Statistics are grouped by month of the issue being reported to the private list.
| Month | All reports | Embargoed | Average | Median | Min | Max embargo days |
|---|---|---|---|---|---|---|
| 2025-01 | 9 | 9 | 7.71 | 7.70 | 1.12 | 14.56 |
| 2025-02 | 4 | 4 | 5.91 | 6.46 | 3.07 | 7.64 |
| 2025-03 | 7 | 7 | 8.48 | 7.03 | 2.95 | 20.16 |
| 2025-04 | 2 | 2 | 3.24 | 3.24 | 1.03 | 5.46 |
| Total | 22 | 22 | 7.22 | 7.01 | 1.03 | 20.16 |
The data for 2025-04 may be non-final.
Non-embargoed reports (issue already posted to oss-security before being brought to (linux-)distros, which in 2025 didn't occur yet) are (will be) excluded from the calculation of average, median, and minimum embargo duration above.
For the statistics above, we only use the first embargo duration seen in this table, which is the delay between postings to (linux-)distros and oss-security.
For some reports, there's a second embargo duration - that one is the delay (sometimes negative) between a first public posting elsewhere and the posting to (linux-)distros. Such first public posting often does not fully (or at all) reveal security relevance of the issue/fix, making it not-too-unreasonable to allow a little bit (more) of embargo time on the full detail, especially when that's the issue reporter's and/or the upstream project's preference.
| Project | Subjects/titles/links | Time at distros (UTC) … oss-security (UTC) Elsewhere (UTC) | Embargo days | Planned CRD(s) (exact wording) | CVE(s) |
|---|---|---|---|---|---|
| Git | [vs-plain] Upcoming Git security fix release [oss-security] git: 2 vulnerabilities fixed | Thu Jan 09 19:01:09 2025 Tue Jan 14 18:04:02 2025 | 4.96 | January 14th, 2025 at 10am Pacific Time or soon thereafter | CVE-2024-50349 CVE-2024-52006 |
| rsync | [vs] patches for 6 vulnerabilities [oss-security] RSYNC: 6 vulnerabilities | Thu Jan 09 22:29:10 2025 Tue Jan 14 18:03:17 2025 | 4.82 | 2025-01-14 @ 19:00 UTC | CVE-2024-12084 CVE-2024-12085 CVE-2024-12086 CVE-2024-12087 CVE-2024-12088 CVE-2024-12747 |
| Linux | [vs-plain] Kernel bug found in the latest upstream relegated to ocfs2 [oss-security] Linux: kernel BUG at fs/ocfs2/refcounttree.c:2678 ocfs2_refcount_cal_cow_clusters in 6.13.0 https://lore.kernel.org/all/tencent_A3FB116603B2596D123C55CCC8DC2E6E1F07@qq.com/ | Thu Jan 23 04:05:44 2025 Thu Feb 06 17:37:28 2025 Sun Jan 19 13:49:22 2025 | 14.56 -3.59 | No later than Feb 6 | |
| BIND 9 | [vs] … [oss-security] ISC has disclosed two vulnerabilities in BIND 9 (CVE-2024-11187, CVE-2024-12705) | Tue Jan 28 14:09:40 2025 Wed Jan 29 16:58:31 2025 | 1.12 | 29 January 2025 | CVE-2024-11187 CVE-2024-12705 |
| curl | [vs-plain] : curl pre-notification (1/3): CVE-2025-0167 [oss-security] [SECURITY ADVISORY] curl: CVE-2025-0167: netrc and default credential leak https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e | Tue Jan 28 15:34:55 2025 Wed Feb 05 08:21:44 2025 Fri Jan 03 17:21:00 2025 | 7.70 -24.93 | February 5 2025 around 08:00 UTC | CVE-2025-0167 |
| curl | [vs-plain] : curl pre-notification (2/3): CVE-2025-0665 [oss-security] [SECURITY ADVISORY] curl: CVE-2025-0665: eventfd double close https://github.com/curl/curl/commit/ff5091aa9f73802e894b1cbdf | Tue Jan 28 15:35:00 2025 Wed Feb 05 08:21:49 2025 Thu Dec 12 14:58:00 2024 | 7.70 -47.03 | February 5 2025 around 08:00 UTC | CVE-2025-0665 |
| curl | [vs-plain] : curl pre-notification (3/3): CVE-2025-0725 [oss-security] [SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow https://github.com/curl/curl/commit/76f83f0db23846e254d940ec7 | Tue Jan 28 15:35:08 2025 Wed Feb 05 08:21:52 2025 Fri Jan 24 13:04:00 2025 | 7.70 -4.10 | February 5 2025 around 08:00 UTC | CVE-2025-0725 |
| OpenSSL | [vs-plain] Embargoed OpenSSL security issues [oss-security] CVE-2024-12797: OpenSSL: RFC7250 handshakes with unauthenticated servers don't abort as expected | Tue Jan 28 19:04:37 2025 Tue Feb 11 17:01:50 2025 | 13.91 | 11th February, 2025 | CVE-2024-12797 |
| pam_pkcs11 | [vs] encrypted subject [oss-security] pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) | Thu Jan 30 17:31:26 2025 Thu Feb 06 14:55:28 2025 | 6.89 | 2025-02-06 | CVE-2025-24531 |
