Statistics are grouped by month of the issue being reported to the private list.
Month | All reports | Embargoed | Average embargo days | Median | Min | Max |
---|---|---|---|---|---|---|
2023-01 | 16 | 16 | 43.52 | 6.78 | 1.22 | 307.22 |
2023-02 | 14 | 11 | 29.70 | 6.93 | 5.68 | 256.01 |
2023-03 | 11 | 11 | 28.85 | 6.83 | 4.07 | 237.20 |
2023-04 | 4 | 4 | 7.92 | 6.21 | 4.14 | 15.13 |
2023-05 | 12 | 12 | 7.51 | 7.68 | 2.57 | 13.99 |
2023-06 | 7 | 7 | 26.26 | 7.99 | 1.21 | 131.43 |
2023-07 | 3 | 3 | 3.97 | 3.11 | 1.87 | 6.93 |
2023-08 | 1 | 1 | 7.31 | 7.31 | 7.31 | 7.31 |
2023-09 | 12 | 12 | 9.86 | 9.63 | 1.26 | 20.27 |
2023-10 | 6 | 6 | 8.89 | 7.96 | 7.58 | 14.01 |
2023-11 | 3 | 3 | 6.94 | 8.02 | 4.78 | 8.02 |
2023-12 | 4 | 4 | 7.16 | 7.35 | 4.04 | 9.91 |
Total | 93 | 90 | 20.96 | 7.03 | 1.21 | 307.22 |
The data for January 2023 excludes continued handling of some Linux kernel issues by the same reporter, who started reporting that group of related issues in December 2022.
Non-embargoed reports (issue already posted to oss-security before being brought to (linux-)distros, which only occurred in February 2023) are excluded from the calculation of average, median, and minimum embargo duration above.
For the statistics above, we only use the first embargo duration seen in the table below, which is the delay between the postings to (linux-)distros and to oss-security.
For some reports there is a second embargo duration: the delay (sometimes negative) between a first public posting elsewhere and the posting to (linux-)distros. Such a first public posting often does not fully (or at all) reveal the security relevance of the issue or fix, which makes it not unreasonable to allow a little (more) embargo time on the full details, especially when that is the issue reporter's and/or the upstream project's preference.
Project | Subjects/titles/links ([vs]/[vs-plain] subject, [oss-security] subject, link elsewhere) | Times (UTC): at (linux-)distros, at oss-security, elsewhere | Embargo days (distros to oss-security; elsewhere to distros, may be negative) | Planned CRD(s) (exact wording) | CVE(s) |
---|---|---|---|---|---|
Linux | [vs-plain] Warning in bpf_probe_read_user [oss-security] Linux: BPF: issues with copy_from_user_nofault() https://lore.kernel.org/bpf/20230118051443.78988-1-alexei.starovoitov@gmail.com/ | Mon Jan 02 17:33:21 2023 Sun Nov 05 22:44:05 2023 Wed Jan 18 05:14:51 2023 | 307.22 15.49 | 1/9 1/12 “tomorrow or so” after June 27 | |
Cargo | [vs-plain] CVE-2022-46176: Cargo does not check SSH host keys [oss-security] CVE-2022-46176: Cargo does not check SSH host keys | Thu Jan 05 16:48:35 2023 Tue Jan 10 16:58:09 2023 | 5.01 | 2023-01-10 at 16:30 UTC | CVE-2022-46176 |
libgit2 | [vs-plain] CVE-2022-46176: Cargo does not check SSH host keys Re: [oss-security] CVE-2022-46176: Cargo does not check SSH host keys | Thu Jan 05 16:48:35 2023 Sun Nov 05 23:08:43 2023 | 304.26 | 2023-01-10 | |
X.Org libXpm | [vs-plain] Embargoed X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15 [oss-security] Fwd: X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15 | Tue Jan 10 18:12:35 2023 Tue Jan 17 16:48:05 2023 | 6.94 | January 17 | CVE-2022-46285 CVE-2022-44617 CVE-2022-4883 |
git | [vs-plain] Upcoming Git security fix release [oss-security] Git 2.39.1 and friends | Tue Jan 10 23:08:20 2023 Tue Jan 17 18:11:20 2023 | 6.79 | 2023-JAN-17 at around 10am Pacific Time | CVE-2022-23521 CVE-2022-41903 |
OpenStack | [vs] Vulnerability in OpenStack Swift (CVE-2022-47950) [oss-security] [OSSA-2023-001] Swift: Arbitrary file access through custom S3 XML entities (CVE-2022-47950) | Wed Jan 11 00:35:07 2023 Tue Jan 17 16:01:28 2023 | 6.64 | 2023-01-17, 1500UTC | CVE-2022-47950 |
Linux | [vs-plain] Netfilter vulnerability disclosure [oss-security] CVE-2023-0179: Linux kernel stack buffer overflow in nftables: PoC and writeup https://groups.google.com/g/syzkaller/c/YRNDJBsJn_s | Wed Jan 11 01:26:07 2023 Fri Jan 13 16:16:16 2023 Wed Jan 11 14:13:59 2023 | 2.62 0.53 | 7-day embargo | CVE-2023-0179 |
sudo | [vs] … [oss-security] CVE-2023-22809: Sudoedit can edit arbitrary files | Thu Jan 12 14:17:36 2023 Thu Jan 19 07:30:23 2023 | 6.72 | Wednesday 18th January 15:00 UTC | CVE-2023-22809 |
PowerDNS Recursor | [vs] PowerDNS pre-notification: EMBARGO: PowerDNS Security Advisory 2023-01: PowerDNS Recursor 4.8.0 unbounded recursion results in program termination [oss-security] Security Advisory 2023-01 for PowerDNS Recursor 4.8.0 (CVE-2023-22617) | Fri Jan 13 11:17:56 2023 Fri Jan 20 12:34:24 2023 | 7.05 | 20th of January 2023 | CVE-2023-22617 |
Linux | [vs-plain] null pointer dereference in Linux kernel [oss-security] null pointer dereference in Linux kernel https://lore.kernel.org/netdev/Y7s%2FFofVXLwoVgWt@westworld/ | Sun Jan 15 05:13:23 2023 Wed Jan 18 08:32:11 2023 Sun Jan 08 22:09:37 2023 | 3.14 -6.29 | in a week (Jan 21st) Tuesday, January 17 | CVE-2023-0394 |
OpenStack | [vs] Vulnerability in OpenStack Cinder, Glance, Nova (CVE-2022-47951) [oss-security] [OSSA-2023-002] Cinder, Glance, Nova: Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951) | Tue Jan 17 21:53:18 2023 Tue Jan 24 16:08:35 2023 | 6.76 | 2023-01-24, 1500UTC | CVE-2022-47951 |
BIND 9 | [vs] … [oss-security] ISC has disclosed three vulnerabilities in BIND 9 (CVE-2022-3094, CVE-2022-3736, CVE-2022-3924) | Tue Jan 24 11:59:13 2023 Wed Jan 25 17:17:31 2023 | 1.22 | 25 January 2023 | CVE-2022-3094 CVE-2022-3736 CVE-2022-3924 |
OpenSSL | [vs-plain] Embargoed OpenSSL security issues [oss-security] Fwd: OpenSSL Security Advisory | Wed Jan 25 12:02:11 2023 Tue Feb 07 19:29:21 2023 | 13.31 | 7th February 2023 | |
pesign | [vs-plain] pesign: Local privilege escalation on pesign systemd service [oss-security] pesign: Local privilege escalation on pesign systemd service | Fri Jan 27 20:45:41 2023 Tue Jan 31 17:40:43 2023 | 3.87 | Jan 31st 15 UTC | CVE-2022-3560 |
X.Org Server | [vs-plain] Preview of X.Org Security Advisory for 2023-02-07 [oss-security] X.Org Security Advisory: Security issue in the X server | Mon Jan 30 22:33:46 2023 Tue Feb 07 01:37:48 2023 | 7.13 | 2023-02-07 at 01:00 UTC | CVE-2023-0494 ZDI-CAN-19596 |
heimdal, samba | [vs-plain] [vc] heimdal: CVE-2022-45142: signature validation failure [oss-security] [vs] heimdal: CVE-2022-45142: signature validation failure | Tue Jan 31 13:52:38 2023 Wed Feb 08 06:50:02 2023 | 7.71 | 2023-02-08 | CVE-2022-3437 |
less | [vs-plain] less CVE-2022-46663 [oss-security] CVE-2022-46663: less -R filtering bypass https://github.com/gwsw/less/commit/a78e1351113cef564d790a730d657a321624d79c | Wed Feb 01 06:35:37 2023 Tue Feb 07 19:26:58 2023 Sat Oct 08 02:25:00 2022 | 6.54 -116.17 | Tuesday; 09:00 UTC, 2023-02-07 | CVE-2022-46663 |
curl | [vs-plain] curl: CVE-2023-23914: HSTS ignored on multiple requests (1/3) [oss-security] curl: CVE-2023-23914: HSTS ignored on multiple requests https://github.com/curl/curl/pull/10138 | Tue Feb 07 09:36:32 2023 Wed Feb 15 07:29:04 2023 Thu Dec 22 15:14:00 2022 | 7.91 -46.77 | Febrary 15th | CVE-2023-23914 |
curl | [vs-plain] curl: CVE-2023-23915: HSTS amnesia with --parallel (2/3) [oss-security] curl: CVE-2023-23915: HSTS amnesia with --parallel | Tue Feb 07 09:36:35 2023 Wed Feb 15 07:29:08 2023 | 7.91 | Febrary 15th | CVE-2023-23915 |
curl | [vs-plain] curl: CVE-2023-23916: HTTP multi-header compression denial of service (3/3) [oss-security] curl: CVE-2023-23916: HTTP multi-header compression denial of service | Tue Feb 07 09:37:31 2023 Wed Feb 15 07:29:11 2023 | 7.91 | Febrary 15th | CVE-2023-23916 |
git | [vs-plain] Upcoming Git security fix release [oss-security] [Announce] Git 2.39.2 and friends | Tue Feb 07 16:47:06 2023 Tue Feb 14 18:09:06 2023 | 7.06 | 2023-FEB-14 at 10am Pacific Time | CVE-2023-22490 CVE-2023-23946 |
Linux | [vs-plain] CVE Request [oss-security] Linux Kernel: hid: type confusions on hid report_list entry https://lore.kernel.org/all/20230114-hid-fix-emmpty-report-list-v1-0-e4d02fad3ba5@diag.uniroma1.it/T/ | Wed Feb 22 17:24:49 2023 Tue Jan 17 17:13:45 2023 Mon Jan 16 11:12:09 2023 | -36.01 -37.26 | | CVE-2023-1073 |
Linux | [vs-plain] CVE Request [oss-security] Linux Kernel: hid: NULL pointer dereference in hid_betopff_play() https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=3782c0d6edf658b71354a64d60aa7a296188fc90 | Wed Feb 22 17:24:49 2023 Wed Jan 18 16:18:17 2023 Wed Jan 18 15:34:35 2023 | -35.05 -35.08 | | CVE-2023-1073 |
Linux | [vs-plain] CVE Request [oss-security] Linux Kernel: sctp: KASLR leak in inet_diag_msg_sctpasoc_fill() https://lore.kernel.org/linux-sctp/9fcd182f1099f86c6661f3717f63712ddd1c676c.1674496737.git.marcelo.leitner%40gmail.com/T/ | Wed Feb 22 17:24:49 2023 Mon Jan 23 18:55:36 2023 Mon Jan 23 18:00:06 2023 | -29.94 -29.98 | | CVE-2023-1074 |
Linux | [vs-plain] CVE Request [oss-security] CVE-2023-1075 - Linux Kernel: Type Confusion in tls_is_tx_ready() https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=ffe2a22562444720b05bdfeb999c03e810d84cbb | Wed Feb 22 17:24:49 2023 Wed Mar 01 15:48:25 2023 Tue Jan 31 05:06:08 2023 | 6.93 -22.51 | | CVE-2023-1075 |
Linux | [vs-plain] CVE Request [oss-security] CVE-2023-1076: Linux Kernel: Type Confusion hardcodes tuntap socket UID to root https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=66b2c338adce580dfce2199591e65e2bab889cff | Wed Feb 22 17:24:49 2023 Wed Mar 01 15:48:17 2023 Mon Feb 06 10:16:55 2023 | 6.93 -16.30 | | CVE-2023-1076 |
Linux | [vs-plain] CVE Request [oss-security] CVE-2023-1077: Linux kernel: Type confusion in pick_next_rt_entity() https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=7c4a5b89a0b5a57a64b601775b296abf77a9fe97 | Wed Feb 22 17:24:49 2023 Wed Mar 01 15:48:27 2023 Sat Feb 11 10:18:10 2023 | 6.93 -11.30 | | CVE-2023-1077 |
Linux | [vs-plain] CVE Request [oss-security] CVE-2023-1078: Linux: rds_rm_zerocopy_callback() bugs https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=f753a68980cf4b59a80fe677619da2b1804f526d | Wed Feb 22 17:24:49 2023 Sun Nov 05 17:32:17 2023 Thu Feb 09 09:37:26 2023 | 256.01 -13.32 | | CVE-2023-1078 |
Linux | [vs-plain] CVE Request [oss-security] CVE-2023-1079: Linux Kernel: Use-After-Free in asus_kbd_backlight_set() https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=4ab3a086d10eeec1424f2e8a968827a6336203df | Wed Feb 22 17:24:49 2023 Wed Mar 01 15:48:11 2023 Wed Feb 15 17:20:56 2023 | 6.93 -7.00 | | CVE-2023-1079 |
sudo | [vs] sudo: double free with per-command chroot sudoers rules [oss-security] sudo: double free with per-command chroot sudoers rules https://www.sudo.ws/pipermail/sudo-announce/2023-February/000206.html | Wed Feb 22 22:12:30 2023 Tue Feb 28 14:33:57 2023 Mon Feb 27 16:16:34 2023 | 5.68 4.75 | maybe Monday next week | |
Linux | [vs-plain] A double free vulnerability was found in the hci_conn_cleanup function of the Bluetooth subsystem [oss-security] CVE-2023-28464: Linux: Bluetooth: hci_conn_cleanup function has double free https://lore.kernel.org/lkml/20230309074645.74309-1-wzhmmmmm@gmail.com/ | Wed Mar 08 10:06:04 2023 Tue Mar 28 11:18:01 2023 Thu Mar 09 07:49:39 2023 | 20.05 0.91 | March 28 2023-03-28T10:05:42+00:00 | CVE-2023-28464 |
Linux | [vs-plain] Reporting a USB-accessible slab-out-of-bounds read in brcmfmac [oss-security] A USB-accessible slab-out-of-bounds read in Linux kernel driver https://lore.kernel.org/linux-wireless/20230309104457.22628-1-jisoo.jang@yonsei.ac.kr/ | Thu Mar 09 11:24:15 2023 Mon Mar 13 13:03:07 2023 Thu Mar 09 10:45:59 2023 | 4.07 -0.03 | | CVE-2023-1380 |
Bluez, Intel wireless devices | [vs-plain] Bluetooth Low Energy stuck in unresponsive state after repeated out of order transmission of packets [oss-security] Bluez, Intel wireless devices: Bluetooth Low Energy stuck in unresponsive state after repeated out of order transmission of packets | Fri Mar 10 18:08:39 2023 Thu Nov 02 22:55:03 2023 | 237.20 | ||
curl | [vs-plain] curl: CVE-2023-27533: TELNET option IAC injection (1/6) [oss-security] [SECURITY ADVISORY] curl: CVE-2023-27533: TELNET option IAC injection https://github.com/curl/curl/commit/538b1e79a6e7b | Mon Mar 13 11:26:18 2023 Mon Mar 20 07:26:15 2023 Fri Mar 10 16:43:00 2023 | 6.83 -2.78 | March 20 | CVE-2023-27533 |
curl | [vs-plain] curl: CVE-2023-27534: SFTP path ~ resolving discrepancy (2/6) [oss-security] [SECURITY ADVISORY] curl: CVE-2023-27534: SFTP path ~ resolving discrepancy https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a | Mon Mar 13 11:26:19 2023 Mon Mar 20 07:26:20 2023 Fri Mar 10 22:20:00 2023 | 6.83 -2.55 | March 20 | CVE-2023-27534 |
curl | [vs-plain] curl: CVE-2023-27535: FTP too eager connection reuse (3/6) [oss-security] [SECURITY ADVISORY] curl: CVE-2023-27535: FTP too eager connection reuse https://github.com/curl/curl/commit/8f4608468b890dc | Mon Mar 13 11:27:21 2023 Mon Mar 20 07:26:22 2023 Mon Mar 13 08:07:00 2023 | 6.83 -0.14 | March 20 | CVE-2023-27535 |
curl | [vs-plain] curl: CVE-2023-27536: GSS delegation too eager connection re-use (4/6) [oss-security] [SECURITY ADVISORY] curl: CVE-2023-27536: GSS delegation too eager connection re-use https://github.com/curl/curl/commit/cb49e67303dba | Mon Mar 13 11:27:20 2023 Mon Mar 20 07:26:26 2023 Fri Mar 10 22:30:00 2023 | 6.83 -2.54 | March 20 | CVE-2023-27536 |
curl | [vs-plain] curl: CVE-2023-27537: HSTS double-free (5/6) [oss-security] [SECURITY ADVISORY] curl: CVE-2023-27537: HSTS double-free https://github.com/curl/curl/commit/dca4cdf071be0 | Mon Mar 13 11:28:21 2023 Mon Mar 20 07:26:32 2023 Fri Mar 10 16:45:00 2023 | 6.83 -2.78 | March 20 | CVE-2023-27537 |
curl | [vs-plain] curl: CVE-2023-27538: SSH connection too eager reuse still (6/6) [oss-security] [SECURITY ADVISORY] curl: CVE-2023-27538: SSH connection too eager reuse still https://github.com/curl/curl/commit/af369db4d3833272b8ed | Mon Mar 13 11:28:23 2023 Mon Mar 20 07:26:36 2023 Fri Mar 10 16:54:00 2023 | 6.83 -2.77 | March 20 | CVE-2023-27538 |
X.Org Server | [vs-plain] Preview of X.Org Security Advisory for 2023-03-29 [oss-security] Fwd: X.Org Security Advisory: CVE-2023-1393: X.Org Server Overlay Window Use-After-Free https://lists.x.org/archives/xorg-announce/2023-March/003374.html | Mon Mar 20 08:03:14 2023 Wed Mar 29 12:36:06 2023 Wed Mar 29 12:15:05 2023 | 9.19 9.17 | 2023-03-29 at 12:00 UTC | CVE-2023-1393 ZDI-CAN-19866 |
Open vSwitch | [vs-plain] [ADVISORY] CVE-2023-1668: Open vSwitch: Remote traffic denial of service via crafted packets with IP proto 0 [oss-security] [ADVISORY] CVE-2023-1668: Open vSwitch: Remote traffic denial of service via crafted packets with IP proto 0 | Fri Mar 31 23:06:33 2023 Thu Apr 06 19:18:23 2023 | 5.84 | 06-Apr-2023 | CVE-2023-1668 |
Linux | [vs-plain] linux-bluetooth: Arbitrary management command execution [oss-security] CVE-2023-2002: Linux Bluetooth: Unauthorized management command execution | Sun Apr 09 10:57:14 2023 Sun Apr 16 11:22:19 2023 | 7.02 | April 16th | CVE-2023-2002 |
Linux | [vs-plain] OOB access in the Linux kernel's XFS subsystem [oss-security] CVE-2023-2124: OOB access in the Linux kernel's XFS subsystem https://lore.kernel.org/linux-xfs/20230411233159.GH360895@frogsfrogsfrogs/ | Sat Apr 15 03:27:54 2023 Wed Apr 19 06:45:22 2023 Tue Apr 11 23:32:04 2023 | 4.14 -3.16 | | CVE-2023-2124 |
Git | [vs-plain] Upcoming Git security fix releases [oss-security] [ANNOUNCE] Git v2.40.1 and friends | Thu Apr 20 07:29:59 2023 Tue Apr 25 17:08:44 2023 | 5.40 | 2023-APR-25 at around 10am Pacific Time | CVE-2023-25652 CVE-2023-25815 CVE-2023-29007 |
distribution/distribution | [vs-plain] Embargoed DoS in distribution/distribution: Catalog Endpoint can lead to OOM by user input [oss-security] CVE-2023-2253: distribution/distribution: Catalog API endpoint can lead to OOM via malicious user input | Mon Apr 24 12:55:13 2023 Tue May 09 16:04:12 2023 | 15.13 | 2023-05-08 13:00 UTC 2023-05-09 15:00 UTC | CVE-2023-2253 |
Linux | [vs-plain] Linux kernel LPE due to use-after-free in Netfilter nf_tables [oss-security] [CVE-2023-32233] Linux kernel use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary reads and writes in kernel memory https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c1592a89942e9678f7d9c8030efa777c0d57edab | Tue May 02 08:28:08 2023 Mon May 08 15:58:45 2023 Wed May 03 06:24:32 2023 | 6.31 0.91 | Once the fix becomes public Monday (May 8th) | CVE-2023-32233 |
Linux | [vs-plain] linux >= 6.3-rc4: OOB physical memory read/write via io_uring [oss-security] Linux kernel io_uring out-of-bounds access to physical memory https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=776617db78c6d208780e7c69d4d68d1fa82913de | Tue May 02 16:28:39 2023 Mon May 08 14:34:55 2023 Wed May 03 15:00:22 2023 | 5.92 0.94 | 2023-05-08 15:00 UTC 12:00 UTC, Sunday 2023-05-07 | CVE-2023-2598 |
OpenStack | [vs] Vulnerability in OpenStack cinder, glance_store, nova, os-brick (CVE-2023-2088) [oss-security] [OSSA-2023-003] cinder, glance_store, nova, os-brick: Unauthorized volume access through deleted volume attachments (CVE-2023-2088) | Thu May 04 00:57:23 2023 Wed May 10 17:21:16 2023 | 6.68 | 2023-05-10, 1500UTC | CVE-2023-2088 OSSA-2023-003 |
libcap | [vs-plain] pre-announcement libcap-2.69 release 2023-05-15 [oss-security] libcap-2.69 addresses 2 CVEs https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe | Mon May 08 01:41:19 2023 Mon May 15 16:00:06 2023 Mon May 15 02:10:04 2023 | 7.60 7.02 | 2023-05-15 | LCAP-CR-23-01 LCAP-CR-23-02 CVE-2023-2602 CVE-2023-2603 |
curl | [vs-plain] : curl pre-notification: CVE-2023-28319 (1/4) [oss-security] curl: CVE-2023-28319: UAF in SSH sha256 fingerprint check | Tue May 09 12:16:16 2023 Wed May 17 06:41:12 2023 | 7.77 | 06:00 UTC on May 17th | CVE-2023-28319 |
curl | [vs-plain] : curl pre-notification: CVE-2023-28320 (2/4) [oss-security] curl: CVE-2023-28320: siglongjmp race condition | Tue May 09 12:16:30 2023 Wed May 17 06:41:18 2023 | 7.77 | 06:00 UTC on May 17th | CVE-2023-28320 |
curl | [vs-plain] : curl pre-notification: CVE-2023-28321 (3/4) [oss-security] curl: CVE-2023-28321: IDN wildcard match | Tue May 09 12:17:16 2023 Wed May 17 06:41:21 2023 | 7.77 | 06:00 UTC on May 17th | CVE-2023-28321 |
curl | [vs-plain] : curl pre-notification: CVE-2023-28322 (4/4) [oss-security] curl: CVE-2023-28322: more POST-after-PUT confusion | Tue May 09 12:17:29 2023 Wed May 17 06:41:26 2023 | 7.77 | 06:00 UTC on May 17th | CVE-2023-28322 |
cups-filters | [vs-plain] CVE-2023-24805: RCE in cups-filters, beh CUPS backend [oss-security] CVE-2023-24805: RCE in cups-filters, beh CUPS backend | Wed May 10 12:45:42 2023 Wed May 17 12:14:29 2023 | 6.98 | May 17, 2023 | CVE-2023-24805 GHSA-gpxc-v2m8-fr3x |
OpenSSL | [vs-plain] Embargoed OpenSSL security issue [oss-security] OpenSSL Security Advisory | Tue May 16 14:13:29 2023 Tue May 30 13:53:09 2023 | 13.99 | 30th May 2023 | CVE-2023-2650 |
c-ares | [vs-plain] c-ares security vulns [oss-security] c-ares multiple vulnerabilities: CVE-2023-32067, CVE-2023-31147, CVE-2023-31130, CVE-2023-31124 | Fri May 19 23:08:20 2023 Mon May 22 12:53:13 2023 | 2.57 | 5/22/2023 | CVE-2023-32067 CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 |
CUPS | [vs-plain] EMBARGOED CVE-2023-32324 heap buffer overflow in cupsd [oss-security] [vs] CVE-2023-32324 heap buffer overflow in cupsd | Tue May 23 10:06:35 2023 Thu Jun 01 10:49:58 2023 | 9.03 | June 1st 2023, 12:00 PM CET | CVE-2023-32324 |
open-vm-tools | [vs] [EMBARGOED] CVE-2023-20867 [oss-security] CVE-2023-20867: open-vm-tools: Authentication Bypass vulnerability in the vgauth module https://www.vmware.com/security/advisories/VMSA-2023-0013.html | Tue Jun 06 15:31:40 2023 Mon Oct 16 01:49:50 2023 Tue Jun 13 15:31:40 2023 | 131.43 7.00 | June 13th, 2023 | CVE-2023-20867 VMSA-2023-0013 |
cpdb-libs | [vs-plain] CVE-2023-34095: Buffer overflows via scanf [oss-security] CVE-2023-34095: cpdb-libs: Buffer overflows via scanf | Tue Jun 06 17:37:22 2023 Wed Jun 14 17:18:55 2023 | 7.99 | June 14, 2023 | CVE-2023-34095 GHSA-25j7-9gfc-f46x |
libX11 | [vs-plain] Embargoed X.Org Security Advisory: Buffer overflows in InitExt.c in libX11 prior to 1.8.6 [CVE-2023-3138] [oss-security] Fwd: [ANNOUNCE] X.Org Security Advisory: Sub-object overflows in libX11 | Fri Jun 09 00:16:11 2023 Thu Jun 15 16:40:01 2023 | 6.68 | June 15, 2023 | CVE-2023-3138 |
CUPS | [vs-plain] EMBARGOED CVE-2023-34241 use-after-free in cupsdAcceptClient() [oss-security] CVE-2023-34241: CUPS: use-after-free in cupsdAcceptClient() | Tue Jun 13 10:28:42 2023 Thu Jun 22 10:57:45 2023 | 9.02 | June 22nd, 12:00 PM CET | CVE-2023-34241 |
Linux | [vs-plain] DirtyVMA: Privilege escalation via non-RCU-protected VMA traversal [oss-security] StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability | Wed Jun 14 17:36:30 2023 Wed Jul 05 12:18:37 2023 | 20.78 | June 22 or June 23 June 29, 17:30 UTC Wednesday, July 5 | CVE-2023-3269 StackRot |
Linux | [vs-plain] DECnet vulnerability disclosure [oss-security] CVE-2023-3338: Linux Kernel NULL Pointer Dereference in DECnet | Sat Jun 17 22:58:37 2023 Sat Jun 24 16:24:01 2023 | 6.73 | 7-day embargo | CVE-2023-3338 |
BIND 9 | [vs] … [oss-security] ISC has disclosed two vulnerabilities in BIND 9 (CVE-2023-2828, CVE-2023-2911) | Tue Jun 20 12:08:48 2023 Wed Jun 21 17:14:40 2023 | 1.21 | 21 June 2023 | CVE-2023-2828 CVE-2023-2911 |
curl | [vs-plain] : curl: CVE-2023-32001: fopen race condition [oss-security] curl: fopen race condition: CVE-2023-32001 | Wed Jul 12 08:17:32 2023 Wed Jul 19 06:31:07 2023 | 6.93 | July 19 2023 | CVE-2023-32001 |
AMD Zen2 | [vs-plain] CVE-2023-20593: A use-after-free in AMD Zen2 Processors [oss-security] CVE-2023-20593: A use-after-free in AMD Zen2 Processors https://lore.kernel.org/linux-firmware/20230718231959.3163407-1-john.allen@amd.com/T/#maa00a9e4b26bcdbf0370b24bdb082639ad0b8dd6 | Sat Jul 22 17:42:37 2023 Mon Jul 24 14:28:36 2023 Wed Jul 19 19:18:19 2023 | 1.87 -2.93 | current plan is Monday | CVE-2023-20593 |
Cargo | [vs-plain] CVE-2023-38497: Cargo does not respect the umask when extracting dependencies [oss-security] CVE-2023-38497: Cargo does not respect umask when extracting packages | Mon Jul 31 09:31:14 2023 Thu Aug 03 12:06:04 2023 | 3.11 | August 3rd, 2023 at 12pm UTC | CVE-2023-38497 |
open-vm-tools | [vs] [EMBARGOED] CVE-2023-20900 [oss-security] [Security Advisory] open-vm-tools: SAML token signature bypass vulnerability (CVE-2023-20900) | Thu Aug 24 05:43:34 2023 Thu Aug 31 13:13:52 2023 | 7.31 | August 31st, 2023 | CVE-2023-20900 VMSA-2023-0019 |
curl | [vs-plain] : curl: CVE-2023-38039: HTTP headers eat all memory [oss-security] CVE-2023-38039 curl: HTTP headers eat all memory | Wed Sep 06 06:24:35 2023 Wed Sep 13 06:31:38 2023 | 7.00 | September 13 2023 | CVE-2023-38039 |
Linux | [vs-plain] integer overflow in Linux kernel leading exploitable memory access [oss-security] [CVE-2023-42752] integer overflow in Linux kernel leading to exploitable memory access | Thu Sep 07 23:24:26 2023 Mon Sep 18 23:10:48 2023 | 10.99 | | CVE-2023-42752 |
Linux | [vs-plain] slab-out-of-bound access in the Linux kernel [oss-security] [CVE-2023-42753] Array Indexing error in Linux kernel https://lore.kernel.org/netdev/20230906162525.11079-6-fw@strlen.de/raw | Thu Sep 07 23:41:13 2023 Fri Sep 22 20:18:42 2023 Wed Sep 06 16:25:55 2023 | 14.86 -1.30 | Tentatively on Sep 21 | CVE-2023-42753 |
cups, libppd | [vs-plain] EMBARGOED CVE-2023-4504 cups, libppd: Postscript parsing heap-based buffer overflow [oss-security] CVE-2023-4504 cups, libppd: Postscript parsing heap-based buffer overflow | Tue Sep 12 06:44:19 2023 Wed Sep 20 13:05:26 2023 | 8.26 | September 20th 2023, 14:00 CET | CVE-2023-4504 |
Linux | [vs-plain] null pointer dereference in Linux kernel ipv4 stack [oss-security] [CVE-2023-42754] null pointer dereference in Linux kernel ipv4 stack | Mon Sep 18 21:47:31 2023 Mon Oct 02 20:07:33 2023 | 13.93 | Oct 2 | CVE-2023-42754 |
BIND 9 | [vs] … [oss-security] ISC has disclosed two vulnerabilities in BIND 9 (CVE-2023-3341, CVE-2023-4236) | Tue Sep 19 06:29:56 2023 Wed Sep 20 12:40:08 2023 | 1.26 | 20 September 2023 | CVE-2023-3341 CVE-2023-4236 |
glibc | [vs] CVE-2023-4911 [oss-security] CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so | Tue Sep 19 22:19:39 2023 Tue Oct 03 17:50:56 2023 | 13.81 | October 3, 2023, 17:00 UTC | CVE-2023-4911 |
Linux | [vs-plain] Linux kernel wild pointer access <= v6.2 [oss-security] [CVE-2023-42755] Linux kernel wild pointer access <= v6.2 https://lore.kernel.org/all/CADW8OBtkAf+nGokhD9zCFcmiebL1SM8bJp_oo=pE02BknG9qnQ@mail.gmail.com/ | Sat Sep 23 02:06:51 2023 Mon Sep 25 21:26:18 2023 Fri Sep 08 00:02:06 2023 | 2.81 -15.09 | Sep 29th right away | CVE-2023-42755 |
Linux | [vs-plain] Linux kernel race condition in netfilter [oss-security] [CVE-2023-42756] Linux kernel race condition in netfilter | Sat Sep 23 02:29:21 2023 Wed Sep 27 20:50:38 2023 | 4.76 | Sep 27th | CVE-2023-42756 |
Linux | [vs-plain] NVMe-of/TCP Security Issue Report [oss-security] CVE-2023-5178: Linux NVMe-oF/TCP Driver - UAF in `nvmet_tcp_free_crypto` https://lore.kernel.org/all/20231004173226.5992-1-sj@kernel.org/T/ | Mon Sep 25 09:17:34 2023 Sun Oct 15 15:47:22 2023 Mon Oct 02 10:54:46 2023 | 20.27 7.07 | aware of the 14-day maximum | CVE-2023-5178 |
libcue | [vs] CVE-2023-43641 (GHSL-2023-197) [oss-security] CVE-2023-43641: out-of-bounds array access in libcue 2.2.1 | Tue Sep 26 08:12:41 2023 Mon Oct 09 17:13:07 2023 | 13.38 | 2023-10-09T17+00:00 | CVE-2023-43641 GHSL-2023-197 |
libX11 & libXpm | [vs-plain] Embargoed X.Org Security Advisory: Multiple issues in libX11 & libXpm [oss-security] Fwd: X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17 | Tue Sep 26 17:15:59 2023 Tue Oct 03 16:32:00 2023 | 6.97 | October 3, 2023 | CVE-2023-43785 CVE-2023-43786 CVE-2023-43787 CVE-2023-43788 CVE-2023-43789 |
curl | [vs-plain] : CVE-2023-38545 curl SOCKS5 heap buffer overflow (1/2) [oss-security] [SECURITY ADVISORY] curl: CVE-2023-38545: SOCKS5 heap buffer overflow | Tue Oct 03 06:57:43 2023 Wed Oct 11 05:58:55 2023 | 7.96 | October 11, around 06:00 UTC | CVE-2023-38545 |
curl | [vs-plain] : CVE-2023-38546 curl cookie injection with none file (2/2) [oss-security] [SECURITY ADVISORY] curl: CVE-2023-38546 | Tue Oct 03 06:57:52 2023 Wed Oct 11 05:59:15 2023 | 7.96 | October 11 2023 | CVE-2023-38546 |
OpenSSL | [vs-plain] Embargoed OpenSSL security issue [oss-security] OpenSSL Security Advisory | Tue Oct 10 14:57:08 2023 Tue Oct 24 15:14:46 2023 | 14.01 | 24th October 2023 | CVE-2023-5363 GHSA-q3f8-53qj-r58x |
X.Org X server | [vs-plain] Embargoed X.Org Security Advisory: Multiple issues in X.Org X server [oss-security] FW: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.9 and Xwayland prior to 23.2.2 https://lists.x.org/archives/xorg-announce/2023-October/003430.html | Tue Oct 17 05:13:14 2023 Wed Oct 25 11:06:15 2023 Wed Oct 25 01:53:55 2023 | 8.25 7.86 | October 25, 2023 | CVE-2023-5367 CVE-2023-5380 CVE-2023-5574 ZDI-CAN-22153 ZDI-CAN-21608 ZDI-CAN-21213 |
open-vm-tools | [vs-plain] SAML Bypass in VMware Tools CVE-2023-34058 [oss-security] CVE-2023-34058 - SAML Token Signature Bypass in open-vm-tools | Thu Oct 19 18:43:23 2023 Fri Oct 27 08:36:14 2023 | 7.58 | October 26th, 2023 | CVE-2023-34058 |
open-vm-tools | [vs-plain] file descriptor hijack in VMware Tools CVE-2023-34059 [oss-security] CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools | Thu Oct 19 18:43:46 2023 Fri Oct 27 08:36:17 2023 | 7.58 | October 26th, 2023 | CVE-2023-34059 |
Intel CPUs | [vs] … [oss-security] CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) | Thu Nov 09 23:51:52 2023 Tue Nov 14 18:36:44 2023 | 4.78 | November 14th, 10 am Pacific Time | CVE-2023-23583 |
curl | [vs-plain] : curl pre-notification: CVE-2023-46218 (1/2) [oss-security] [SECURITY ADVISORY] curl: cookie mixed case PSL bypass https://github.com/curl/curl/pull/12387 | Tue Nov 28 07:04:22 2023 Wed Dec 06 07:29:18 2023 Thu Nov 23 07:16:00 2023 | 8.02 -4.99 | 07:00 UTC on December 6 | CVE-2023-46218 |
curl | [vs-plain] : curl pre-notification: CVE-2023-46219 (2/2) [oss-security] [SECURITY ADVISORY] curl: HSTS long file name clears contents https://github.com/curl/curl/pull/12388 | Tue Nov 28 07:04:40 2023 Wed Dec 06 07:29:58 2023 Thu Nov 23 07:24:00 2023 | 8.02 -4.99 | 07:00 UTC on December 6 | CVE-2023-46219 |
X.Org X server and Xwayland | [vs-plain] Embargoed X.Org Security Advisory: Issues in X server and Xwayland [oss-security] FW: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.10 and Xwayland prior to 23.2.3 https://lists.x.org/archives/xorg-announce/2023-December/003435.html | Tue Dec 05 21:17:38 2023 Wed Dec 13 13:03:51 2023 Wed Dec 13 02:02:10 2023 | 7.66 7.20 | December 13, 2023 00:00 UTC | CVE-2023-6377 CVE-2023-6478 ZDI-CAN-22412 ZDI-CAN-22413 ZDI-CAN-22561 |
SSH protocol | [vs] … [oss-security] CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack) https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ | Mon Dec 11 15:40:29 2023 Mon Dec 18 16:47:26 2023 Tue Dec 12 20:56:36 2023 | 7.05 1.22 | 18th of December 2023 15:00 UTC | CVE-2023-48795 |
Debian cpio | [vs-plain] Security vulnerability in Debian's cpio 2.13 [oss-security] Security vulnerability in Debian's cpio 2.13 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059163 | Sun Dec 17 15:50:53 2023 Thu Dec 21 16:50:17 2023 Wed Dec 20 19:03:02 2023 | 4.04 3.13 | 2023-12-27 | |
xarchiver | [vs-plain] xarchiver: Path traversal with crafted cpio archives [oss-security] xarchiver: Path traversal with crafted cpio archives | Sun Dec 17 15:50:53 2023 Wed Dec 27 13:42:05 2023 | 9.91 | 2023-12-27 | |
These files were manually created based on review of the e-mail threads and external resources referenced from there. They were processed with this Perl script to produce the tables above. You should be able to reproduce that.
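As an added example (not the Perl script referenced above), the following Python recomputes the two embargo durations and the monthly summary from rows of the per-report table, applying the rules stated in the notes above: first embargo = oss-security time minus (linux-)distros time, second embargo = time elsewhere minus (linux-)distros time (may be negative), and reports with a negative first embargo are treated as non-embargoed and left out of the average, median and minimum. The sample rows are copied from the table above; the `SAMPLE_ROWS` layout and function names are this example's own.

```python
"""Recompute embargo durations and the monthly summary from per-report rows."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, median

# Timestamp form used in the table, e.g. "Thu Jan 05 16:48:35 2023" (all UTC).
TS_FMT = "%a %b %d %H:%M:%S %Y"
SECONDS_PER_DAY = 86400

# Rows copied from the per-report table: (project, distros, oss-security, elsewhere or None).
SAMPLE_ROWS = [
    ("Cargo", "Thu Jan 05 16:48:35 2023", "Tue Jan 10 16:58:09 2023", None),
    ("Linux", "Sun Jan 15 05:13:23 2023", "Wed Jan 18 08:32:11 2023", "Sun Jan 08 22:09:37 2023"),
    ("Linux", "Wed Feb 22 17:24:49 2023", "Tue Jan 17 17:13:45 2023", "Mon Jan 16 11:12:09 2023"),
    ("curl", "Tue Feb 07 09:36:32 2023", "Wed Feb 15 07:29:04 2023", "Thu Dec 22 15:14:00 2022"),
    ("git", "Tue Feb 07 16:47:06 2023", "Tue Feb 14 18:09:06 2023", None),
]


def parse_ts(text):
    """Parse a table timestamp as UTC."""
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def days_between(start, end):
    """Signed fractional days from start to end (negative when end precedes start)."""
    return (parse_ts(end) - parse_ts(start)).total_seconds() / SECONDS_PER_DAY


def embargo_days(distros, oss_security, elsewhere=None):
    """Return (first, second) embargo durations in days, rounded as in the table.

    first  = delay from the (linux-)distros posting to the oss-security posting
    second = delay from the (linux-)distros posting to the first public posting
             elsewhere, negative when that posting came earlier; None if there
             was no such posting.
    """
    first = days_between(distros, oss_security)
    second = days_between(distros, elsewhere) if elsewhere else None
    return round(first, 2), (None if second is None else round(second, 2))


def monthly_summary(rows):
    """Group rows by the month of the (linux-)distros posting and compute
    All reports / Embargoed / Average / Median / Min / Max plus a Total line."""
    by_month = defaultdict(list)
    for _project, distros, oss_security, _elsewhere in rows:
        by_month[parse_ts(distros).strftime("%Y-%m")].append(days_between(distros, oss_security))

    def stats(durations):
        # Non-embargoed: the issue was on oss-security before it reached distros.
        embargoed = [d for d in durations if d > 0]
        out = {"all": len(durations), "embargoed": len(embargoed),
               "avg": None, "median": None, "min": None,
               # The notes exclude non-embargoed reports only from avg/median/min.
               "max": round(max(durations), 2)}
        if embargoed:
            out.update(avg=round(mean(embargoed), 2), median=round(median(embargoed), 2),
                       min=round(min(embargoed), 2))
        return out

    summary = {month: stats(ds) for month, ds in sorted(by_month.items())}
    summary["Total"] = stats([d for ds in by_month.values() for d in ds])
    return summary


if __name__ == "__main__":
    for project, distros, oss_security, elsewhere in SAMPLE_ROWS:
        print(project, embargo_days(distros, oss_security, elsewhere))
    for month, line in monthly_summary(SAMPLE_ROWS).items():
        print(month, line)
```

Running it on the five sample rows reproduces the table's per-report values (5.01; 3.14 and -6.29; -36.01 and -37.26; 7.91 and -46.77; 7.06) and shows the February non-embargoed row counted under "All reports" but not under "Embargoed".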