
Thu May 02 14:09:20 2024
Mon Apr 01 13:55:00 2024
1.07
-29.94
a 1 day embargo CVE-2024-30251
PowerDNS DNSdist [vs] …
[oss-security] PowerDNS Security Advisory 2024-03: Transfer requests received over DoH can lead to a denial of service in DNSdist
Tue May 07 09:18:23 2024
Mon May 13 10:18:09 2024
6.04 13th of May 2024
expect to release at 10:00 UTC
CVE-2024-25581
Git [vs-plain] Upcoming Git security fix release
[oss-security] git: 5 vulnerabilities fixed
Thu May 09 18:29:53 2024
Tue May 14 19:34:50 2024
5.05 May 14th, 2024 at 10am Pacific Time or soon thereafter CVE-2024-32002
CVE-2024-32004
CVE-2024-32020
CVE-2024-32021
CVE-2024-32465
CUPS [vs-plain] EMBARGOED CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
[oss-security] CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
Mon Jun 03 18:44:21 2024
Tue Jun 11 14:10:50 2024
7.81 June 11th 14:00 UTC CVE-2024-35235
OpenSSH [vs] Qualys Security Advisory (CRD: Monday, July 1)
[oss-security] CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems
Thu Jun 20 13:27:07 2024
Mon Jul 01 08:40:29 2024
10.80 Monday, July 1
Something like 08:00UTC
CVE-2024-6387
OpenSSH Re: [vs] Qualys Security Advisory (CRD: Monday, July 1)
Re: [oss-security] CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems
Wed Jun 26 04:32:49 2024
Mon Jul 08 16:21:30 2024
12.49 Monday, July 8 CVE-2024-6409
Emacs Org mode [vs-plain] Arbitrary shell command evaluation in Org mode (GNU Emacs)
[oss-security] Arbitrary shell command evaluation in Org mode (GNU Emacs)
Thu Jun 20 15:11:50 2024
Sun Jun 23 09:04:55 2024
2.75 Jun 21, 4pm UTC
postpone the releases to tomorrow (Saturday, Jun 22), same time (4pm UTC)
OpenStack [vs] Vulnerability in OpenStack Cinder, Glance and Nova (CVE-2024-32498)
[oss-security] [OSSA-2024-001] OpenStack Cinder, Glance, Nova: Arbitrary file access through custom QCOW2 external data (CVE-2024-32498)
Thu Jun 20 23:45:22 2024
Tue Jul 02 15:01:32 2024
11.64 2024-06-27, 1500UTC
15:00 UTC Tuesday 2024-07-02
CVE-2024-32498
Linux [vs-plain] stack-out-of-bounds Read in profile_pc
[oss-security] Linux non-security almost non-issue: stack-out-of-bounds Read in profile_pc
https://lore.kernel.org/all/CAK55_s7Xyq=nh97=K=G1sxueOFrJDAvPOJAL4TPTCAYvmxO9_A@mail.gmail.com/
Fri Jun 28 08:05:23 2024
Sat Jun 29 20:50:28 2024
Mon Mar 25 01:17:35 2024
1.53
-95.28
curl [vs-plain] : curl: CVE-2024-6197: freeing stack buffer in utf8asn1str
[oss-security] [SECURITY ADVISORY] curl: CVE-2024-6197: freeing stack buffer in utf8asn1str
https://github.com/curl/curl/commit/3a537a4db9e65e545
Mon Jul 15 21:37:52 2024
Wed Jul 24 06:34:48 2024
Fri Jun 28 12:45:00 2024
8.37
-17.37
July 24 CVE-2024-6197
BIND 9 [vs] Four BIND 9 vulnerabilities will be announced on 17 July 2024
[oss-security] ISC has disclosed four vulnerabilities in BIND 9 (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076)
Tue Jul 16 11:25:45 2024
Tue Jul 23 14:56:25 2024
7.15 17 July 2024
2024-07-23 (next Tuesday)
CVE-2024-0760
CVE-2024-1737
CVE-2024-1975
CVE-2024-4076
OpenStack Nova [vs] Vulnerability in OpenStack Nova (CVE-2024-40767)
[oss-security] [OSSA-2024-002] OpenStack Nova: Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors (CVE-2024-40767)
Tue Jul 16 18:46:20 2024
Tue Jul 23 15:00:30 2024
6.84 2024-07-23, 1500UTC CVE-2024-40767
Linux [vs] linux kernel: virtio-net host dos
[oss-security] inux kernel: virtio-net host dos
Mon Jul 22 13:35:56 2024
Wed Jul 24 17:24:03 2024
2.16 2024-07-24 17:00 UTC CVE-2024-41090
CVE-2024-41091
curl [vs-plain] : curl: CVE-2024-7264: ASN.1 date parser overread
[oss-security] [SECURITY ADVISORY] curl: CVE-2024-7264 ASN.1 date parser overread
Tue Jul 30 09:41:07 2024
Wed Jul 31 07:19:57 2024
0.90 July 31st CVE-2024-7264
OpenSSL [vs-plain] Embargoed OpenSSL security issue
[oss-security] CVE-2024-6119: OpenSSL: Possible denial of service in X.509 name checks
Tue Aug 20 07:18:05 2024
Tue Sep 03 16:15:38 2024
14.37 3rd September 2024 CVE-2024-6119
OpenStack Ironic [vs] Vulnerability in OpenStack Ironic (CVE-2024-44082)
[oss-security] [OSSA-2024-003] OpenStack Ironic: Unvalidated image data passed to qemu-img (CVE-2024-44082)
Tue Aug 27 19:10:17 2024
Wed Sep 04 17:30:24 2024
7.93 Wednesday, 2024-09-04, 1600UTC CVE-2024-44082
Linux [vs-plain] Bug report: Memory leak in opal_event_init
[oss-security] Linux kernel: memory leak in arch/powerpc/platforms/powernv/opal-irqchip.c: opal_event_init()
Mon Sep 02 02:16:48 2024
Mon Sep 02 12:53:53 2024
0.44
curl [vs-plain] : curl prenotify CVE-2024-8096: OCSP stapling bypass
[oss-security] [SECURITY ADVISORY] curl: CVE-2024-8096: OCSP stapling bypass with GnuTLS
https://github.com/curl/curl/commit/aeb1a281cab13c7ba
Tue Sep 03 07:09:01 2024
Wed Sep 11 05:47:44 2024
Thu Aug 22 09:11:00 2024
7.94
-11.92
September 11 CVE-2024-8096
OpenStack Ironic [vs] …
[oss-security] OSSA-2024-004 / CVE-2024-47211: OpenStack Ironic <26.1.1 fails to verify checksums of supplied image_source URLs when configured to convert images to raw for streaming
Thu Sep 26 16:39:33 2024
Sat Oct 05 20:14:57 2024
9.15 2024-10-03, 1500UTC CVE-2024-47211
PowerDNS [vs-plain] PowerDNS Security Advisory 2024-04: Crafted responses can lead to a denial of service due to cache inefficiencies in the Recursor
[oss-security] PowerDNS Security Advisory 2024-04
Fri Sep 27 07:17:06 2024
Thu Oct 03 16:07:56 2024
6.37 3rd of October 2024 around 12:00 UTC CVE-2024-25590
oath-toolkit [vs] Local root exploit in a PAM module
[oss-security] CVE-2024-47191: Local root exploit in the PAM module pam_oath.so
Fri Sep 27 10:18:19 2024
Fri Oct 04 15:00:06 2024
7.20 2024-10-04 11:00 AM GMT+2 CVE-2024-47191
X.Org X server and Xwayland [vs-plain] Embargoed X.Org Security Advisory: Issue in X server and Xwayland
[oss-security] CVE-2024-9632: X.Org X server and Xwayland: Heap-based buffer overflow privilege escalation in _XkbSetCompatMap
Tue Oct 22 07:47:30 2024
Tue Oct 29 16:40:04 2024
7.37 October 29, 2024 15:00 UTC CVE-2024-9632
curl [vs-plain] : curl pre-notification: CVE-2024-9681
[oss-security] [SECURITY ADVISTORY] curl: CVE-2024-9681 HSTS subdomain overwrites parent cache entry
https://github.com/curl/curl/commit/a94973805df96269bf
Tue Oct 29 09:53:36 2024
Wed Nov 06 07:25:14 2024
Wed Oct 09 11:48:00 2024
7.90
-19.92
November 6 2024 around 06:00 UTC CVE-2024-9681
Unix shells [vs-plain] shell expansion bug
[oss-security] shell wildcard expansion (un)safety
Thu Oct 31 13:00:59 2024
Wed Nov 06 04:12:33 2024
5.63

Source input data

These files were manually created based on review of the e-mail threads and external resources referenced from there. They were processed with this Perl script to produce the tables above. You should be able to reproduce that.