This is an old revision of the document!
Statistics are grouped by month of the issue being reported to the private list.
| Month | Reports | Average | Median | Min | Max embargo days |
|---|---|---|---|---|---|
| 2023-06 | 7 | 26.26 | 7.99 | 1.21 | 131.43 |
| 2023-07 | 3 | 3.97 | 3.11 | 1.87 | 6.93 |
| 2023-08 | 1 | 7.31 | 7.31 | 7.31 | 7.31 |
| 2023-09 | 12 | 9.86 | 9.63 | 1.26 | 20.27 |
| Total | 23 | 13.97 | 7.31 | 1.21 | 131.43 |
| Project | Subjects/titles/links | Time at distros (UTC) … oss-security (UTC) Elsewhere (UTC) | Embargo days | Planned CRD(s) (exact wording) | CVE(s) |
|---|---|---|---|---|---|
| open-vm-tools | [vs] [EMBARGOED] CVE-2023-20867 [oss-security] CVE-2023-20867: open-vm-tools: Authentication Bypass vulnerability in the vgauth module https://www.vmware.com/security/advisories/VMSA-2023-0013.html | Tue Jun 06 15:31:40 2023 Mon Oct 16 01:49:50 2023 Tue Jun 13 15:31:40 2023 | 131.43 7.00 | June 13th, 2023 | CVE-2023-20867 VMSA-2023-0013 |
| cpdb-libs | [vs-plain] CVE-2023-34095: Buffer overflows via scanf [oss-security] CVE-2023-34095: cpdb-libs: Buffer overflows via scanf | Tue Jun 06 17:37:22 2023 Wed Jun 14 17:18:55 2023 | 7.99 | June 14, 2023 | CVE-2023-34095 GHSA-25j7-9gfc-f46x |
| libX11 | [vs-plain] Embargoed X.Org Security Advisory: Buffer overflows in InitExt.c in libX11 prior to 1.8.6 [CVE-2023-3138] [oss-security] Fwd: [ANNOUNCE] X.Org Security Advisory: Sub-object overflows in libX11 | Fri Jun 09 00:16:11 2023 Thu Jun 15 16:40:01 2023 | 6.68 | June 15, 2023 | CVE-2023-3138 |
| CUPS | [vs-plain] EMBARGOED CVE-2023-34241 use-after-free in cupsdAcceptClient() [oss-security] CVE-2023-34241: CUPS: use-after-free in cupsdAcceptClient() | Tue Jun 13 10:28:42 2023 Thu Jun 22 10:57:45 2023 | 9.02 | June 22nd, 12:00 PM CET | CVE-2023-34241 |
| Linux | [vs-plain] DirtyVMA: Privilege escalation via non-RCU-protected VMA traversal [oss-security] StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability | Wed Jun 14 17:36:30 2023 Wed Jul 05 12:18:37 2023 | 20.78 | June 22 or June 23 June 29, 17:30 UTC Wednesday, July 5 | CVE-2023-3269 StackRot |
| Linux | [vs-plain] DECnet vulnerability disclosure [oss-security] CVE-2023-3338: Linux Kernel NULL Pointer Dereference in DECnet | Sat Jun 17 22:58:37 2023 Sat Jun 24 16:24:01 2023 | 6.73 | 7-day embargo | CVE-2023-3338 |
| BIND 9 | [vs] … [oss-security] ISC has disclosed two vulnerabilities in BIND 9 (CVE-2023-2828, CVE-2023-2911) | Tue Jun 20 12:08:48 2023 Wed Jun 21 17:14:40 2023 | 1.21 | 21 June 2023 | CVE-2023-2828 CVE-2023-2911 |
| curl | [vs-plain] : curl: CVE-2023-32001: fopen race condition [oss-security] curl: fopen race condition: CVE-2023-32001 | Wed Jul 12 08:17:32 2023 Wed Jul 19 06:31:07 2023 | 6.93 | July 19 2023 | CVE-2023-32001 |
| AMD Zen2 | [vs-plain] CVE-2023-20593: A use-after-free in AMD Zen2 Processors [oss-security] CVE-2023-20593: A use-after-free in AMD Zen2 Processors https://lore.kernel.org/linux-firmware/20230718231959.3163407-1-john.allen@amd.com/T/#maa00a9e4b26bcdbf0370b24bdb082639ad0b8dd6 | Sat Jul 22 17:42:37 2023 Mon Jul 24 14:28:36 2023 Wed Jul 19 19:18:19 2023 | 1.87 -2.93 | current plan is Monday | CVE-2023-20593 |
| Cargo | [vs-plain] CVE-2023-38497: Cargo does not respect the umask when extracting dependencies [oss-security] CVE-2023-38497: Cargo does not respect umask when extracting packages | Mon Jul 31 09:31:14 2023 Thu Aug 03 12:06:04 2023 | 3.11 | August 3rd, 2023 at 12pm UTC | CVE-2023-38497 |
| open-vm-tools | [vs] [EMBARGOED] CVE-2023-20900 [oss-security] [Security Advisory] open-vm-tools: SAML token signature bypass vulnerability (CVE-2023-20900) | Thu Aug 24 05:43:34 2023 Thu Aug 31 13:13:52 2023 | 7.31 | August 31st, 2023 | CVE-2023-20900 VMSA-2023-0019 |
