Statistics are grouped by month of the issue being reported to the private list.
Month | Reports | Average (days) | Median (days) | Min (days) | Max (days) |
---|---|---|---|---|---|
2023-05 | 12 | 7.51 | 7.68 | 2.57 | 13.99 |
2023-06 | 7 | 26.26 | 7.99 | 1.21 | 131.43 |
2023-07 | 3 | 3.97 | 3.11 | 1.87 | 6.93 |
2023-08 | 1 | 7.31 | 7.31 | 7.31 | 7.31 |
2023-09 | 12 | 9.86 | 9.63 | 1.26 | 20.27 |
Total | 35 | 11.76 | 7.60 | 1.21 | 131.43 |
Project | Subjects/titles/links | Time at distros (UTC) … oss-security (UTC) Elsewhere (UTC) | Embargo days (to oss-security posting, then to the elsewhere posting where one exists) | Planned CRD(s) (exact wording) | CVE(s) |
---|---|---|---|---|---|
Linux | [vs-plain] Linux kernel LPE due to use-after-free in Netfilter nf_tables [oss-security] [CVE-2023-32233] Linux kernel use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary reads and writes in kernel memory https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c1592a89942e9678f7d9c8030efa777c0d57edab | Tue May 02 08:28:08 2023 Mon May 08 15:58:45 2023 Wed May 03 06:24:32 2023 | 6.31 0.91 | Once the fix becomes public Monday (May 8th) | CVE-2023-32233 |
Linux | [vs-plain] linux >= 6.3-rc4: OOB physical memory read/write via io_uring [oss-security] Linux kernel io_uring out-of-bounds access to physical memory https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=776617db78c6d208780e7c69d4d68d1fa82913de | Tue May 02 16:28:39 2023 Mon May 08 14:34:55 2023 Wed May 03 15:00:22 2023 | 5.92 0.94 | 2023-05-08 15:00 UTC 12:00 UTC, Sunday 2023-05-07 | CVE-2023-2598 |
OpenStack | [vs] Vulnerability in OpenStack cinder, glance_store, nova, os-brick (CVE-2023-2088) [oss-security] [OSSA-2023-003] cinder, glance_store, nova, os-brick: Unauthorized volume access through deleted volume attachments (CVE-2023-2088) | Thu May 04 00:57:23 2023 Wed May 10 17:21:16 2023 | 6.68 | 2023-05-10, 1500UTC | CVE-2023-2088 OSSA-2023-003 |
libcap | [vs-plain] pre-announcement libcap-2.69 release 2023-05-15 [oss-security] libcap-2.69 addresses 2 CVEs https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe | Mon May 08 01:41:19 2023 Mon May 15 16:00:06 2023 Mon May 15 02:10:04 2023 | 7.60 7.02 | 2023-05-15 | LCAP-CR-23-01 LCAP-CR-23-02 CVE-2023-2602 CVE-2023-2603 |
curl | [vs-plain] : curl pre-notification: CVE-2023-28319 (1/4) [oss-security] curl: CVE-2023-28319: UAF in SSH sha256 fingerprint check | Tue May 09 12:16:16 2023 Wed May 17 06:41:12 2023 | 7.77 | 06:00 UTC on May 17th | CVE-2023-28319 |
curl | [vs-plain] : curl pre-notification: CVE-2023-28320 (2/4) [oss-security] curl: CVE-2023-28320: siglongjmp race condition | Tue May 09 12:16:30 2023 Wed May 17 06:41:18 2023 | 7.77 | 06:00 UTC on May 17th | CVE-2023-28320 |
curl | [vs-plain] : curl pre-notification: CVE-2023-28321 (3/4) [oss-security] curl: CVE-2023-28321: IDN wildcard match | Tue May 09 12:17:16 2023 Wed May 17 06:41:21 2023 | 7.77 | 06:00 UTC on May 17th | CVE-2023-28321 |
curl | [vs-plain] : curl pre-notification: CVE-2023-28322 (4/4) [oss-security] curl: CVE-2023-28322: more POST-after-PUT confusion | Tue May 09 12:17:29 2023 Wed May 17 06:41:26 2023 | 7.77 | 06:00 UTC on May 17th | CVE-2023-28322 |
cups-filters | [vs-plain] CVE-2023-24805: RCE in cups-filters, beh CUPS backend [oss-security] CVE-2023-24805: RCE in cups-filters, beh CUPS backend | Wed May 10 12:45:42 2023 Wed May 17 12:14:29 2023 | 6.98 | May 17, 2023 | CVE-2023-24805 GHSA-gpxc-v2m8-fr3x |
OpenSSL | [vs-plain] Embargoed OpenSSL security issue [oss-security] OpenSSL Security Advisory | Tue May 16 14:13:29 2023 Tue May 30 13:53:09 2023 | 13.99 | 30th May 2023 | CVE-2023-2650 |
c-ares | [vs-plain] c-ares security vulns [oss-security] c-ares multiple vulnerabilities: CVE-2023-32067, CVE-2023-31147, CVE-2023-31130, CVE-2023-31124 | Fri May 19 23:08:20 2023 Mon May 22 12:53:13 2023 | 2.57 | 5/22/2023 | CVE-2023-32067 CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 |
CUPS | [vs-plain] EMBARGOED CVE-2023-32324 heap buffer overflow in cupsd [oss-security] [vs] CVE-2023-32324 heap buffer overflow in cupsd | Tue May 23 10:06:35 2023 Thu Jun 01 10:49:58 2023 | 9.03 | June 1st 2023, 12:00 PM CET | CVE-2023-32324 |
open-vm-tools | [vs] [EMBARGOED] CVE-2023-20867 [oss-security] CVE-2023-20867: open-vm-tools: Authentication Bypass vulnerability in the vgauth module https://www.vmware.com/security/advisories/VMSA-2023-0013.html | Tue Jun 06 15:31:40 2023 Mon Oct 16 01:49:50 2023 Tue Jun 13 15:31:40 2023 | 131.43 7.00 | June 13th, 2023 | CVE-2023-20867 VMSA-2023-0013 |
cpdb-libs | [vs-plain] CVE-2023-34095: Buffer overflows via scanf [oss-security] CVE-2023-34095: cpdb-libs: Buffer overflows via scanf | Tue Jun 06 17:37:22 2023 Wed Jun 14 17:18:55 2023 | 7.99 | June 14, 2023 | CVE-2023-34095 GHSA-25j7-9gfc-f46x |
libX11 | [vs-plain] Embargoed X.Org Security Advisory: Buffer overflows in InitExt.c in libX11 prior to 1.8.6 [CVE-2023-3138] [oss-security] Fwd: [ANNOUNCE] X.Org Security Advisory: Sub-object overflows in libX11 | Fri Jun 09 00:16:11 2023 Thu Jun 15 16:40:01 2023 | 6.68 | June 15, 2023 | CVE-2023-3138 |
CUPS | [vs-plain] EMBARGOED CVE-2023-34241 use-after-free in cupsdAcceptClient() [oss-security] CVE-2023-34241: CUPS: use-after-free in cupsdAcceptClient() | Tue Jun 13 10:28:42 2023 Thu Jun 22 10:57:45 2023 | 9.02 | June 22nd, 12:00 PM CET | CVE-2023-34241 |
