Differences

This shows you the differences between two versions of the page.

--- mailing-lists:distros:stats:2025 [2025/04/18 02:17]
solar add giflib CVE in 2025-03
+++ mailing-lists:distros:stats:2025 [2025/11/07 02:19] (current)
solar add final 2025-10
@@ Line 9: / Line 9: @@
 | 2025-02 | 4 | 4 | 5.91 | 6.46 | 3.07 | 7.64 |
 | 2025-03 | 7 | 7 | 8.48 | 7.03 | 2.95 | 20.16 |
-| 2025-04 | 2 | 2 | 3.24 | 3.24 | 1.03 | 5.46 |
+| 2025-04 | 3 | 3 | 6.18 | 5.46 | 1.03 | 12.05 |
-| Total | 22 | 22 | 7.22 | 7.01 | 1.03 | 20.16 |
+| 2025-05 | 9 | 9 | 6.88 | 7.25 | 1.17 | 14.03 |
+| 2025-06 | 8 | 8 | 6.00 | 6.25 | 0.63 | 14.14 |
-The data for 2025-04 may be non-final.
+| 2025-07 | 4 | 4 | 8.68 | 9.15 | 1.48 | 14.94 |
+| 2025-08 | 4 | 4 | 5.64 | 4.42 | 1.06 | 12.65 |
+| 2025-09 | 11 | 11 | 5.04 | 4.78 | 1.00 | 13.89 |
+| 2025-10 | 8 | 8 | 7.36 | 6.94 | 1.00 | 15.48 |
+| Total | 67 | 67 | 6.75 | 6.82 | 0.63 | 20.16 |
 Non-embargoed reports (issue already posted to oss-security before being brought to (linux-)distros, which in 2025 didn't occur yet) are (will be) excluded from the calculation of average, median, and minimum embargo duration above.
@@ Line 45: / Line 49: @@
 | c-ares | [vs-plain] c-ares security vuln \\ [[https://www.openwall.com/lists/oss-security/2025/04/08/3|[oss-security] CVE-2025-31498: c-ares use-after-free]] | Mon Apr 07 12:22:00 2025 \\ Tue Apr 08 13:00:39 2025 | 1.03 | 4/8/2025 | CVE-2025-31498 |
 | Perl | [vs-plain] Impending Perl vuln disclosure (CVE-2024-56406) \\ [[https://www.openwall.com/lists/oss-security/2025/04/13/3|[oss-security] CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes]] | Tue Apr 08 03:25:01 2025 \\ Sun Apr 13 14:21:46 2025 | 5.46 | Sunday, April 13 2025, around 13:00 UTC | CVE-2024-56406 |
+| screen | [vs] encrypted subject \\ [[https://www.openwall.com/lists/oss-security/2025/05/12/1|[oss-security] screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations)]] | Wed Apr 30 14:08:22 2025 \\ Mon May 12 15:24:40 2025 | 12.05 | 2025-05-08 \\ willing to extend the CRD to 2025-05-12 \\ targeting 2025-05-12 | CVE-2025-23395 \\ CVE-2025-46802 \\ CVE-2025-46803 \\ CVE-2025-46804 \\ CVE-2025-46805 |
+| Varnish Cache | [vs-plain] [ vsб═] Embargoed Vulnerability in Varnish Cache \\ [[https://www.openwall.com/lists/oss-security/2025/05/13/5|[oss-security] VSV00016: Varnish Cache 6.0, 7.6, 7.7 - Request Smuggling Attack]] | Mon May 05 09:02:56 2025 \\ Tue May 13 15:19:54 2025 | 8.26 | May 12, 2025 | VSV00016 \\ CVE-2025-47905 |
+| open-vm-tools | [vs] [EMBARGOED] CVE-2025-22247 \\ [[https://www.openwall.com/lists/oss-security/2025/05/12/2|[oss-security] CVE-2025-22247 - Insecure file handling vulnerability in open-vm-tools]] | Mon May 05 10:35:42 2025 \\ Mon May 12 16:30:16 2025 | 7.25 | May 12th, 2025 | CVE-2025-22247 |