| OpenSSH | [vs] Qualys Security Advisory (CRD: Monday, February 17) [oss-security] MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client | Mon Feb 10 17:57:33 2025 Tue Feb 18 09:14:51 2025 | 7.64 | Monday, February 17 Tuesday, February 18 probably some time around 9AM CET | CVE-2025-26465 CVE-2025-26466 |
| GRUB | [vs] … [oss-security] GRUB CVE disclosures | Wed Feb 12 22:23:49 2025 Tue Feb 18 19:09:50 2025 | 5.87 | February 18th at 10am PST | CVE-2024-45774 CVE-2024-45775 CVE-2024-45776 CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2024-45781 CVE-2024-45782 CVE-2024-45783 CVE-2025-0622 CVE-2025-0624 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0686 CVE-2025-0689 CVE-2025-0690 CVE-2025-1118 CVE-2025-1125 |
| X.Org X server and Xwayland | [vs-plain] Preview of X.Org Security Advisory for 2025-02-25 [oss-security] Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland | Tue Feb 18 14:32:36 2025 Tue Feb 25 15:53:17 2025 | 7.06 | 2025-02-25 at 15:00 UTC | CVE-2025-26594 CVE-2025-26595 CVE-2025-26596 CVE-2025-26597 CVE-2025-26598 CVE-2025-26599 CVE-2025-26600 CVE-2025-26601 |
| Exim | [vs] Exim CVE-2025-26794: security update 4.98 → 4.98.1 [oss-security] CVE-2025-26794: Exim: SQL injection | Tue Feb 18 19:56:45 2025 Fri Feb 21 21:36:01 2025 | 3.07 | Friday, Feb 21th, 2025, at 12:00 UTC | CVE-2025-26794 |
| Below | [vs] encrypted subject [oss-security] Below: World Writable Directory in /var/log/below Allows Local Privilege Escalation (CVE-2025-27591) https://github.com/facebookincubator/below/commit/10e73a21d67baa2cd613ee92ce999cda145e1a83 | Fri Mar 07 11:22:23 2025 Wed Mar 12 11:25:45 2025 Mon Feb 24 16:00:00 2025 | 5.00 -10.81 | 2025-03-12 | CVE-2025-27591 |
| Linux | [vs-plain] CVE-2024-57882 fix does not prevent all memory corruption [oss-security] Linux kernel: CVE-2024-57882 fix did not prevent data stream corruption in the MPTCP protocol https://lore.kernel.org/all/20250314-net-mptcp-fix-data-stream-corr-sockopt-v1-1-122dbb249db3@kernel.org/ | Wed Mar 12 12:50:52 2025 Tue Apr 01 16:39:52 2025 Fri Mar 14 20:12:03 2025 | 20.16 2.31 | March 21st, 10:00 (GMT+1) Please wait for the patch to be in stable next Wednesday, April 2 | |
| Exim | [vs] … [oss-security] CVE-2025-30232: UAF in Exim 4.96 to 4.98.1 | Wed Mar 19 13:39:14 2025 Wed Mar 26 14:58:04 2025 | 7.05 | Wednesday, Mar 26th, 2025, at 14:00 UTC | CVE-2025-30232 |
| OpenVPN | [vs] … [oss-security] CVE-2025-2704 - OpenVPN 2.6.1 through 2.6.13 with possible DoS | Wed Mar 26 23:08:56 2025 Wed Apr 02 22:51:06 2025 | 6.99 | 2025-04-02 (April 2, 2025) | CVE-2025-2704 |
| giflib | [vs]The giflib open-source component has a buffer overflow vulnerability. [oss-security] CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. | Fri Mar 28 10:05:11 2025 Mon Apr 07 14:34:38 2025 | 10.19 | 2025.4.7 | CVE-2025-31344 |
| PowerDNS | [vs] EMBARGO: PowerDNS Security Advisory 2025-01 (CVE-2025-30195): A crafted zone can lead to an illegal memory access in the Recursor [oss-security] PowerDNS Recursor Security Advisory 2025-01 regarding PowerDNS Recusor 5.2.0 | Mon Mar 31 13:21:07 2025 Mon Apr 07 14:01:07 2025 | 7.03 | 7th of April 2025 (around 12:00 UTC) | CVE-2025-30195 |
| xz | [vs-plain] … [oss-security] XZ Utils: Threaded decoder frees memory too early (CVE-2025-31115) | Mon Mar 31 17:42:17 2025 Thu Apr 03 16:29:26 2025 | 2.95 | 2025-04-03 (Thursday) at 15:00 UTC | CVE-2025-31115 |
| c-ares | [vs-plain] c-ares security vuln [oss-security] CVE-2025-31498: c-ares use-after-free | Mon Apr 07 12:22:00 2025 Tue Apr 08 13:00:39 2025 | 1.03 | 4/8/2025 | CVE-2025-31498 |
| Perl | [vs-plain] Impending Perl vuln disclosure (CVE-2024-56406) [oss-security] CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes | Tue Apr 08 03:25:01 2025 Sun Apr 13 14:21:46 2025 | 5.46 | Sunday, April 13 2025, around 13:00 UTC | CVE-2024-56406 |
These files were manually created based on review of the e-mail threads and external resources referenced from there. They were processed with this Perl script to produce the tables above. You should be able to reproduce that.