Linux | [vs-plain] DirtyVMA: Privilege escalation via non-RCU-protected VMA traversal [oss-security] StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability | Wed Jun 14 17:36:30 2023 Wed Jul 05 12:18:37 2023 | 20.78 | June 22 or June 23 June 29, 17:30 UTC Wednesday, July 5 | CVE-2023-3269 StackRot |
Linux | [vs-plain] DECnet vulnerability disclosure [oss-security] CVE-2023-3338: Linux Kernel NULL Pointer Dereference in DECnet | Sat Jun 17 22:58:37 2023 Sat Jun 24 16:24:01 2023 | 6.73 | 7-day embargo | CVE-2023-3338 |
BIND 9 | [vs] … [oss-security] ISC has disclosed two vulnerabilities in BIND 9 (CVE-2023-2828, CVE-2023-2911) | Tue Jun 20 12:08:48 2023 Wed Jun 21 17:14:40 2023 | 1.21 | 21 June 2023 | CVE-2023-2828 CVE-2023-2911 |
curl | [vs-plain] : curl: CVE-2023-32001: fopen race condition [oss-security] curl: fopen race condition: CVE-2023-32001 | Wed Jul 12 08:17:32 2023 Wed Jul 19 06:31:07 2023 | 6.93 | July 19 2023 | CVE-2023-32001 |
AMD Zen2 | [vs-plain] CVE-2023-20593: A use-after-free in AMD Zen2 Processors [oss-security] CVE-2023-20593: A use-after-free in AMD Zen2 Processors https://lore.kernel.org/linux-firmware/20230718231959.3163407-1-john.allen@amd.com/T/#maa00a9e4b26bcdbf0370b24bdb082639ad0b8dd6 | Sat Jul 22 17:42:37 2023 Mon Jul 24 14:28:36 2023 Wed Jul 19 19:18:19 2023 | 1.87 -2.93 | current plan is Monday | CVE-2023-20593 |
Cargo | [vs-plain] CVE-2023-38497: Cargo does not respect the umask when extracting dependencies [oss-security] CVE-2023-38497: Cargo does not respect umask when extracting packages | Mon Jul 31 09:31:14 2023 Thu Aug 03 12:06:04 2023 | 3.11 | August 3rd, 2023 at 12pm UTC | CVE-2023-38497 |
open-vm-tools | [vs] [EMBARGOED] CVE-2023-20900 [oss-security] [Security Advisory] open-vm-tools: SAML token signature bypass vulnerability (CVE-2023-20900) | Thu Aug 24 05:43:34 2023 Thu Aug 31 13:13:52 2023 | 7.31 | August 31st, 2023 | CVE-2023-20900 VMSA-2023-0019 |
curl | [vs-plain] : curl: CVE-2023-38039: HTTP headers eat all memory [oss-security] CVE-2023-38039 curl: HTTP headers eat all memory | Wed Sep 06 06:24:35 2023 Wed Sep 13 06:31:38 2023 | 7.00 | September 13 2023 | CVE-2023-38039 |
Linux | [vs-plain] integer overflow in Linux kernel leading exploitable memory access [oss-security] [CVE-2023-42752] integer overflow in Linux kernel leading to exploitable memory access | Thu Sep 07 23:24:26 2023 Mon Sep 18 23:10:48 2023 | 10.99 | | CVE-2023-42752 |
Linux | [vs-plain] slab-out-of-bound access in the Linux kernel [oss-security] [CVE-2023-42753] Array Indexing error in Linux kernel https://lore.kernel.org/netdev/20230906162525.11079-6-fw@strlen.de/raw | Thu Sep 07 23:41:13 2023 Fri Sep 22 20:18:42 2023 Wed Sep 06 16:25:55 2023 | 14.86 -1.30 | Tentatively on Sep 21 | CVE-2023-42753 |
cups, libppd | [vs-plain] EMBARGOED CVE-2023-4504 cups, libppd: Postscript parsing heap-based buffer overflow [oss-security] CVE-2023-4504 cups, libppd: Postscript parsing heap-based buffer overflow | Tue Sep 12 06:44:19 2023 Wed Sep 20 13:05:26 2023 | 8.26 | September 20th 2023, 14:00 CET | CVE-2023-4504 |
Linux | [vs-plain] null pointer dereference in Linux kernel ipv4 stack [oss-security] [CVE-2023-42754] null pointer dereference in Linux kernel ipv4 stack | Mon Sep 18 21:47:31 2023 Mon Oct 02 20:07:33 2023 | 13.93 | Oct 2 | CVE-2023-42754 |
BIND 9 | [vs] … [oss-security] ISC has disclosed two vulnerabilities in BIND 9 (CVE-2023-3341, CVE-2023-4236) | Tue Sep 19 06:29:56 2023 Wed Sep 20 12:40:08 2023 | 1.26 | 20 September 2023 | CVE-2023-3341 CVE-2023-4236 |
glibc | [vs] CVE-2023-4911 [oss-security] CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so | Tue Sep 19 22:19:39 2023 Tue Oct 03 17:50:56 2023 | 13.81 | October 3, 2023, 17:00 UTC | CVE-2023-4911 |
Linux | [vs-plain] Linux kernel wild pointer access <= v6.2 [oss-security] [CVE-2023-42755] Linux kernel wild pointer access <= v6.2 https://lore.kernel.org/all/CADW8OBtkAf+nGokhD9zCFcmiebL1SM8bJp_oo=pE02BknG9qnQ@mail.gmail.com/ | Sat Sep 23 02:06:51 2023 Mon Sep 25 21:26:18 2023 Fri Sep 08 00:02:06 2023 | 2.81 -15.09 | Sep 29th right away | CVE-2023-42755 |
Linux | [vs-plain] Linux kernel race condition in netfilter [oss-security] [CVE-2023-42756] Linux kernel race condition in netfilter | Sat Sep 23 02:29:21 2023 Wed Sep 27 20:50:38 2023 | 4.76 | Sep 27th | CVE-2023-42756 |
Linux | [vs-plain] NVMe-of/TCP Security Issue Report [oss-security] CVE-2023-5178: Linux NVMe-oF/TCP Driver - UAF in `nvmet_tcp_free_crypto` https://lore.kernel.org/all/20231004173226.5992-1-sj@kernel.org/T/ | Mon Sep 25 09:17:34 2023 Sun Oct 15 15:47:22 2023 Mon Oct 02 10:54:46 2023 | 20.27 7.07 | aware of the 14-day maximum | CVE-2023-5178 |
libcue | [vs] CVE-2023-43641 (GHSL-2023-197) [oss-security] CVE-2023-43641: out-of-bounds array access in libcue 2.2.1 | Tue Sep 26 08:12:41 2023 Mon Oct 09 17:13:07 2023 | 13.38 | 2023-10-09T17+00:00 | CVE-2023-43641 GHSL-2023-197 |
libX11 & libXpm | [vs-plain] Embargoed X.Org Security Advisory: Multiple issues in libX11 & libXpm [oss-security] Fwd: X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17 | Tue Sep 26 17:15:59 2023 Tue Oct 03 16:32:00 2023 | 6.97 | October 3, 2023 | CVE-2023-43785 CVE-2023-43786 CVE-2023-43787 CVE-2023-43788 CVE-2023-43789 |
The data below is unfortunately incomplete and unreliable, because it results from automated processing of input that wasn't meant to be fully machine-readable.
