mailing-lists:distros:stats:2023 [2023/11/03 01:18]
solar add March 2023
mailing-lists:distros:stats:2023 [2023/12/28 20:30] (current)
solar add December 2023
Line 1: Line 1:
 ====== Distros list statistics and data for 2023 ====== ====== Distros list statistics and data for 2023 ======
  
-==== Statistics by month ====+===== Statistics by month =====
  
 Statistics are grouped by month of the issue being reported to the private list. Statistics are grouped by month of the issue being reported to the private list.
  
-^ Month ^ Reports ​^ Average ^ Median ^ Min ^ Max embargo days ^ +^ Month ^ All reports ^ Embargoed ​^ Average ^ Median ^ Min ^ Max embargo days ^ 
-| 2023-03 | 11 | 28.85 | 6.83 | 4.07 | 237.20 | +| 2023-01 | 16 | 16 | 43.52 | 6.78 | 1.22 | 307.22 | 
-| 2023-04 | 4 | 7.92 | 6.21 | 4.14 | 15.13 | +| 2023-02 | 14 | 11 | 29.70 | 6.93 | 5.68 | 256.01 | 
-| 2023-05 | 12 | 7.51 | 7.68 | 2.57 | 13.99 | +| 2023-03 ​| 11 | 11 | 28.85 | 6.83 | 4.07 | 237.20 | 
-| 2023-06 | 7 | 26.26 | 7.99 | 1.21 | 131.43 | +| 2023-04 | 4 | 4 | 7.92 | 6.21 | 4.14 | 15.13 | 
-| 2023-07 | 3 | 3.97 | 3.11 | 1.87 | 6.93 | +| 2023-05 ​| 12 | 12 | 7.51 | 7.68 | 2.57 | 13.99 | 
-| 2023-08 | 1 | 7.31 | 7.31 | 7.31 | 7.31 | +| 2023-06 ​| 7 | 7 | 26.26 | 7.99 | 1.21 | 131.43 | 
-| 2023-09 | 12 | 9.86 | 9.63 | 1.26 | 20.27 | +| 2023-07 ​| 3 | 3 | 3.97 | 3.11 | 1.87 | 6.93 | 
-| 2023-10 | 6 | 8.89 | 7.96 | 7.58 | 14.01 | +| 2023-08 ​| 1 | 1 | 7.31 | 7.31 | 7.31 | 7.31 | 
-| Total | 56 14.53 | 7.45 | 1.21 | 237.20 |+| 2023-09 ​| 12 | 12 | 9.86 | 9.63 | 1.26 | 20.27 | 
 +| 2023-10 ​| 6 | 6 | 8.89 | 7.96 | 7.58 | 14.01 
 +| 2023-11 | 3 | 3 | 6.94 | 8.02 | 4.78 | 8.02 | 
 +| 2023-12 | 4 | 4 | 7.16 | 7.35 | 4.04 | 9.91 
 +| Total | 93 90 | 20.96 | 7.03 | 1.21 | 307.22 |
  
-==== Input data ====+The data for January 2023 excludes continued handling of some Linux kernel issues by the same reporter, who started reporting that group of related issues in December 2022. 
 + 
 +Non-embargoed reports (issue already posted to oss-security before being brought to (linux-)distros,​ which only occurred in February 2023) are excluded from the calculation of average, median, and minimum embargo duration above. 
 + 
 +===== Formatted input data ====
 + 
 +For the statistics above, we only use the first embargo duration seen in this table, which is the delay between postings to (linux-)distros and oss-security. 
 + 
 +For some reports, there'​s a second embargo duration - that one is the delay (sometimes negative) between a first public posting elsewhere and the posting to (linux-)distros. Such first public posting often does not fully (or at all) reveal security relevance of the issue/fix, making it not-too-unreasonable to allow a little bit (more) of embargo time on the full detail, especially when that's the issue reporter'​s and/or the upstream project'​s preference.
  
 ^ Project ^ Subjects/​titles/​links ^ Time at distros (UTC) \\ ... oss-security (UTC) \\ Elsewhere (UTC) ^ Embargo days ^ Planned CRD(s) \\ (exact wording) ^ CVE(s) ^ ^ Project ^ Subjects/​titles/​links ^ Time at distros (UTC) \\ ... oss-security (UTC) \\ Elsewhere (UTC) ^ Embargo days ^ Planned CRD(s) \\ (exact wording) ^ CVE(s) ^
 +| Linux | [vs-plain] Warning in bpf_probe_read_user \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​11/​05/​5|[oss-security] Linux: BPF: issues with copy_from_user_nofault()]] \\ [[https://​lore.kernel.org/​bpf/​20230118051443.78988-1-alexei.starovoitov@gmail.com/​]] | Mon Jan 02 17:33:21 2023 \\ Sun Nov 05 22:44:05 2023 \\ Wed Jan 18 05:14:51 2023 | 307.22 \\ 15.49 | 1/9 \\ 1/12 \\ "​tomorrow or so" after June 27 |  |
 +| Cargo | [vs-plain] CVE-2022-46176:​ Cargo does not check SSH host keys \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​01/​10/​3|[oss-security] CVE-2022-46176:​ Cargo does not check SSH host keys]] | Thu Jan 05 16:48:35 2023 \\ Tue Jan 10 16:58:09 2023 | 5.01 | 2023-01-10 at 16:30 UTC | CVE-2022-46176 |
 +| libgit2 | [vs-plain] CVE-2022-46176:​ Cargo does not check SSH host keys \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​11/​05/​6|Re:​ [oss-security] CVE-2022-46176:​ Cargo does not check SSH host keys]] | Thu Jan 05 16:48:35 2023 \\ Sun Nov 05 23:08:43 2023 | 304.26 | 2023-01-10 |  |
 +| X.Org libXpm | [vs-plain] Embargoed X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15 \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​01/​17/​2|[oss-security] Fwd: X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15]] | Tue Jan 10 18:12:35 2023 \\ Tue Jan 17 16:48:05 2023 | 6.94 | January 17 | CVE-2022-46285 \\ CVE-2022-44617 \\ CVE-2022-4883 |
 +| git | [vs-plain] Upcoming Git security fix release \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​01/​17/​4|[oss-security] Git 2.39.1 and friends]] | Tue Jan 10 23:08:20 2023 \\ Tue Jan 17 18:11:20 2023 | 6.79 | 2023-JAN-17 at around 10am Pacific Time | CVE-2022-23521 \\ CVE-2022-41903 |
 +| OpenStack | [vs] Vulnerability in OpenStack Swift (CVE-2022-47950) \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​01/​17/​1|[oss-security] [OSSA-2023-001] Swift: Arbitrary file access through custom S3 XML entities (CVE-2022-47950)]] | Wed Jan 11 00:35:07 2023 \\ Tue Jan 17 16:01:28 2023 | 6.64 | 2023-01-17, 1500UTC | CVE-2022-47950 |
 +| Linux | [vs-plain] Netfilter vulnerability disclosure \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​01/​13/​2|[oss-security] CVE-2023-0179:​ Linux kernel stack buffer overflow in nftables: PoC and writeup]] \\ [[https://​groups.google.com/​g/​syzkaller/​c/​YRNDJBsJn_s]] | Wed Jan 11 01:26:07 2023 \\ Fri Jan 13 16:16:16 2023 \\ Wed Jan 11 14:13:59 2023 | 2.62 \\ 0.53 | 7-day embargo | CVE-2023-0179 |
 +| sudo | [vs] ... \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​01/​19/​1|[oss-security] CVE-2023-22809:​ Sudoedit can edit arbitrary files]] | Thu Jan 12 14:17:36 2023 \\ Thu Jan 19 07:30:23 2023 | 6.72 | Wednesday 18th January \\ 15:00 UTC | CVE-2023-22809 |
 +| PowerDNS Recursor | [vs] PowerDNS pre-notification:​ EMBARGO: PowerDNS Security Advisory 2023-01: PowerDNS Recursor 4.8.0 unbounded recursion results in program termination \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​01/​20/​1|[oss-security] Security Advisory 2023-01 for PowerDNS Recursor 4.8.0 (CVE-2023-22617)]] | Fri Jan 13 11:17:56 2023 \\ Fri Jan 20 12:34:24 2023 | 7.05 | 20th of January 2023 | CVE-2023-22617 |
 +| Linux | [vs-plain] null pointer dereference in Linux kernel \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​01/​18/​2|[oss-security] null pointer dereference in Linux kernel]] \\ [[https://​lore.kernel.org/​netdev/​Y7s%2FFofVXLwoVgWt@westworld/​]] | Sun Jan 15 05:13:23 2023 \\ Wed Jan 18 08:32:11 2023 \\ Sun Jan 08 22:09:37 2023 | 3.14 \\ -6.29 | in a week (Jan 21st) \\ Tuesday, January 17 | CVE-2023-0394 |
 +| OpenStack | [vs] Vulnerability in OpenStack Cinder, Glance, Nova (CVE-2022-47951) \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​01/​24/​2|[oss-security] [OSSA-2023-002] Cinder, Glance, Nova: Arbitrary file access through custom VMDK flat descriptor (CVE-2022-47951)]] | Tue Jan 17 21:53:18 2023 \\ Tue Jan 24 16:08:35 2023 | 6.76 | 2023-01-24, 1500UTC | CVE-2022-47951 |
 +| BIND 9 | [vs] ... \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​01/​25/​2|[oss-security] ISC has disclosed three vulnerabilities in BIND 9 (CVE-2022-3094,​ CVE-2022-3736,​ CVE-2022-3924)]] | Tue Jan 24 11:59:13 2023 \\ Wed Jan 25 17:17:31 2023 | 1.22 | 25 January 2023 | CVE-2022-3094 \\ CVE-2022-3736 \\ CVE-2022-3924 |
 +| OpenSSL | [vs-plain] Embargoed OpenSSL security issues \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​02/​07/​8|[oss-security] Fwd: OpenSSL Security Advisory]] | Wed Jan 25 12:02:11 2023 \\ Tue Feb 07 19:29:21 2023 | 13.31 | 7th February 2023 |  |
 +| pesign | [vs-plain] pesign: Local privilege escalation on pesign systemd service \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​01/​31/​6|[oss-security] pesign: Local privilege escalation on pesign systemd service]] | Fri Jan 27 20:45:41 2023 \\ Tue Jan 31 17:40:43 2023 | 3.87 | Jan 31st \\ 15 UTC | CVE-2022-3560 |
 +| X.Org Server | [vs-plain] Preview of X.Org Security Advisory for 2023-02-07 \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​02/​07/​1|[oss-security] X.Org Security Advisory: Security issue in the X server]] | Mon Jan 30 22:33:46 2023 \\ Tue Feb 07 01:37:48 2023 | 7.13 | 2023-02-07 at 01:00 UTC | CVE-2023-0494 \\ ZDI-CAN-19596 |
 +| heimdal, samba | [vs-plain] [vc] heimdal: CVE-2022-45142:​ signature validation failure \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​02/​08/​1|[oss-security] [vs] heimdal: CVE-2022-45142:​ signature validation failure]] | Tue Jan 31 13:52:38 2023 \\ Wed Feb 08 06:50:02 2023 | 7.71 | 2023-02-08 | CVE-2022-3437 |
 +| less | [vs-plain] less CVE-2022-46663 \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​02/​07/​7|[oss-security] CVE-2022-46663:​ less -R filtering bypass]] \\ [[https://​github.com/​gwsw/​less/​commit/​a78e1351113cef564d790a730d657a321624d79c]] | Wed Feb 01 06:35:37 2023 \\ Tue Feb 07 19:26:58 2023 \\ Sat Oct 08 02:25:00 2022 | 6.54 \\ -116.17 | Tuesday; 09:00 UTC, 2023-02-07 | CVE-2022-46663 |
 +| curl | [vs-plain] curl: CVE-2023-23914:​ HSTS ignored on multiple requests (1/3) \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​02/​15/​1|[oss-security] curl: CVE-2023-23914:​ HSTS ignored on multiple requests]] \\ [[https://​github.com/​curl/​curl/​pull/​10138]] | Tue Feb 07 09:36:32 2023 \\ Wed Feb 15 07:29:04 2023 \\ Thu Dec 22 15:14:00 2022 | 7.91 \\ -46.77 | Febrary 15th | CVE-2023-23914 |
 +| curl | [vs-plain] curl: CVE-2023-23915:​ HSTS amnesia with --parallel (2/3) \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​02/​15/​2|[oss-security] curl: CVE-2023-23915:​ HSTS amnesia with --parallel]] | Tue Feb 07 09:36:35 2023 \\ Wed Feb 15 07:29:08 2023 | 7.91 | Febrary 15th | CVE-2023-23915 |
 +| curl | [vs-plain] curl: CVE-2023-23916:​ HTTP multi-header compression denial of service (3/3) \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​02/​15/​3|[oss-security] curl: CVE-2023-23916:​ HTTP multi-header compression denial of service]] | Tue Feb 07 09:37:31 2023 \\ Wed Feb 15 07:29:11 2023 | 7.91 | Febrary 15th | CVE-2023-23916 |
 +| git | [vs-plain] Upcoming Git security fix release \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​02/​14/​5|[oss-security] [Announce] Git 2.39.2 and friends]] | Tue Feb 07 16:47:06 2023 \\ Tue Feb 14 18:09:06 2023 | 7.06 | 2023-FEB-14 at 10am Pacific Time | CVE-2023-22490 \\ CVE-2023-23946 |
 +| Linux | [vs-plain] CVE Request \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​01/​17/​3|[oss-security] Linux Kernel: hid: type confusions on hid report_list entry]] \\ [[https://​lore.kernel.org/​all/​20230114-hid-fix-emmpty-report-list-v1-0-e4d02fad3ba5@diag.uniroma1.it/​T/​]] | Wed Feb 22 17:24:49 2023 \\ Tue Jan 17 17:13:45 2023 \\ Mon Jan 16 11:12:09 2023 | -36.01 \\ -37.26 |  | CVE-2023-1073 |
 +| Linux | [vs-plain] CVE Request \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​01/​18/​3|[oss-security] Linux Kernel: hid: NULL pointer dereference in hid_betopff_play()]] \\ [[https://​git.kernel.org/​pub/​scm/​linux/​kernel/​git/​next/​linux-next.git/​commit/?​id=3782c0d6edf658b71354a64d60aa7a296188fc90]] | Wed Feb 22 17:24:49 2023 \\ Wed Jan 18 16:18:17 2023 \\ Wed Jan 18 15:34:35 2023 | -35.05 \\ -35.08 |  | CVE-2023-1073 |
 +| Linux | [vs-plain] CVE Request \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​01/​23/​1|[oss-security] Linux Kernel: sctp: KASLR leak in inet_diag_msg_sctpasoc_fill()]] \\ [[https://​lore.kernel.org/​linux-sctp/​9fcd182f1099f86c6661f3717f63712ddd1c676c.1674496737.git.marcelo.leitner%40gmail.com/​T/​]] | Wed Feb 22 17:24:49 2023 \\ Mon Jan 23 18:55:36 2023 \\ Mon Jan 23 18:00:06 2023 | -29.94 \\ -29.98 |  | CVE-2023-1074 |
 +| Linux | [vs-plain] CVE Request \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​03/​01/​6|[oss-security] CVE-2023-1075 - Linux Kernel: Type Confusion in tls_is_tx_ready()]] \\ [[https://​git.kernel.org/​pub/​scm/​linux/​kernel/​git/​next/​linux-next.git/​commit/?​id=ffe2a22562444720b05bdfeb999c03e810d84cbb]] | Wed Feb 22 17:24:49 2023 \\ Wed Mar 01 15:48:25 2023 \\ Tue Jan 31 05:06:08 2023 | 6.93 \\ -22.51 |  | CVE-2023-1075 |
 +| Linux | [vs-plain] CVE Request \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​03/​01/​5|[oss-security] CVE-2023-1076:​ Linux Kernel: Type Confusion hardcodes tuntap socket UID to root]] \\ [[https://​git.kernel.org/​pub/​scm/​linux/​kernel/​git/​next/​linux-next.git/​commit/?​id=66b2c338adce580dfce2199591e65e2bab889cff]] | Wed Feb 22 17:24:49 2023 \\ Wed Mar 01 15:48:17 2023 \\ Mon Feb 06 10:16:55 2023 | 6.93 \\ -16.30 |  | CVE-2023-1076 |
 +| Linux | [vs-plain] CVE Request \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​03/​01/​7|[oss-security] CVE-2023-1077:​ Linux kernel: Type confusion in pick_next_rt_entity()]] \\ [[https://​git.kernel.org/​pub/​scm/​linux/​kernel/​git/​next/​linux-next.git/​commit/?​id=7c4a5b89a0b5a57a64b601775b296abf77a9fe97]] | Wed Feb 22 17:24:49 2023 \\ Wed Mar 01 15:48:27 2023 \\ Sat Feb 11 10:18:10 2023 | 6.93 \\ -11.30 |  | CVE-2023-1077 |
 +| Linux | [vs-plain] CVE Request \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​11/​05/​1|[oss-security] CVE-2023-1078:​ Linux: rds_rm_zerocopy_callback() bugs]] \\ [[https://​git.kernel.org/​pub/​scm/​linux/​kernel/​git/​next/​linux-next.git/​commit/?​id=f753a68980cf4b59a80fe677619da2b1804f526d]] | Wed Feb 22 17:24:49 2023 \\ Sun Nov 05 17:32:17 2023 \\ Thu Feb 09 09:37:26 2023 | 256.01 \\ -13.32 |  | CVE-2023-1078 |
 +| Linux | [vs-plain] CVE Request \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​03/​01/​4|[oss-security] CVE-2023-1079:​ Linux Kernel: Use-After-Free in asus_kbd_backlight_set()]] \\ [[https://​git.kernel.org/​pub/​scm/​linux/​kernel/​git/​next/​linux-next.git/​commit/?​id=4ab3a086d10eeec1424f2e8a968827a6336203df]] | Wed Feb 22 17:24:49 2023 \\ Wed Mar 01 15:48:11 2023 \\ Wed Feb 15 17:20:56 2023 | 6.93 \\ -7.00 |  | CVE-2023-1079 |
 +| sudo | [vs] sudo: double free with per-command chroot sudoers rules \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​02/​28/​1|[oss-security] sudo: double free with per-command chroot sudoers rules]] \\ [[https://​www.sudo.ws/​pipermail/​sudo-announce/​2023-February/​000206.html]] | Wed Feb 22 22:12:30 2023 \\ Tue Feb 28 14:33:57 2023 \\ Mon Feb 27 16:16:34 2023 | 5.68 \\ 4.75 | maybe Monday next week |  |
 | Linux | [vs-plain] A double free vulnerability was found in the hci_conn_cleanup function of the Bluetooth subsystem \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​03/​28/​2|[oss-security] CVE-2023-28464:​ Linux: Bluetooth: hci_conn_cleanup function has double free]] \\ [[https://​lore.kernel.org/​lkml/​20230309074645.74309-1-wzhmmmmm@gmail.com/​]] | Wed Mar 08 10:06:04 2023 \\ Tue Mar 28 11:18:01 2023 \\ Thu Mar 09 07:49:39 2023 | 20.05 \\ 0.91 | March 28 \\ 2023-03-28T10:​05:​42+00:​00 | CVE-2023-28464 | | Linux | [vs-plain] A double free vulnerability was found in the hci_conn_cleanup function of the Bluetooth subsystem \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​03/​28/​2|[oss-security] CVE-2023-28464:​ Linux: Bluetooth: hci_conn_cleanup function has double free]] \\ [[https://​lore.kernel.org/​lkml/​20230309074645.74309-1-wzhmmmmm@gmail.com/​]] | Wed Mar 08 10:06:04 2023 \\ Tue Mar 28 11:18:01 2023 \\ Thu Mar 09 07:49:39 2023 | 20.05 \\ 0.91 | March 28 \\ 2023-03-28T10:​05:​42+00:​00 | CVE-2023-28464 |
 | Linux | [vs-plain] Reporting a USB-accessible slab-out-of-bounds read in brcmfmac \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​03/​13/​1|[oss-security] A USB-accessible slab-out-of-bounds read in Linux kernel driver]] \\ [[https://​lore.kernel.org/​linux-wireless/​20230309104457.22628-1-jisoo.jang@yonsei.ac.kr/​]] | Thu Mar 09 11:24:15 2023 \\ Mon Mar 13 13:03:07 2023 \\ Thu Mar 09 10:45:59 2023 | 4.07 \\ -0.03 |  | CVE-2023-1380 | | Linux | [vs-plain] Reporting a USB-accessible slab-out-of-bounds read in brcmfmac \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​03/​13/​1|[oss-security] A USB-accessible slab-out-of-bounds read in Linux kernel driver]] \\ [[https://​lore.kernel.org/​linux-wireless/​20230309104457.22628-1-jisoo.jang@yonsei.ac.kr/​]] | Thu Mar 09 11:24:15 2023 \\ Mon Mar 13 13:03:07 2023 \\ Thu Mar 09 10:45:59 2023 | 4.07 \\ -0.03 |  | CVE-2023-1380 |
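Review bot: the new Total row `| Total | 93 90 | 20.96 | 7.03 | 1.21 | 307.22 |` is missing the cell separator between the All reports and Embargoed counts, so "93 90" lands in one cell and the row comes out one column short (the old version had the same defect in `| Total | 56 14.53 |`); write it as `| Total | 93 | 90 | 20.96 | 7.03 | 1.21 | 307.22 |`. Two smaller layout points in the same hunk: the 2023-10 and 2023-12 rows lack their closing `|`, and the new heading `===== Formatted input data ====` has five `=` on the left but four on the right, while every other heading this revision touched uses five on both sides. The figures themselves are consistent with the formatted table below: 93 is the sum of the twelve monthly counts, and February's 11 embargoed out of 14 matches the three Linux "CVE Request" rows whose first embargo duration is negative.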
Line 75: Line 117:
 | open-vm-tools | [vs-plain] SAML Bypass in VMware Tools CVE-2023-34058 \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​10/​27/​1|[oss-security] CVE-2023-34058 - SAML Token Signature Bypass in open-vm-tools]] | Thu Oct 19 18:43:23 2023 \\ Fri Oct 27 08:36:14 2023 | 7.58 | October 26th, 2023 | CVE-2023-34058 | | open-vm-tools | [vs-plain] SAML Bypass in VMware Tools CVE-2023-34058 \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​10/​27/​1|[oss-security] CVE-2023-34058 - SAML Token Signature Bypass in open-vm-tools]] | Thu Oct 19 18:43:23 2023 \\ Fri Oct 27 08:36:14 2023 | 7.58 | October 26th, 2023 | CVE-2023-34058 |
 | open-vm-tools | [vs-plain] file descriptor hijack in VMware Tools CVE-2023-34059 \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​10/​27/​2|[oss-security] CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools]] | Thu Oct 19 18:43:46 2023 \\ Fri Oct 27 08:36:17 2023 | 7.58 | October 26th, 2023 | CVE-2023-34059 | | open-vm-tools | [vs-plain] file descriptor hijack in VMware Tools CVE-2023-34059 \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​10/​27/​2|[oss-security] CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools]] | Thu Oct 19 18:43:46 2023 \\ Fri Oct 27 08:36:17 2023 | 7.58 | October 26th, 2023 | CVE-2023-34059 |
 +| Intel CPUs | [vs] ... \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​11/​14/​4|[oss-security] CVE-2023-23583:​ Intel - Denial of Service - Privilege Escalation (Reptar)]] | Thu Nov 09 23:51:52 2023 \\ Tue Nov 14 18:36:44 2023 | 4.78 | November 14th, 10 am Pacific Time | CVE-2023-23583 |
 +| curl | [vs-plain] : curl pre-notification:​ CVE-2023-46218 (1/2) \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​12/​06/​1|[oss-security] [SECURITY ADVISORY] curl: cookie mixed case PSL bypass]] \\ [[https://​github.com/​curl/​curl/​pull/​12387]] | Tue Nov 28 07:04:22 2023 \\ Wed Dec 06 07:29:18 2023 \\ Thu Nov 23 07:16:00 2023 | 8.02 \\ -4.99 | 07:00 UTC on December 6 | CVE-2023-46218 |
 +| curl | [vs-plain] : curl pre-notification:​ CVE-2023-46219 (2/2) \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​12/​06/​2|[oss-security] [SECURITY ADVISORY] curl: HSTS long file name clears contents]] \\ [[https://​github.com/​curl/​curl/​pull/​12388]] | Tue Nov 28 07:04:40 2023 \\ Wed Dec 06 07:29:58 2023 \\ Thu Nov 23 07:24:00 2023 | 8.02 \\ -4.99 | 07:00 UTC on December 6 | CVE-2023-46219 |
 +| X.Org X server and Xwayland | [vs-plain] Embargoed X.Org Security Advisory: Issues in X server and Xwayland \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​12/​13/​1|[oss-security] FW: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.10 and Xwayland prior to 23.2.3]] \\ [[https://​lists.x.org/​archives/​xorg-announce/​2023-December/​003435.html]] | Tue Dec 05 21:17:38 2023 \\ Wed Dec 13 13:03:51 2023 \\ Wed Dec 13 02:02:10 2023 | 7.66 \\ 7.20 | December 13, 2023 00:00 UTC | CVE-2023-6377 \\ CVE-2023-6478 \\ ZDI-CAN-22412 \\ ZDI-CAN-22413 \\ ZDI-CAN-22561 |
 +| SSH protocol | [vs] ... \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​12/​18/​3|[oss-security] CVE-2023-48795:​ Prefix Truncation Attacks in SSH Specification (Terrapin Attack)]] \\ [[https://​groups.google.com/​g/​golang-announce/​c/​-n5WqVC18LQ]] | Mon Dec 11 15:40:29 2023 \\ Mon Dec 18 16:47:26 2023 \\ Tue Dec 12 20:56:36 2023 | 7.05 \\ 1.22 | 18th of December 2023 15:00 UTC | CVE-2023-48795 |
 +| Debian cpio | [vs-plain] Security vulnerability in Debian'​s cpio 2.13 \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​12/​21/​8|[oss-security] Security vulnerability in Debian'​s cpio 2.13]] \\ [[https://​bugs.debian.org/​cgi-bin/​bugreport.cgi?​bug=1059163]] | Sun Dec 17 15:50:53 2023 \\ Thu Dec 21 16:50:17 2023 \\ Wed Dec 20 19:03:02 2023 | 4.04 \\ 3.13 | 2023-12-27 |  |
 +| xarchiver | [vs-plain] xarchiver: Path traversal with crafted cpio archives \\ [[https://​www.openwall.com/​lists/​oss-security/​2023/​12/​27/​1|[oss-security] xarchiver: Path traversal with crafted cpio archives]] | Sun Dec 17 15:50:53 2023 \\ Wed Dec 27 13:42:05 2023 | 9.91 | 2023-12-27 |  |
  
-==== Extra data for prior months not included in statistics ​====+===== Source input data =====
  
-The data here is unfortunately incomplete ​and unreliable, resulting ​from automated processing of input that wasn't meant to be fully machine-readable.+These files were manually created based on review of the e-mail threads ​and external resources referenced ​from there. They were processed with {{stats-process.txt|this Perl script}} ​to produce the tables above. You should ​be able to reproduce that.
  
-^Project^Subject^Reported^Coordinated Release Date^Time of oss-security posting^CVE(s)^Days embargoed (scheduled)^Days embargoed (oss-security)^ +  ​* {{stats-202301.txt}} 
-  ​February ​  ​^^^^^^^^ +  * {{stats-202302.txt}} 
-| |less CVE-2022-46663|2023-02-01T06:​55:​51+00:​00|2023-02-08T06:​55:​51+00:​00|[[https://​marc.info/?​i=CAP9KPhB7PqqFt%3DOf8%2B6CKiaV%3D%2Bp%3DWwYOjG3QF3TEBDDop1125g%40mail.gmail.com|2023-02-07T18:​49:​47+00:​00]]|[[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-46663|CVE-2022-46663]]|7.00|6.46| +  * {{stats-202303.txt}} 
-^   ​January ​  ​^^^^^^^^ +  * {{stats-202304.txt}} 
-| |Preview of X.Org Security Advisory for 2023-02-07|2023-01-30T22:​33:​32+00:​00|2023-02-06T22:​33:​32+00:​00|[[https://​marc.info/?​i=9afca616-11f3-ac36-4d5f-918487e1a756%40redhat.com|2023-02-07T01:​36:​35+00:​00]]|[[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-0494|CVE-2022-0494]]\\ [[https://​nvd.nist.gov/​vuln/​detail/​CVE-2023-0494|CVE-2023-0494]]|7.00|7.12| +  * {{stats-202305.txt}} 
-| |pesign: Local privilege escalation on pesign systemd service|2023-01-27T20:​44:​55+00:​00|2023-02-03T20:​44:​55+00:​00|[[https://​marc.info/?​i=CAOGQQ29pYOHP2puP-nAzO%2BQnbc-OouwnVFpQVY_%3DOvVo12%3DMkw%40mail.gmail.com|2023-01-31T15:​59:​19+00:​00]]|[[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-3560|CVE-2022-3560]]|7.00|3.79| +  * {{stats-202306.txt}} 
-| |Embargoed OpenSSL security issues|2023-01-25T12:​02:​01+00:​00|2023-02-07T00:​00:​00+00:​00|[[https://​marc.info/?​i=CAPCCXc9UR7FmvkEvyy2_H%3Dh4Y8cSMtJC7i8FsypBQye_FXp5GA%40mail.gmail.com|2023-02-07T19:​28:​51+00:​00]]|[[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-4203|CVE-2022-4203]]\\ [[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-4304|CVE-2022-4304]]\\ [[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-4450|CVE-2022-4450]]\\ [[https://​nvd.nist.gov/​vuln/​detail/​CVE-2023-0215|CVE-2023-0215]]\\ [[https://​nvd.nist.gov/​vuln/​detail/​CVE-2023-0216|CVE-2023-0216]]\\ [[https://​nvd.nist.gov/​vuln/​detail/​CVE-2023-0217|CVE-2023-0217]]\\ [[https://​nvd.nist.gov/​vuln/​detail/​CVE-2023-0286|CVE-2023-0286]]\\ [[https://​nvd.nist.gov/​vuln/​detail/​CVE-2023-0401|CVE-2023-0401]]|12.46|13.29| +  * {{stats-202307.txt}} 
-| |...|2023-01-24T11:​58:​47+00:​00|2023-01-31T11:​58:​47+00:​00|[[https://​marc.info/?​i=Y9FhZ0vKzTx4WTCH%40larwa.hq.kempniu.pl|2023-01-25T17:​05:​43+00:​00]]|[[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-3094|CVE-2022-3094]]\\ [[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-3736|CVE-2022-3736]]\\ [[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-3924|CVE-2022-3924]]|7.00|1.21| +  * {{stats-202308.txt}} 
-| |Re: Vulnerability in OpenStack Cinder, Glance, Nova (CVE-2022-47951)|2023-01-17T21:​53:​09+00:​00|2023-01-24T21:​53:​09+00:​00|[[https://​marc.info/?​i=20230124160818.wlaspet7jsmths2p%40yuggoth.org|2023-01-24T16:​08:​18+00:​00]]|[[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-47951|CVE-2022-47951]]|7.00|6.75| +  * {{stats-202309.txt}} 
-| |null pointer dereference in Linux kernel|2023-01-15T05:​12:​43+00:​00|2023-01-22T05:​12:​43+00:​00|[[https://​marc.info/?​i=CADW8OBuhuCTq-MvcFuAxOc6pWrkmOd-mwV9yasNRfbnD9s85-g%40mail.gmail.com|2023-01-18T20:​26:​46+00:​00]]|[[https://​nvd.nist.gov/​vuln/​detail/​CVE-2023-0394|CVE-2023-0394]]|7.00|3.62| +  * {{stats-202310.txt}} 
-| |Re: PowerDNS pre-notification:​ EMBARGO: PowerDNS Security Advisory 2023-01: PowerDNS Recursor 4.8.0 unbounded recursion results in program termination|2023-01-13T11:​17:​46+00:​00|2023-01-20T11:​17:​46+00:​00|[[https://​marc.info/?​i=1295588158.7348.1674217183817%40appsuite-guard.open-xchange.com|2023-01-20T12:​19:​43+00:​00]]|[[https://​nvd.nist.gov/​vuln/​detail/​CVE-2023-22617|CVE-2023-22617]]|7.00|7.04| +  * {{stats-202311.txt}} 
-| |Re: Embargoed X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15|2023-01-12T23:​41:​22+00:​00|2023-01-19T23:​41:​22+00:​00|[[https://​marc.info/?​i=7b3fdf01-8189-567d-bf15-ba8478eaba79%40oracle.com|2023-01-17T16:​47:​45+00:​00]]|[[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-4883|CVE-2022-4883]]|7.00|4.71| +  * {{stats-202312.txt}}
-| |...|2023-01-12T14:​17:​07+00:​00|2023-01-19T14:​17:​07+00:​00|[[https://​marc.info/?​i=CAE-GootkXskaRKTmdPg1KsL3cm2oPq8DtL14MoupwX_CaVDeXw%40mail.gmail.com|2023-01-19T00:​33:​43+00:​00]]|[[https://​nvd.nist.gov/​vuln/​detail/​CVE-2023-22809|CVE-2023-22809]]|7.00|6.42| +
-| |Netfilter vulnerability disclosure|2023-01-11T01:​26:​17+00:​00|2023-01-18T01:​26:​17+00:​00|[[https://​marc.info/?​i=CAHH-0UfWddrL_x9n1eG1oJ6iurew7D6Yb%3Dz%3D068BfV7uJGSRGw%40mail.gmail.com|2023-01-13T15:​22:​47+00:​00]]|[[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-1015|CVE-2022-1015]]\\ [[https://​nvd.nist.gov/​vuln/​detail/​CVE-2023-0179|CVE-2023-0179]]|7.00|2.54| +
-| |Re: Vulnerability in OpenStack Swift (CVE-2022-47950)|2023-01-11T00:​35:​00+00:​00|2023-01-18T00:​35:​00+00:​00|[[https://​marc.info/?​i=20230117160111.htaewnl2wmuqlgq7%40yuggoth.org|2023-01-17T16:​01:​11+00:​00]]|[[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-47950|CVE-2022-47950]]|7.00|6.62| +
-| |Upcoming Git security fix release|2023-01-10T23:​08:​02+00:​00|2023-01-17T23:​08:​02+00:​00|[[https://​marc.info/?​i=xmqqfscit2ct.fsf%40gitster.g|2023-01-17T18:​06:​10+00:​00]]|[[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-23521|CVE-2022-23521]]\\ [[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-41903|CVE-2022-41903]]|7.00|6.75| +
-| |Embargoed X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15|2023-01-10T18:​12:​18+00:​00|2023-01-17T18:​12:​18+00:​00|[[https://​marc.info/?​i=7b3fdf01-8189-567d-bf15-ba8478eaba79%40oracle.com|2023-01-17T16:​47:​45+00:​00]]|[[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-44617|CVE-2022-44617]]\\ [[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-46285|CVE-2022-46285]]\\ [[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-4883|CVE-2022-4883]]|7.00|6.92| +
-| |Re: CVE-2022-46176:​ Cargo does not check SSH host keys|2023-01-05T16:​48:​13+00:​00|2023-01-12T16:​48:​13+00:​00|[[https://​marc.info/?​i=0c602545-dfad-4d49-beaa-b5094b343af8%40app.fastmail.com|2023-01-10T16:​45:​06+00:​00]]|[[https://​nvd.nist.gov/​vuln/​detail/​CVE-2022-46176|CVE-2022-46176]]|7.00|4.96|+
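Review bot: the new Source input data section says the monthly stats-*.txt files "were processed with this Perl script to produce the tables above" and that readers "should be able to reproduce that", but it gives neither the invocation nor the record format of those files; one line stating which files are passed, in what order, and whether the exclusion of non-embargoed reports is done by the script or by hand would make the reproduction claim checkable. Two smaller points in the added rows: the two curl subjects read `[vs-plain] : curl pre-notification: ...` with a stray `: ` right after the tag, which should be dropped unless it is literally part of the original subject line; and the December summary row is consistent with the four December rows added here (7.66, 7.05, 4.04 and 9.91 give min 4.04 and max 9.91), as is the November row with its three entries (4.78, 8.02, 8.02).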
mailing-lists/distros/stats/2023.1698970735.txt · Last modified: 2023/11/03 01:18 by solar
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported