Statistics are grouped by month of the issue being reported to the private list.
| Month | All reports | Embargoed | Average | Median | Min | Max embargo days |
|---|---|---|---|---|---|---|
| 2024-01 | 9 | 9 | 9.18 | 8.79 | 1.09 | 14.12 |
| 2024-02 | 6 | 6 | 2.13 | 1.33 | 0.77 | 6.96 |
| 2024-03 | 9 | 9 | 7.23 | 7.97 | 1.15 | 12.53 |
| 2024-04 | 4 | 3 | 7.83 | 7.45 | 2.03 | 14.00 |
| Total | 28 | 27 | 6.81 | 7.45 | 0.77 | 14.12 |
Non-embargoed reports (issue already posted to oss-security before being brought to (linux-)distros, which in 2024 so far only occurred once) are excluded from the calculation of average, median, and minimum embargo duration above.
For the statistics above, we only use the first embargo duration seen in this table, which is the delay between postings to (linux-)distros and oss-security.
For some reports, there's a second embargo duration - that one is the delay (sometimes negative) between a first public posting elsewhere and the posting to (linux-)distros. Such first public posting often does not fully (or at all) reveal security relevance of the issue/fix, making it not-too-unreasonable to allow a little bit (more) of embargo time on the full detail, especially when that's the issue reporter's and/or the upstream project's preference.
| Project | Subjects/titles/links | Time at distros (UTC) … oss-security (UTC) Elsewhere (UTC) | Embargo days | Planned CRD(s) (exact wording) | CVE(s) |
|---|---|---|---|---|---|
| Mock | [vs-plain] Mock: Privilege escalation for users that can access mock configuration [oss-security] CVE-2023-6395 Mock: Privilege escalation for users that can access mock configuration | Mon Jan 08 20:42:02 2024 Tue Jan 16 14:37:14 2024 | 7.75 | January 16th 2024 at 1 PM UTC | CVE-2023-6395 |
| Mock, Snap | Re: [vs-plain] Mock: Privilege escalation for users that can access mock configuration [oss-security] Mock, Snap, LXC expose(d) chroot, container trees with unsafe permissions and contents to host users, pose risk to host | Mon Jan 08 21:24:02 2024 Tue Jan 16 20:35:56 2024 | 7.97 | January 16 | |
| X.Org X server and Xwayland | [vs-plain] Embargoed X.Org Security Advisory: Issues in X server and Xwayland [oss-security] Fwd: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.11 and Xwayland prior to 23.2.4 https://lists.x.org/archives/xorg-announce/2024-January/003444.html | Tue Jan 09 07:12:50 2024 Thu Jan 18 09:21:40 2024 Tue Jan 16 14:24:36 2024 | 9.09 7.30 | January 16, 2024 00:00 UTC | CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 CVE-2024-0409 CVE-2024-0408 |
| Linux PAM pam_namespace | [vs] encrypted subject [oss-security] pam: pam_namespace misses O_DIRECTORY flag in `protect_dir()` (CVE-2024-22365) https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0 | Tue Jan 09 14:49:28 2024 Thu Jan 18 09:48:33 2024 Wed Jan 17 15:17:00 2024 | 8.79 8.02 | 2024-01-17 | CVE-2024-22365 |
| glibc | [vs] CVE-2023-6246, CVE-2023-6779, CVE-2023-6780 [oss-security] CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog() | Tue Jan 16 15:39:22 2024 Tue Jan 30 18:29:25 2024 | 14.12 | Tuesday, January 30, 2024, 18:00 UTC | CVE-2023-6246 CVE-2023-6779 CVE-2023-6780 |
| glibc | [vs] Second advisory [oss-security] Out-of-bounds read & write in the glibc's qsort() | Tue Jan 16 16:02:18 2024 Tue Jan 30 18:37:31 2024 | 14.11 | Tuesday, January 30, 2024, 18:00 UTC | |
| coreutils | [vs] … [oss-security] GNU coreutils v9.4; v9.3; v9.2 split heap buffer overflow vulnerability https://github.com/coreutils/coreutils/commit/c4c5ed8f4e9cd55a12966d4f520e3a13101637d9 | Wed Jan 17 07:18:25 2024 Thu Jan 18 09:22:16 2024 Wed Jan 17 20:19:00 2024 | 1.09 0.54 | CVE-2024-0684 | |
| curl | [vs-plain] : curl pre-notification: CVE-2024-0853: OCSP verification bypass with TLS session reuse [oss-security] [SECURITY ADVISORY] curl: CVE-2024-0853 : OCSP verification bypass with TLS session reuse https://github.com/curl/curl/commit/c28e9478cb2548848ec | Wed Jan 24 09:26:59 2024 Wed Jan 31 07:10:04 2024 Tue Jan 23 07:26:00 2024 | 6.90 -1.08 | January 31 2024 around 07:00 UTC | CVE-2024-0853 |
| grub2-set-bootflag | [vs] grub-set-bootflag [oss-security] CVE-2024-1048: grub2-set-bootflag may be abused to fill up /boot, bypass RLIMIT_NPROC | Wed Jan 24 22:07:37 2024 Tue Feb 06 17:01:28 2024 | 12.79 | January 31 Feb 6th | CVE-2024-1048 |
| Open vSwitch | [vs-plain] [ADVISORY] CVE-2023-3966: Open vSwitch: Invalid memory access in Geneve with HW offload. [oss-security] [ADVISORY] CVE-2023-3966: Open vSwitch: Invalid memory access in Geneve with HW offload. | Thu Feb 01 21:07:08 2024 Thu Feb 08 20:13:41 2024 | 6.96 | 08-Feb-2024 | CVE-2023-3966 |
| Unbound | [vs] … [oss-security] Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities | Mon Feb 12 08:50:19 2024 Tue Feb 13 14:23:55 2024 | 1.23 | “not before 12:00 UTC” on 13 February 2024 | CVE-2023-50387 CVE-2023-50868 |
| PowerDNS Recursor | [vs-plain] PowerDNS pre-notification: EMBARGO: PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor Re: [oss-security] Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities https://github.com/PowerDNS/pdns/pull/13781 | Mon Feb 12 11:31:30 2024 Tue Feb 13 21:49:40 2024 Tue Feb 13 12:01:00 2024 | 1.43 1.02 | 13th of February 2024 | CVE-2023-50387 CVE-2023-50868 |
| BIND 9 | [vs] … [oss-security] ISC has disclosed six vulnerabilities in BIND 9 (CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50387, CVE-2023-50868) | Mon Feb 12 15:34:41 2024 Tue Feb 13 14:23:37 2024 | 0.95 | 13 February 2024 | CVE-2023-4408 CVE-2023-5517 CVE-2023-5679 CVE-2023-6516 CVE-2023-50387 CVE-2023-50868 |
| EDK2 based Virtual Machine firmware | [vs-plain] Secure Boot bypass in EDK2 based Virtual Machine firmware [oss-security] Secure Boot bypass in EDK2 based Virtual Machine firmware | Tue Feb 13 03:44:41 2024 Wed Feb 14 14:48:15 2024 | 1.46 | February 14th 2024 at 13:00 UTC+0 | CVE-2023-48733 CVE-2023-49721 |
| c-ares | [vs-plain] c-ares security vuln [oss-security] c-ares CVE-2024-25629 | Thu Feb 22 18:12:49 2024 Fri Feb 23 12:40:51 2024 | 0.77 | 2/23/2024 | CVE-2024-25629 |
| Open Virtual Network | [vs-plain] [ADVISORY] CVE-2024-2182: Open Virtual Network: Insufficient validation of incoming BFD packets. [oss-security] [ADVISORY] CVE-2024-2182: Open Virtual Network: Insufficient validation of incoming BFD packets. | Tue Mar 05 16:01:37 2024 Tue Mar 12 14:13:02 2024 | 6.92 | 12-Mar-2024 | CVE-2024-2182 |
| curl | [vs-plain] : curl pre-notification: CVE-2024-2004: Usage of disabled protocol [oss-security] [SECURITY ADVISORY] curl: CVE-2024-2004: Usage of disabled protocol | Tue Mar 19 07:38:44 2024 Wed Mar 27 06:53:23 2024 | 7.97 | March 27 | CVE-2024-2004 |