Project | Subject | Reported | Coordinated Release Date | Time of oss-security posting | CVE(s) | Days embargoed (scheduled) | Days embargoed (oss-security) |
---|---|---|---|---|---|---|---|
February | |||||||
less | CVE-2022-46663 | 2023-02-01T06:55:51+00:00 | 2023-02-08T06:55:51+00:00 | 2023-02-07T18:49:47+00:00 | CVE-2022-46663 | 7.00 | 6.46 |
January | |||||||
X.Org | Preview of X.Org Security Advisory for 2023-02-07 | 2023-01-30T22:33:32+00:00 | 2023-02-06T22:33:32+00:00 | 2023-02-07T01:36:35+00:00 | CVE-2022-0494 CVE-2023-0494 | 7.00 | 7.12 |
pesign | pesign: Local privilege escalation on pesign systemd service | 2023-01-27T20:44:55+00:00 | 2023-02-03T20:44:55+00:00 | 2023-01-31T15:59:19+00:00 | CVE-2022-3560 | 7.00 | 3.79 |
OpenSSL | Embargoed OpenSSL security issues | 2023-01-25T12:02:01+00:00 | 2023-02-07T00:00:00+00:00 | 2023-02-07T19:28:51+00:00 | CVE-2022-4203 CVE-2022-4304 CVE-2022-4450 CVE-2023-0215 CVE-2023-0216 CVE-2023-0217 CVE-2023-0286 CVE-2023-0401 | 12.46 | 13.29 |
| … | 2023-01-24T11:58:47+00:00 | 2023-01-31T11:58:47+00:00 | 2023-01-25T17:05:43+00:00 | CVE-2022-3094 CVE-2022-3736 CVE-2022-3924 | 7.00 | 1.21 |
OpenStack | Re: Vulnerability in OpenStack Cinder, Glance, Nova (CVE-2022-47951) | 2023-01-17T21:53:09+00:00 | 2023-01-24T21:53:09+00:00 | 2023-01-24T16:08:18+00:00 | CVE-2022-47951 | 7.00 | 6.75 |
Linux | null pointer dereference in Linux kernel | 2023-01-15T05:12:43+00:00 | 2023-01-22T05:12:43+00:00 | 2023-01-18T20:26:46+00:00 | CVE-2023-0394 | 7.00 | 3.62 |
PowerDNS | Re: PowerDNS pre-notification: EMBARGO: PowerDNS Security Advisory 2023-01: PowerDNS Recursor 4.8.0 unbounded recursion results in program termination | 2023-01-13T11:17:46+00:00 | 2023-01-20T11:17:46+00:00 | 2023-01-20T12:19:43+00:00 | CVE-2023-22617 | 7.00 | 7.04 |
libXpm | Re: Embargoed X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15 | 2023-01-12T23:41:22+00:00 | 2023-01-19T23:41:22+00:00 | 2023-01-17T16:47:45+00:00 | CVE-2022-4883 | 7.00 | 4.71 |
| … | 2023-01-12T14:17:07+00:00 | 2023-01-19T14:17:07+00:00 | 2023-01-19T00:33:43+00:00 | CVE-2023-22809 | 7.00 | 6.42 |
Linux | Netfilter vulnerability disclosure | 2023-01-11T01:26:17+00:00 | 2023-01-18T01:26:17+00:00 | 2023-01-13T15:22:47+00:00 | CVE-2022-1015 CVE-2023-0179 | 7.00 | 2.54 |
OpenStack | Re: Vulnerability in OpenStack Swift (CVE-2022-47950) | 2023-01-11T00:35:00+00:00 | 2023-01-18T00:35:00+00:00 | 2023-01-17T16:01:11+00:00 | CVE-2022-47950 | 7.00 | 6.62 |
Git | Upcoming Git security fix release | 2023-01-10T23:08:02+00:00 | 2023-01-17T23:08:02+00:00 | 2023-01-17T18:06:10+00:00 | CVE-2022-23521 CVE-2022-41903 | 7.00 | 6.75 |
libXpm | Embargoed X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15 | 2023-01-10T18:12:18+00:00 | 2023-01-17T18:12:18+00:00 | 2023-01-17T16:47:45+00:00 | CVE-2022-44617 CVE-2022-46285 CVE-2022-4883 | 7.00 | 6.92 |
Cargo | Re: CVE-2022-46176: Cargo does not check SSH host keys | 2023-01-05T16:48:13+00:00 | 2023-01-12T16:48:13+00:00 | 2023-01-10T16:45:06+00:00 | CVE-2022-46176 | 7.00 | 4.96 |