+| OpenStack Ironic | [vs] Vulnerability in OpenStack Ironic (CVE-2025-44021) \\ [[https://www.openwall.com/lists/oss-security/2025/05/08/1|[oss-security] OSSA-2025-001 / CVE-2025-44021: OpenStack Ironic fails to restrict paths used for file:// image URLs]] | Mon May 05 19:32:11 2025 \\ Thu May 08 18:43:11 2025 | 2.97 | 2025-05-08, 1700UTC | CVE-2025-44021 |
+| Kea | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2025/05/28/7|[oss-security] ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)]] | Wed May 14 16:00:20 2025 \\ Wed May 28 16:40:45 2025 | 14.03 | 28 May 2025 | CVE-2025-32801 \\ CVE-2025-32802 \\ CVE-2025-32803 |
+| BIND 9 | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2025/05/21/1|[oss-security] CVE-2025-40775: BIND 9: DNS message with invalid TSIG causes an assertion failure]] | Tue May 20 08:46:07 2025 \\ Wed May 21 12:47:24 2025 | 1.17 | 21 May 2025 | CVE-2025-40775 |
+| curl | [vs-plain] : curl prenotification for CVE-2025-4947 \\ [[https://www.openwall.com/lists/oss-security/2025/05/28/4|[oss-security] [SECURITY ADVISORY] curl: QUIC certificate check skip with wolfSSL]] \\ [[https://github.com/curl/curl/pull/17382]] | Tue May 20 15:23:50 2025 \\ Wed May 28 05:49:51 2025 \\ Mon May 19 08:54:00 2025 | 7.60 \\ -1.27 | May 28 2025 | CVE-2025-4947 |
+| curl | [vs-plain] : curl prenotification for CVE-2025-5025 \\ [[https://www.openwall.com/lists/oss-security/2025/05/28/5|[oss-security] [SECURITY ADVISORY] curl: No QUIC certificate pinning with wolfSSL]] \\ [[https://github.com/curl/curl/commit/e1f65937a96a451292e92313396]] | Thu May 22 07:55:52 2025 \\ Wed May 28 05:49:57 2025 \\ Wed May 21 20:45:00 2025 | 5.91 \\ -0.47 | May 28 2025 | CVE-2025-5025 |
+| apport, systemd-coredump | [vs-plain] Local information disclosure in apport and systemd-coredump \\ [[https://www.openwall.com/lists/oss-security/2025/05/29/3|[oss-security] Local information disclosure in apport and systemd-coredump]] | Fri May 23 20:32:54 2025 \\ Thu May 29 17:17:22 2025 | 5.86 | Thursday, May 29 \\ 16:00 UTC | CVE-2025-5054 \\ CVE-2025-4598 |
+| Linux | [vs-plain] Re: VULNERABILITY REPORT: Out-of-Bounds Read in HFS+ Filesystem's hfsplus_bnode_read Function \\ [[https://www.openwall.com/lists/oss-security/2025/06/03/2|[oss-security] Linux kernel: HFS+ filesystem implementation issues, exposure in distros]] | Sun May 25 05:37:34 2025 \\ Tue Jun 03 03:00:54 2025 | 8.89 |  |  |
+| curl | [vs-plain] : curl prenotification for CVE-2025-5399 \\ [[https://www.openwall.com/lists/oss-security/2025/06/04/2|[oss-security] [SECURITY AVISORY] curl: CVE-2025-5399: WebSocket endless loop]] \\ [[https://github.com/curl/curl/commit/d1145df24de8f80e6b16]] | Mon Jun 02 09:29:40 2025 \\ Wed Jun 04 05:52:58 2025 \\ Sat May 31 15:04:00 2025 | 1.85 \\ -1.77 | June 4 | CVE-2025-5399 |
+| Perl module File::Find::Rule | [vs-plain] Code execution vulnerability in File::Find::Rule Perl module \\ [[https://www.openwall.com/lists/oss-security/2025/06/05/4|[oss-security] CVE-2011-10007: File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted file name]] | Thu Jun 05 03:10:31 2025 \\ Thu Jun 05 18:17:55 2025 | 0.63 | in the afternoon (CEST) June 5th, 2025 | CVE-2011-10007 |
+| xdg-open | [vs-plain] xdg-open bypassing SameSite=Strict \\ [[https://www.openwall.com/lists/oss-security/2025/06/23/1|[oss-security] xdg-open bypassing SameSite=Strict]] | Mon Jun 09 11:10:28 2025 \\ Mon Jun 23 14:33:36 2025 | 14.14 | June 23, 2025 |  |
+| libblockdev | [vs-plain] LPE from allow_active to root in libblockdev via udisks \\ [[https://www.openwall.com/lists/oss-security/2025/06/17/4|[oss-security] CVE-2025-6019: LPE from allow_active to root in libblockdev via udisks]] | Mon Jun 09 11:19:55 2025 \\ Tue Jun 17 20:01:12 2025 | 8.36 | Tuesday June 17 \\ 16:00 UTC | CVE-2025-6018 \\ CVE-2025-6019 |
+| X.Org X server and Xwayland | [vs-plain] Preview of X.Org Security Advisory for 2025-06-17 \\ [[https://www.openwall.com/lists/oss-security/2025/06/17/3|[oss-security] Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland]] | Tue Jun 10 07:58:51 2025 \\ Tue Jun 17 14:11:13 2025 | 7.26 | June 17th 2025 at 13:00 UTC | CVE-2025-49175 \\ CVE-2025-49176 \\ CVE-2025-49177 \\ CVE-2025-49178 \\ CVE-2025-49179 \\ CVE-2025-49180 |
+| Linux-PAM | [vs-plain] Linux PAM - LPE in module pam_namespace \\ [[https://www.openwall.com/lists/oss-security/2025/06/17/1|[oss-security] pam: pam_namespace local privilege escalation (CVE-2025-6020)]] | Wed Jun 11 14:17:29 2025 \\ Tue Jun 17 13:19:50 2025 | 5.96 | 2025-06-17 at 10:00 UTC | CVE-2025-6020 |
+| sudo | [vs] sudo: local privilege escalation vulnerabilities \\ [[https://www.openwall.com/lists/oss-security/2025/06/30/2|[oss-security] CVE-2025-32462: sudo local privilege escalation via host option]] | Tue Jun 24 03:19:50 2025 \\ Mon Jun 30 16:14:38 2025 | 6.54 | next Monday June 30th at 14:00 UTC | CVE-2025-32462 \\ CVE-2025-32463 |
+| SOPE / SOGo | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2025/07/02/3|[oss-security] DoS segfault (NULL pointer deref) in SOPE / SOGo]] | Sun Jun 29 10:20:26 2025 \\ Wed Jul 02 17:13:42 2025 | 3.29 | Wednesday, 2025-07-02T12:00:00 UTC |  |
+| Git | [vs-plain] Upcoming Git security fix release \\ [[https://www.openwall.com/lists/oss-security/2025/07/08/4|[oss-security] Multiple vulnerabilities fixed in Git]] | Tue Jul 01 21:33:45 2025 \\ Tue Jul 08 17:09:11 2025 | 6.82 | July 8, 2025 at 10am Pacific Time (UTC-7), or shortly thereafter | CVE-2025-27613 \\ CVE-2025-27614 \\ CVE-2025-46334 \\ CVE-2025-46835 \\ CVE-2025-48384 \\ CVE-2025-48385 \\ CVE-2025-48386 |
+| Debian packaging of AIDE | [vs-plain] Command Injection in AIDE Daily Check Script (RCE, CVE Request) \\ [[https://www.openwall.com/lists/oss-security/2025/07/22/3|[oss-security] non-issues in dailyaidecheck script in Debian's packaging of AIDE]] | Fri Jul 11 10:50:03 2025 \\ Tue Jul 22 22:14:20 2025 | 11.48 |  |  |
+| BIND 9 | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2025/07/16/6|[oss-security] ISC has disclosed one vulnerability in BIND 9 (CVE-2025-40777)]] | Tue Jul 15 10:54:23 2025 \\ Wed Jul 16 22:27:08 2025 | 1.48 | 16 July 2025 | CVE-2025-40777 |
+| Linux | [vs-plain] Fw: eBPF Vulnerabilities - Responsible Disclosure \\ [[https://www.openwall.com/lists/oss-security/2025/08/03/1|[oss-security] Linux kernel: eBPF vulnerabilities]] | Sat Jul 19 03:30:17 2025 \\ Sun Aug 03 01:58:35 2025 | 14.94 |  |  |
+| AIDE | [vs] CVE-2025-54389 - aide \\ [[https://www.openwall.com/lists/oss-security/2025/08/14/7|[oss-security] CVE-2025-54389 - aide (<= 0.19.1): improper output neutralization (potential AIDE detection bypass)]] | Sun Aug 10 08:56:29 2025 \\ Thu Aug 14 18:56:36 2025 | 4.42 | Thu 14 Aug 2025 14:00:00 UTC | CVE-2025-54389 |
+| AIDE | [vs] CVE-2025-54409 - aide \\ [[https://www.openwall.com/lists/oss-security/2025/08/14/8|[oss-security] CVE-2025-54409 - aide (>= 0.13 <= 0.19.1): null pointer dereference after reading incorrectly encoded xattr attributes from database (local DoS)]] | Sun Aug 10 08:56:54 2025 \\ Thu Aug 14 18:56:49 2025 | 4.42 | Thu 14 Aug 2025 14:00:00 UTC | CVE-2025-54409 |
+| UDisks | [vs-plain] CVE-2025-8067 - UDisks \\ [[https://www.openwall.com/lists/oss-security/2025/08/28/1|[oss-security] CVE-2025-8067 - UDisks]] | Fri Aug 15 23:41:06 2025 \\ Thu Aug 28 15:21:31 2025 | 12.65 | Aug 28th | CVE-2025-8067 |
+| Kea | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2025/08/27/1|[oss-security] ISC has disclosed one vulnerability in Kea (CVE-2025-40779)]] | Tue Aug 26 18:02:17 2025 \\ Wed Aug 27 19:34:17 2025 | 1.06 | 27 August 2025 | CVE-2025-40779 |
+| CUPS | [vs-plain] EMBARGOED CVE-2025-58060 Authentication bypass with AuthType Negotiate \\ [[https://www.openwall.com/lists/oss-security/2025/09/11/1|[oss-security] CVE-2025-58060 cups: Authentication bypass with AuthType Negotiate]] | Tue Sep 02 11:01:32 2025 \\ Thu Sep 11 15:30:07 2025 | 9.19 | September 11th 13:00 UTC | CVE-2025-58060 |
+| CUPS | [vs-plain] EMBARGOED CVE-2025-58364 cups: Remote DoS via null dereference \\ [[https://www.openwall.com/lists/oss-security/2025/09/11/2|[oss-security] CVE-2025-58364 cups: Remote DoS via null dereference]] | Thu Sep 04 06:14:22 2025 \\ Thu Sep 11 15:30:12 2025 | 7.39 | September 11th 13:00 UTC | CVE-2025-58364 |
+| curl | [vs-plain] : pre-notification curl CVE-2025-9086 \\ [[https://www.openwall.com/lists/oss-security/2025/09/10/1|[oss-security] [SECURITY ADVISORY] curl: CVE-2025-9086: Out of bounds read for cookie path]] | Fri Sep 05 11:10:12 2025 \\ Wed Sep 10 05:53:25 2025 | 4.78 | September 10 | CVE-2025-9086 |
