Statistics are grouped by month of the issue being reported to the private list.
Month | All reports | Embargoed | Average embargo (days) | Median (days) | Min (days) | Max (days) |
---|---|---|---|---|---|---|
2024-01 | 9 | 9 | 9.18 | 8.79 | 1.09 | 14.12 |
2024-02 | 6 | 6 | 2.13 | 1.33 | 0.77 | 6.96 |
2024-03 | 9 | 9 | 7.23 | 7.97 | 1.15 | 12.53 |
2024-04 | 4 | 3 | 7.83 | 7.45 | 2.03 | 14.00 |
2024-05 | 3 | 3 | 4.05 | 5.05 | 1.07 | 6.04 |
2024-06 | 6 | 6 | 7.84 | 9.31 | 1.53 | 12.49 |
2024-07 | 5 | 5 | 5.08 | 6.84 | 0.90 | 8.37 |
2024-08 | 2 | 2 | 11.15 | 11.15 | 7.93 | 14.37 |
2024-09 | 5 | 5 | 6.22 | 7.20 | 0.44 | 9.15 |
2024-10 | 3 | 3 | 6.97 | 7.37 | 5.63 | 7.90 |
Total | 52 | 51 | 6.72 | 7.20 | 0.44 | 14.37 |
Non-embargoed reports (where the issue had already been posted to oss-security before being brought to (linux-)distros, which in 2024 so far occurred only once) are excluded from the average, median, and minimum embargo durations above; they show up in the table below with a negative embargo duration.
For the statistics above, we only use the first embargo duration shown in the table below, which is the delay between the posting to (linux-)distros and the posting to oss-security.
For some reports, the table also shows a second embargo duration: the delay (sometimes negative) between a first public posting elsewhere and the posting to (linux-)distros. Such a first public posting often does not fully (or at all) reveal the security relevance of the issue or fix, which makes it not unreasonable to allow a little (more) embargo time for the full details, especially when that is the issue reporter's and/or the upstream project's preference.
Project | Subjects/titles/links | Times (UTC): at distros, at oss-security, elsewhere (if there was an earlier public posting) | Embargo days (distros to oss-security; elsewhere to distros, if any) | Planned CRD(s) (exact wording) | CVE(s) |
---|---|---|---|---|---|
Mock | [vs-plain] Mock: Privilege escalation for users that can access mock configuration [oss-security] CVE-2023-6395 Mock: Privilege escalation for users that can access mock configuration | Mon Jan 08 20:42:02 2024 Tue Jan 16 14:37:14 2024 | 7.75 | January 16th 2024 at 1 PM UTC | CVE-2023-6395 |
Mock, Snap | Re: [vs-plain] Mock: Privilege escalation for users that can access mock configuration [oss-security] Mock, Snap, LXC expose(d) chroot, container trees with unsafe permissions and contents to host users, pose risk to host | Mon Jan 08 21:24:02 2024 Tue Jan 16 20:35:56 2024 | 7.97 | January 16 | |
X.Org X server and Xwayland | [vs-plain] Embargoed X.Org Security Advisory: Issues in X server and Xwayland [oss-security] Fwd: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.11 and Xwayland prior to 23.2.4 https://lists.x.org/archives/xorg-announce/2024-January/003444.html | Tue Jan 09 07:12:50 2024 Thu Jan 18 09:21:40 2024 Tue Jan 16 14:24:36 2024 | 9.09 7.30 | January 16, 2024 00:00 UTC | CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 CVE-2024-0409 CVE-2024-0408 |
Linux PAM pam_namespace | [vs] encrypted subject [oss-security] pam: pam_namespace misses O_DIRECTORY flag in `protect_dir()` (CVE-2024-22365) https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0 | Tue Jan 09 14:49:28 2024 Thu Jan 18 09:48:33 2024 Wed Jan 17 15:17:00 2024 | 8.79 8.02 | 2024-01-17 | CVE-2024-22365 |
glibc | [vs] CVE-2023-6246, CVE-2023-6779, CVE-2023-6780 [oss-security] CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog() | Tue Jan 16 15:39:22 2024 Tue Jan 30 18:29:25 2024 | 14.12 | Tuesday, January 30, 2024, 18:00 UTC | CVE-2023-6246 CVE-2023-6779 CVE-2023-6780 |
glibc | [vs] Second advisory [oss-security] Out-of-bounds read & write in the glibc's qsort() | Tue Jan 16 16:02:18 2024 Tue Jan 30 18:37:31 2024 | 14.11 | Tuesday, January 30, 2024, 18:00 UTC | |
coreutils | [vs] … [oss-security] GNU coreutils v9.4; v9.3; v9.2 split heap buffer overflow vulnerability https://github.com/coreutils/coreutils/commit/c4c5ed8f4e9cd55a12966d4f520e3a13101637d9 | Wed Jan 17 07:18:25 2024 Thu Jan 18 09:22:16 2024 Wed Jan 17 20:19:00 2024 | 1.09 0.54 | | CVE-2024-0684 |
curl | [vs-plain] : curl pre-notification: CVE-2024-0853: OCSP verification bypass with TLS session reuse [oss-security] [SECURITY ADVISORY] curl: CVE-2024-0853 : OCSP verification bypass with TLS session reuse https://github.com/curl/curl/commit/c28e9478cb2548848ec | Wed Jan 24 09:26:59 2024 Wed Jan 31 07:10:04 2024 Tue Jan 23 07:26:00 2024 | 6.90 -1.08 | January 31 2024 around 07:00 UTC | CVE-2024-0853 |
grub2-set-bootflag | [vs] grub-set-bootflag [oss-security] CVE-2024-1048: grub2-set-bootflag may be abused to fill up /boot, bypass RLIMIT_NPROC | Wed Jan 24 22:07:37 2024 Tue Feb 06 17:01:28 2024 | 12.79 | January 31 Feb 6th | CVE-2024-1048 |
Open vSwitch | [vs-plain] [ADVISORY] CVE-2023-3966: Open vSwitch: Invalid memory access in Geneve with HW offload. [oss-security] [ADVISORY] CVE-2023-3966: Open vSwitch: Invalid memory access in Geneve with HW offload. | Thu Feb 01 21:07:08 2024 Thu Feb 08 20:13:41 2024 | 6.96 | 08-Feb-2024 | CVE-2023-3966 |
Unbound | [vs] … [oss-security] Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities | Mon Feb 12 08:50:19 2024 Tue Feb 13 14:23:55 2024 | 1.23 | “not before 12:00 UTC” on 13 February 2024 | CVE-2023-50387 CVE-2023-50868 |
PowerDNS Recursor | [vs-plain] PowerDNS pre-notification: EMBARGO: PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor Re: [oss-security] Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities https://github.com/PowerDNS/pdns/pull/13781 | Mon Feb 12 11:31:30 2024 Tue Feb 13 21:49:40 2024 Tue Feb 13 12:01:00 2024 | 1.43 1.02 | 13th of February 2024 | CVE-2023-50387 CVE-2023-50868 |
BIND 9 | [vs] … [oss-security] ISC has disclosed six vulnerabilities in BIND 9 (CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50387, CVE-2023-50868) | Mon Feb 12 15:34:41 2024 Tue Feb 13 14:23:37 2024 | 0.95 | 13 February 2024 | CVE-2023-4408 CVE-2023-5517 CVE-2023-5679 CVE-2023-6516 CVE-2023-50387 CVE-2023-50868 |
EDK2 based Virtual Machine firmware | [vs-plain] Secure Boot bypass in EDK2 based Virtual Machine firmware [oss-security] Secure Boot bypass in EDK2 based Virtual Machine firmware | Tue Feb 13 03:44:41 2024 Wed Feb 14 14:48:15 2024 | 1.46 | February 14th 2024 at 13:00 UTC+0 | CVE-2023-48733 CVE-2023-49721 |
c-ares | [vs-plain] c-ares security vuln [oss-security] c-ares CVE-2024-25629 | Thu Feb 22 18:12:49 2024 Fri Feb 23 12:40:51 2024 | 0.77 | 2/23/2024 | CVE-2024-25629 |
Open Virtual Network | [vs-plain] [ADVISORY] CVE-2024-2182: Open Virtual Network: Insufficient validation of incoming BFD packets. [oss-security] [ADVISORY] CVE-2024-2182: Open Virtual Network: Insufficient validation of incoming BFD packets. | Tue Mar 05 16:01:37 2024 Tue Mar 12 14:13:02 2024 | 6.92 | 12-Mar-2024 | CVE-2024-2182 |
curl | [vs-plain] : curl pre-notification: CVE-2024-2004: Usage of disabled protocol [oss-security] [SECURITY ADVISORY] curl: CVE-2024-2004: Usage of disabled protocol | Tue Mar 19 07:38:44 2024 Wed Mar 27 06:53:23 2024 | 7.97 | March 27 | CVE-2024-2004 |
curl | [vs-plain] : curl pre-notification: CVE-2024-2379: QUIC certificate check bypass with wolfSSL [oss-security] [SECURITY ADVISORY] curl: CVE-2024-2379: QUIC certificate check bypass with wolfSSL | Tue Mar 19 07:38:49 2024 Wed Mar 27 06:53:29 2024 | 7.97 | March 27 | CVE-2024-2379 |
curl | [vs-plain] : curl pre-notification: CVE-2024-2398: HTTP/2 push headers memory-leak [oss-security] [SECURITY ADVISORY] curl: CVE-2024-2398: HTTP/2 push headers memory-leak | Tue Mar 19 07:38:56 2024 Wed Mar 27 06:53:34 2024 | 7.97 | March 27 | CVE-2024-2398 |
curl | [vs-plain] : curl pre-notification: CVE-2024-2466: TLS certificate check bypass with mbedTLS [oss-security] [SECURITY ADVISORY] curl: CVE-2024-2466: TLS certificate check bypass with mbedTLS | Tue Mar 19 07:39:03 2024 Wed Mar 27 06:53:36 2024 | 7.97 | March 27 | CVE-2024-2466 |
util-linux | [vs-plain] ANSI Escape sequence injection in wall (CVE-2024-28085) [oss-security] CVE-2024-28085: Escape sequence injection in util-linux wall | Wed Mar 20 18:40:50 2024 Wed Mar 27 15:11:25 2024 | 6.85 | March 27 | |
xz | [vs] Easter Eggs [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise | Thu Mar 28 12:23:26 2024 Fri Mar 29 16:03:34 2024 | 1.15 | tomorrow | CVE-2024-3094 |
X.Org X server, Xwayland | [vs-plain] Embargoed X.Org Security Advisory: Multiple issues in X servers [oss-security] Fwd: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762 | Fri Mar 29 01:29:54 2024 Wed Apr 03 18:47:44 2024 Tue Mar 12 20:38:02 2024 | 5.72 -16.20 | April 3, 2024 | CVE-2024-31080 CVE-2024-31081 CVE-2024-31082 CVE-2024-31083 |
Linux | [vs-plain] Skbuff null ptr derefence 0day potential LPE [oss-security] CVE-2024-1086: Linux: nf_tables: use-after-free vulnerability in the nft_verdict_init() function https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f342de4e2f33e0e39165d8639387aa6c19dff660 | Fri Mar 29 10:14:05 2024 Wed Apr 10 22:51:45 2024 Sat Jan 20 21:50:04 2024 | 12.53 -68.52 | | CVE-2024-1086 |
glibc | [vs] … [oss-security] The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence | Wed Apr 03 17:43:55 2024 Wed Apr 17 17:43:39 2024 | 14.00 | April 17th | CVE-2024-2961 |
PuTTY | [vs] CVE-2024-31497 [oss-security] CVE-2024-31497: Secret Key Recovery of NIST P-521 Private Keys Through Biased ECDSA Nonces in PuTTY Client | Mon Apr 08 08:58:06 2024 Mon Apr 15 19:43:58 2024 | 7.45 | 15.04.2024 19:00 UTC | CVE-2024-31497 |
Linux | [vs-plain] Zero day local root exploit with Ubuntu 22.04 HWE / Debian 12 and possible Fedora [oss-security] New Linux LPE via GSMIOC_SETCONF_DLCI? | Thu Apr 11 21:10:42 2024 Wed Apr 10 19:57:32 2024 | -1.05 | ||
PowerDNS | [vs-plain] PowerDNS pre-notification: EMBARGO: PowerDNS Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor [oss-security] PowerDNS Recursor Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor | Mon Apr 22 10:42:29 2024 Wed Apr 24 11:29:14 2024 | 2.03 | 24th of April 2024 We aim for 11:00 UTC | CVE-2024-25583 |
aiohttp | [vs] CVE-2024-30251 [oss-security] CVE-2024-30251: DoS in aiohttp https://github.com/aio-libs/aiohttp/pull/8280 | Wed May 01 12:35:21 2024 Thu May 02 14:09:20 2024 Mon Apr 01 13:55:00 2024 | 1.07 -29.94 | a 1 day embargo | CVE-2024-30251 |
PowerDNS DNSdist | [vs] … [oss-security] PowerDNS Security Advisory 2024-03: Transfer requests received over DoH can lead to a denial of service in DNSdist | Tue May 07 09:18:23 2024 Mon May 13 10:18:09 2024 | 6.04 | 13th of May 2024 expect to release at 10:00 UTC | CVE-2024-25581 |
Git | [vs-plain] Upcoming Git security fix release [oss-security] git: 5 vulnerabilities fixed | Thu May 09 18:29:53 2024 Tue May 14 19:34:50 2024 | 5.05 | May 14th, 2024 at 10am Pacific Time or soon thereafter | CVE-2024-32002 CVE-2024-32004 CVE-2024-32020 CVE-2024-32021 CVE-2024-32465 |
CUPS | [vs-plain] EMBARGOED CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 [oss-security] CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 | Mon Jun 03 18:44:21 2024 Tue Jun 11 14:10:50 2024 | 7.81 | June 11th 14:00 UTC | CVE-2024-35235 |
OpenSSH | [vs] Qualys Security Advisory (CRD: Monday, July 1) [oss-security] CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems | Thu Jun 20 13:27:07 2024 Mon Jul 01 08:40:29 2024 | 10.80 | Monday, July 1 Something like 08:00UTC | CVE-2024-6387 |
OpenSSH | Re: [vs] Qualys Security Advisory (CRD: Monday, July 1) Re: [oss-security] CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems | Wed Jun 26 04:32:49 2024 Mon Jul 08 16:21:30 2024 | 12.49 | Monday, July 8 | CVE-2024-6409 |
Emacs Org mode | [vs-plain] Arbitrary shell command evaluation in Org mode (GNU Emacs) [oss-security] Arbitrary shell command evaluation in Org mode (GNU Emacs) | Thu Jun 20 15:11:50 2024 Sun Jun 23 09:04:55 2024 | 2.75 | Jun 21, 4pm UTC postpone the releases to tomorrow (Saturday, Jun 22), same time (4pm UTC) | |
OpenStack | [vs] Vulnerability in OpenStack Cinder, Glance and Nova (CVE-2024-32498) [oss-security] [OSSA-2024-001] OpenStack Cinder, Glance, Nova: Arbitrary file access through custom QCOW2 external data (CVE-2024-32498) | Thu Jun 20 23:45:22 2024 Tue Jul 02 15:01:32 2024 | 11.64 | 2024-06-27, 1500UTC 15:00 UTC Tuesday 2024-07-02 | CVE-2024-32498 |
Linux | [vs-plain] stack-out-of-bounds Read in profile_pc [oss-security] Linux non-security almost non-issue: stack-out-of-bounds Read in profile_pc https://lore.kernel.org/all/CAK55_s7Xyq=nh97=K=G1sxueOFrJDAvPOJAL4TPTCAYvmxO9_A@mail.gmail.com/ | Fri Jun 28 08:05:23 2024 Sat Jun 29 20:50:28 2024 Mon Mar 25 01:17:35 2024 | 1.53 -95.28 | ||
curl | [vs-plain] : curl: CVE-2024-6197: freeing stack buffer in utf8asn1str [oss-security] [SECURITY ADVISORY] curl: CVE-2024-6197: freeing stack buffer in utf8asn1str https://github.com/curl/curl/commit/3a537a4db9e65e545 | Mon Jul 15 21:37:52 2024 Wed Jul 24 06:34:48 2024 Fri Jun 28 12:45:00 2024 | 8.37 -17.37 | July 24 | CVE-2024-6197 |
BIND 9 | [vs] Four BIND 9 vulnerabilities will be announced on 17 July 2024 [oss-security] ISC has disclosed four vulnerabilities in BIND 9 (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076) | Tue Jul 16 11:25:45 2024 Tue Jul 23 14:56:25 2024 | 7.15 | 17 July 2024 2024-07-23 (next Tuesday) | CVE-2024-0760 CVE-2024-1737 CVE-2024-1975 CVE-2024-4076 |
OpenStack Nova | [vs] Vulnerability in OpenStack Nova (CVE-2024-40767) [oss-security] [OSSA-2024-002] OpenStack Nova: Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors (CVE-2024-40767) | Tue Jul 16 18:46:20 2024 Tue Jul 23 15:00:30 2024 | 6.84 | 2024-07-23, 1500UTC | CVE-2024-40767 |
Linux | [vs] linux kernel: virtio-net host dos [oss-security] inux kernel: virtio-net host dos | Mon Jul 22 13:35:56 2024 Wed Jul 24 17:24:03 2024 | 2.16 | 2024-07-24 17:00 UTC | CVE-2024-41090 CVE-2024-41091 |
curl | [vs-plain] : curl: CVE-2024-7264: ASN.1 date parser overread [oss-security] [SECURITY ADVISORY] curl: CVE-2024-7264 ASN.1 date parser overread | Tue Jul 30 09:41:07 2024 Wed Jul 31 07:19:57 2024 | 0.90 | July 31st | CVE-2024-7264 |
OpenSSL | [vs-plain] Embargoed OpenSSL security issue [oss-security] CVE-2024-6119: OpenSSL: Possible denial of service in X.509 name checks | Tue Aug 20 07:18:05 2024 Tue Sep 03 16:15:38 2024 | 14.37 | 3rd September 2024 | CVE-2024-6119 |
OpenStack Ironic | [vs] Vulnerability in OpenStack Ironic (CVE-2024-44082) [oss-security] [OSSA-2024-003] OpenStack Ironic: Unvalidated image data passed to qemu-img (CVE-2024-44082) | Tue Aug 27 19:10:17 2024 Wed Sep 04 17:30:24 2024 | 7.93 | Wednesday, 2024-09-04, 1600UTC | CVE-2024-44082 |
Linux | [vs-plain] Bug report: Memory leak in opal_event_init [oss-security] Linux kernel: memory leak in arch/powerpc/platforms/powernv/opal-irqchip.c: opal_event_init() | Mon Sep 02 02:16:48 2024 Mon Sep 02 12:53:53 2024 | 0.44 | ||
curl | [vs-plain] : curl prenotify CVE-2024-8096: OCSP stapling bypass [oss-security] [SECURITY ADVISORY] curl: CVE-2024-8096: OCSP stapling bypass with GnuTLS https://github.com/curl/curl/commit/aeb1a281cab13c7ba | Tue Sep 03 07:09:01 2024 Wed Sep 11 05:47:44 2024 Thu Aug 22 09:11:00 2024 | 7.94 -11.92 | September 11 | CVE-2024-8096 |
OpenStack Ironic | [vs] … [oss-security] OSSA-2024-004 / CVE-2024-47211: OpenStack Ironic <26.1.1 fails to verify checksums of supplied image_source URLs when configured to convert images to raw for streaming | Thu Sep 26 16:39:33 2024 Sat Oct 05 20:14:57 2024 | 9.15 | 2024-10-03, 1500UTC | CVE-2024-47211 |
PowerDNS | [vs-plain] PowerDNS Security Advisory 2024-04: Crafted responses can lead to a denial of service due to cache inefficiencies in the Recursor [oss-security] PowerDNS Security Advisory 2024-04 | Fri Sep 27 07:17:06 2024 Thu Oct 03 16:07:56 2024 | 6.37 | 3rd of October 2024 around 12:00 UTC | CVE-2024-25590 |
oath-toolkit | [vs] Local root exploit in a PAM module [oss-security] CVE-2024-47191: Local root exploit in the PAM module pam_oath.so | Fri Sep 27 10:18:19 2024 Fri Oct 04 15:00:06 2024 | 7.20 | 2024-10-04 11:00 AM GMT+2 | CVE-2024-47191 |
X.Org X server and Xwayland | [vs-plain] Embargoed X.Org Security Advisory: Issue in X server and Xwayland [oss-security] CVE-2024-9632: X.Org X server and Xwayland: Heap-based buffer overflow privilege escalation in _XkbSetCompatMap | Tue Oct 22 07:47:30 2024 Tue Oct 29 16:40:04 2024 | 7.37 | October 29, 2024 15:00 UTC | CVE-2024-9632 |
curl | [vs-plain] : curl pre-notification: CVE-2024-9681 [oss-security] [SECURITY ADVISTORY] curl: CVE-2024-9681 HSTS subdomain overwrites parent cache entry https://github.com/curl/curl/commit/a94973805df96269bf | Tue Oct 29 09:53:36 2024 Wed Nov 06 07:25:14 2024 Wed Oct 09 11:48:00 2024 | 7.90 -19.92 | November 6 2024 around 06:00 UTC | CVE-2024-9681 |
Unix shells | [vs-plain] shell expansion bug [oss-security] shell wildcard expansion (un)safety | Thu Oct 31 13:00:59 2024 Wed Nov 06 04:12:33 2024 | 5.63 | | |
These files were manually created based on review of the e-mail threads and external resources referenced from there. They were processed with this Perl script to produce the tables above. You should be able to reproduce that.
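As an added example of reproducing those numbers (this is not the page's own Perl script, which is not shown here), the following Python recomputes both embargo durations and the monthly summary from a handful of rows copied from the table above. The row list is constructed from those rows; the function and column names are the example's own.

```python
"""Recompute (linux-)distros embargo durations and the monthly summary (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

TIME_FMT = "%a %b %d %H:%M:%S %Y"   # e.g. "Tue Jan 09 07:12:50 2024"; all times are UTC

# Constructed sample: (project, posted to distros, posted to oss-security, earlier public posting or None),
# copied from the March/April 2024 rows of the per-report table above.
ROWS = [
    ("X.Org X server, Xwayland", "Fri Mar 29 01:29:54 2024", "Wed Apr 03 18:47:44 2024", "Tue Mar 12 20:38:02 2024"),
    ("glibc",    "Wed Apr 03 17:43:55 2024", "Wed Apr 17 17:43:39 2024", None),
    ("PuTTY",    "Mon Apr 08 08:58:06 2024", "Mon Apr 15 19:43:58 2024", None),
    ("Linux",    "Thu Apr 11 21:10:42 2024", "Wed Apr 10 19:57:32 2024", None),  # already public: negative
    ("PowerDNS", "Mon Apr 22 10:42:29 2024", "Wed Apr 24 11:29:14 2024", None),
]


def parse(ts):
    return datetime.strptime(ts, TIME_FMT)


def days(later, earlier):
    """Signed difference in days (fractional); negative when 'later' actually came first."""
    return (parse(later) - parse(earlier)).total_seconds() / 86400


def embargo(row):
    """Return (first, second): distros->oss-security delay, and elsewhere->distros delay or None."""
    _project, distros, oss_sec, elsewhere = row
    first = days(oss_sec, distros)
    second = days(elsewhere, distros) if elsewhere else None
    return first, second


def summarize(values):
    """Per-month figures; average/median/min use only embargoed (positive) durations."""
    embargoed = [v for v in values if v > 0]
    return {
        "all": len(values),
        "embargoed": len(embargoed),
        "average": round(mean(embargoed), 2) if embargoed else None,
        "median": round(median(embargoed), 2) if embargoed else None,
        "min": round(min(embargoed), 2) if embargoed else None,
        "max": round(max(values), 2),
    }


def monthly_stats(rows):
    """Group first embargo durations by the month of the report to distros, plus a Total row."""
    by_month = defaultdict(list)
    for row in rows:
        by_month[parse(row[1]).strftime("%Y-%m")].append(embargo(row)[0])
    stats = {month: summarize(vals) for month, vals in sorted(by_month.items())}
    stats["Total"] = summarize([v for vals in by_month.values() for v in vals])
    return stats


def render(stats):
    """Render the summary in the layout of the monthly table above."""
    lines = ["Month | All reports | Embargoed | Average | Median | Min | Max embargo days |",
             "---|---|---|---|---|---|---|"]
    for month, s in stats.items():
        cells = [month, s["all"], s["embargoed"], s["average"], s["median"], s["min"], s["max"]]
        lines.append(" | ".join("" if c is None else (f"{c:.2f}" if isinstance(c, float) else str(c))
                                for c in cells) + " |")
    return "\n".join(lines)


if __name__ == "__main__":
    for row in ROWS:
        first, second = embargo(row)
        print(f"{row[0]}: {first:.2f}" + (f" {second:.2f}" if second is not None else ""))
    print(render(monthly_stats(ROWS)))
```

Running it reproduces the 2024-04 line of the monthly table (4 reports, 3 embargoed, average 7.83, median 7.45, min 2.03, max 14.00) and the 5.72 / -16.20 pair for the X.Org row; a negative second value means the public posting preceded the report to the list.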