| curl | [vs-plain] : curl: CVE-2023-38039: HTTP headers eat all memory [oss-security] CVE-2023-38039 curl: HTTP headers eat all memory | Wed Sep 06 06:24:35 2023 Wed Sep 13 06:31:38 2023 | 7.00 | September 13 2023 | CVE-2023-38039 |
| Linux | [vs-plain] integer overflow in Linux kernel leading exploitable memory access [oss-security] [CVE-2023-42752] integer overflow in Linux kernel leading to exploitable memory access | Thu Sep 07 23:24:26 2023 Mon Sep 18 23:10:48 2023 | 10.99 | CVE-2023-42752 | |
| Linux | [vs-plain] slab-out-of-bound access in the Linux kernel [oss-security] [CVE-2023-42753] Array Indexing error in Linux kernel https://lore.kernel.org/netdev/20230906162525.11079-6-fw@strlen.de/raw | Thu Sep 07 23:41:13 2023 Fri Sep 22 20:18:42 2023 Wed Sep 06 16:25:55 2023 | 14.86 -1.30 | Tentatively on Sep 21 | CVE-2023-42753 |
| cups, libppd | [vs-plain] EMBARGOED CVE-2023-4504 cups, libppd: Postscript parsing heap-based buffer overflow [oss-security] CVE-2023-4504 cups, libppd: Postscript parsing heap-based buffer overflow | Tue Sep 12 06:44:19 2023 Wed Sep 20 13:05:26 2023 | 8.26 | September 20th 2023, 14:00 CET | CVE-2023-4504 |
| Linux | [vs-plain] null pointer dereference in Linux kernel ipv4 stack [oss-security] [CVE-2023-42754] null pointer dereference in Linux kernel ipv4 stack | Mon Sep 18 21:47:31 2023 Mon Oct 02 20:07:33 2023 | 13.93 | Oct 2 | CVE-2023-42754 |
| BIND 9 | [vs] … [oss-security] ISC has disclosed two vulnerabilities in BIND 9 (CVE-2023-3341, CVE-2023-4236) | Tue Sep 19 06:29:56 2023 Wed Sep 20 12:40:08 2023 | 1.26 | 20 September 2023 | CVE-2023-3341 CVE-2023-4236 |
| glibc | [vs] CVE-2023-4911 [oss-security] CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so | Tue Sep 19 22:19:39 2023 Tue Oct 03 17:50:56 2023 | 13.81 | October 3, 2023, 17:00 UTC | CVE-2023-4911 |
| Linux | [vs-plain] Linux kernel wild pointer access ⇐ v6.2 [oss-security] [CVE-2023-42755] Linux kernel wild pointer access <= v6.2 https://lore.kernel.org/all/CADW8OBtkAf+nGokhD9zCFcmiebL1SM8bJp_oo=pE02BknG9qnQ@mail.gmail.com/ | Sat Sep 23 02:06:51 2023 Mon Sep 25 21:26:18 2023 Fri Sep 08 00:02:06 2023 | 2.81 -15.09 | Sep 29th right away | CVE-2023-42755 |
| Linux | [vs-plain] Linux kernel race condition in netfilter [oss-security] [CVE-2023-42756] Linux kernel race condition in netfilter | Sat Sep 23 02:29:21 2023 Wed Sep 27 20:50:38 2023 | 4.76 | Sep 27th | CVE-2023-42756 |
| Linux | [vs-plain] NVMe-of/TCP Security Issue Report [oss-security] CVE-2023-5178: Linux NVMe-oF/TCP Driver - UAF in `nvmet_tcp_free_crypto` https://lore.kernel.org/all/20231004173226.5992-1-sj@kernel.org/T/ | Mon Sep 25 09:17:34 2023 Sun Oct 15 15:47:22 2023 Mon Oct 02 10:54:46 2023 | 20.27 7.07 | aware of the 14-day maximum | CVE-2023-5178 |
| libcue | [vs] CVE-2023-43641 (GHSL-2023-197) [oss-security] CVE-2023-43641: out-of-bounds array access in libcue 2.2.1 | Tue Sep 26 08:12:41 2023 Mon Oct 09 17:13:07 2023 | 13.38 | 2023-10-09T17+00:00 | CVE-2023-43641 GHSL-2023-197 |
| libX11 & libXpm | [vs-plain] Embargoed X.Org Security Advisory: Multiple issues in libX11 & libXpm [oss-security] Fwd: X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17 | Tue Sep 26 17:15:59 2023 Tue Oct 03 16:32:00 2023 | 6.97 | October 3, 2023 | CVE-2023-43785 CVE-2023-43786 CVE-2023-43787 CVE-2023-43788 CVE-2023-43789 |
The data here is unfortunately incomplete and unreliable, resulting from automated processing of input that wasn't meant to be fully machine-readable.
| Project | Subject | Reported | Coordinated Release Date | Time of oss-security posting | CVE(s) | Days embargoed (scheduled) | Days embargoed (oss-security) |
|---|---|---|---|---|---|---|---|
| February | |||||||
| less CVE-2022-46663 | 2023-02-01T06:55:51+00:00 | 2023-02-08T06:55:51+00:00 | 2023-02-07T18:49:47+00:00 | CVE-2022-46663 | 7.00 | 6.46 | |
| January | |||||||
| Preview of X.Org Security Advisory for 2023-02-07 | 2023-01-30T22:33:32+00:00 | 2023-02-06T22:33:32+00:00 | 2023-02-07T01:36:35+00:00 | CVE-2022-0494 CVE-2023-0494 | 7.00 | 7.12 | |
| pesign: Local privilege escalation on pesign systemd service | 2023-01-27T20:44:55+00:00 | 2023-02-03T20:44:55+00:00 | 2023-01-31T15:59:19+00:00 | CVE-2022-3560 | 7.00 | 3.79 | |
| Embargoed OpenSSL security issues | 2023-01-25T12:02:01+00:00 | 2023-02-07T00:00:00+00:00 | 2023-02-07T19:28:51+00:00 | CVE-2022-4203 CVE-2022-4304 CVE-2022-4450 CVE-2023-0215 CVE-2023-0216 CVE-2023-0217 CVE-2023-0286 CVE-2023-0401 | 12.46 | 13.29 | |
| … | 2023-01-24T11:58:47+00:00 | 2023-01-31T11:58:47+00:00 | 2023-01-25T17:05:43+00:00 | CVE-2022-3094 CVE-2022-3736 CVE-2022-3924 | 7.00 | 1.21 | |
| Re: Vulnerability in OpenStack Cinder, Glance, Nova (CVE-2022-47951) | 2023-01-17T21:53:09+00:00 | 2023-01-24T21:53:09+00:00 | 2023-01-24T16:08:18+00:00 | CVE-2022-47951 | 7.00 | 6.75 | |
| null pointer dereference in Linux kernel | 2023-01-15T05:12:43+00:00 | 2023-01-22T05:12:43+00:00 | 2023-01-18T20:26:46+00:00 | CVE-2023-0394 | 7.00 | 3.62 | |
| Re: PowerDNS pre-notification: EMBARGO: PowerDNS Security Advisory 2023-01: PowerDNS Recursor 4.8.0 unbounded recursion results in program termination | 2023-01-13T11:17:46+00:00 | 2023-01-20T11:17:46+00:00 | 2023-01-20T12:19:43+00:00 | CVE-2023-22617 | 7.00 | 7.04 | |
| Re: Embargoed X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15 | 2023-01-12T23:41:22+00:00 | 2023-01-19T23:41:22+00:00 | 2023-01-17T16:47:45+00:00 | CVE-2022-4883 | 7.00 | 4.71 | |
| … | 2023-01-12T14:17:07+00:00 | 2023-01-19T14:17:07+00:00 | 2023-01-19T00:33:43+00:00 | CVE-2023-22809 | 7.00 | 6.42 | |
| Netfilter vulnerability disclosure | 2023-01-11T01:26:17+00:00 | 2023-01-18T01:26:17+00:00 | 2023-01-13T15:22:47+00:00 | CVE-2022-1015 CVE-2023-0179 | 7.00 | 2.54 | |
| Re: Vulnerability in OpenStack Swift (CVE-2022-47950) | 2023-01-11T00:35:00+00:00 | 2023-01-18T00:35:00+00:00 | 2023-01-17T16:01:11+00:00 | CVE-2022-47950 | 7.00 | 6.62 | |
| Upcoming Git security fix release | 2023-01-10T23:08:02+00:00 | 2023-01-17T23:08:02+00:00 | 2023-01-17T18:06:10+00:00 | CVE-2022-23521 CVE-2022-41903 | 7.00 | 6.75 | |
| Embargoed X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15 | 2023-01-10T18:12:18+00:00 | 2023-01-17T18:12:18+00:00 | 2023-01-17T16:47:45+00:00 | CVE-2022-44617 CVE-2022-46285 CVE-2022-4883 | 7.00 | 6.92 | |
| Re: CVE-2022-46176: Cargo does not check SSH host keys | 2023-01-05T16:48:13+00:00 | 2023-01-12T16:48:13+00:00 | 2023-01-10T16:45:06+00:00 | CVE-2022-46176 | 7.00 | 4.96 | |