| curl | [vs-plain] : curl pre-notification: CVE-2024-2379: QUIC certificate check bypass with wolfSSL [oss-security] [SECURITY ADVISORY] curl: CVE-2024-2379: QUIC certificate check bypass with wolfSSL | Tue Mar 19 07:38:49 2024 Wed Mar 27 06:53:29 2024 | 7.97 | March 27 | CVE-2024-2379 |
| curl | [vs-plain] : curl pre-notification: CVE-2024-2398: HTTP/2 push headers memory-leak [oss-security] [SECURITY ADVISORY] curl: CVE-2024-2398: HTTP/2 push headers memory-leak | Tue Mar 19 07:38:56 2024 Wed Mar 27 06:53:34 2024 | 7.97 | March 27 | CVE-2024-2398 |
| curl | [vs-plain] : curl pre-notification: CVE-2024-2466: TLS certificate check bypass with mbedTLS [oss-security] [SECURITY ADVISORY] curl: CVE-2024-2466: TLS certificate check bypass with mbedTLS | Tue Mar 19 07:39:03 2024 Wed Mar 27 06:53:36 2024 | 7.97 | March 27 | CVE-2024-2466 |
| util-linux | [vs-plain] ANSI Escape sequence injection in wall (CVE-2024-28085) [oss-security] CVE-2024-28085: Escape sequence injection in util-linux wall | Wed Mar 20 18:40:50 2024 Wed Mar 27 15:11:25 2024 | 6.85 | March 27 | |
| xz | [vs] Easter Eggs [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise | Thu Mar 28 12:23:26 2024 Fri Mar 29 16:03:34 2024 | 1.15 | tomorrow | CVE-2024-3094 |
| X.Org X server, Xwayland | [vs-plain] Embargoed X.Org Security Advisory: Multiple issues in X servers [oss-security] Fwd: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5 https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762 | Fri Mar 29 01:29:54 2024 Wed Apr 03 18:47:44 2024 Tue Mar 12 20:38:02 2024 | 5.72 -16.20 | April 3, 2024 | CVE-2024-31080 CVE-2024-31081 CVE-2024-31082 CVE-2024-31083 |
| Linux | [vs-plain] Skbuff null ptr derefence 0day potential LPE [oss-security] CVE-2024-1086: Linux: nf_tables: use-after-free vulnerability in the nft_verdict_init() function https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f342de4e2f33e0e39165d8639387aa6c19dff660 | Fri Mar 29 10:14:05 2024 Wed Apr 10 22:51:45 2024 Sat Jan 20 21:50:04 2024 | 12.53 -68.52 | CVE-2024-1086 | |
| glibc | [vs] … [oss-security] The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence | Wed Apr 03 17:43:55 2024 Wed Apr 17 17:43:39 2024 | 14.00 | April 17th | CVE-2024-2961 |
| PuTTY | [vs] CVE-2024-31497 [oss-security] CVE-2024-31497: Secret Key Recovery of NIST P-521 Private Keys Through Biased ECDSA Nonces in PuTTY Client | Mon Apr 08 08:58:06 2024 Mon Apr 15 19:43:58 2024 | 7.45 | 15.04.2024 19:00 UTC | CVE-2024-31497 |
| Linux | [vs-plain] Zero day local root exploit with Ubuntu 22.04 HWE / Debian 12 and possible Fedora [oss-security] New Linux LPE via GSMIOC_SETCONF_DLCI? | Thu Apr 11 21:10:42 2024 Wed Apr 10 19:57:32 2024 | -1.05 | ||
| PowerDNS | [vs-plain] PowerDNS pre-notification: EMBARGO: PowerDNS Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor [oss-security] PowerDNS Recursor Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor | Mon Apr 22 10:42:29 2024 Wed Apr 24 11:29:14 2024 | 2.03 | 24th of April 2024 We aim for 11:00 UTC | CVE-2024-25583 |
These files were manually created based on review of the e-mail threads and external resources referenced from there. They were processed with this Perl script to produce the tables above. You should be able to reproduce that.