+| Perl CPAN JSON::XS | [vs-plain] : CVE-2025-40928: JSON::XS version 4.03 and earlier for Perl \\ [[https://www.openwall.com/lists/oss-security/2025/09/08/2|[oss-security] CVE-2025-40928: JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified]] | Sat Sep 06 18:25:13 2025 \\ Mon Sep 08 17:46:31 2025 | 1.97 | this weekend \\ 16:00 UTC today | CVE-2025-40928 |
+| Perl CPAN Cpanel::JSON::XS | [vs-plain] : CVE-2025-40929: Cpanel::JSON::XS version 4.39 and earlier for Perl \\ [[https://www.openwall.com/lists/oss-security/2025/09/08/1|[oss-security] CVE-2025-40929: Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact]] | Sat Sep 06 18:26:02 2025 \\ Mon Sep 08 17:46:30 2025 | 1.97 | this weekend \\ 16:00 UTC today | CVE-2025-40929 |
+| Perl CPAN JSON::SIMD | [vs-plain] : CVE-2025-40930: JSON::SIMD version 1.06 and earlier for Perl \\ [[https://www.openwall.com/lists/oss-security/2025/09/08/3|[oss-security] CVE-2025-40930: JSON::SIMD before version 1.07 and earlier for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact]] | Sat Sep 06 18:26:23 2025 \\ Mon Sep 08 17:46:57 2025 | 1.97 | this weekend \\ 16:00 UTC today | CVE-2025-40930 |
+| curl | [vs-plain] : pre-notification curl CVE-2025-10148 \\ [[https://www.openwall.com/lists/oss-security/2025/09/10/2|[oss-security] [SECURITY ADVISORY] curl: CVE-2025-10148: predictable WebSocket mask]] | Tue Sep 09 05:49:00 2025 \\ Wed Sep 10 05:54:41 2025 | 1.00 | tomorrow \\ September 10 2025 around 06:00 UTC | CVE-2025-10148 |
+| Stork | [vs] One Stork vulnerability will be announced on 10 September 2025 \\ [[https://www.openwall.com/lists/oss-security/2025/09/10/5|[oss-security] ISC has disclosed one vulnerability in Stork (CVE-2025-8696)]] | Tue Sep 09 17:00:28 2025 \\ Wed Sep 10 19:08:02 2025 | 1.09 | 10 September 2025 | CVE-2025-8696 |
+| OpenSSL | [vs-plain] Embargoed OpenSSL security issue \\ [[https://www.openwall.com/lists/oss-security/2025/09/30/5|[oss-security] OpenSSL Security Advisory]] | Tue Sep 16 16:32:28 2025 \\ Tue Sep 30 13:49:20 2025 | 13.89 | 30th September 2025 | CVE-2025-9230 \\ CVE-2025-9231 \\ CVE-2025-9232 |
+| open-vm-tools | [vs] [EMBARGOED] CVE-2025-41244 - open-vm-tools \\ [[https://www.openwall.com/lists/oss-security/2025/09/29/10|[oss-security] [Security Advisory] open-vm-tools: Local privilege escalation (CVE-2025-41244)]] | Tue Sep 23 07:27:43 2025 \\ Mon Sep 29 16:24:26 2025 | 6.37 | Sep 29th, 2025 | CVE-2025-41244 \\ VMSA-2025-0015 |
+| FreeIPA | [vs-plain] CVE-2025-7493 - Privilege escalation from host to domain admin in FreeIPA \\ [[https://www.openwall.com/lists/oss-security/2025/09/30/6|[oss-security] FreeIPA - CVE-2025-7493 - Privilege Escalation from host to domain admin]] | Wed Sep 24 19:00:18 2025 \\ Tue Sep 30 15:50:21 2025 | 5.87 | September 30th | CVE-2025-7493 |
+| X.Org X server and Xwayland | [vs-plain] Preview of X.Org Security Advisory for 2025-10-28 \\ [[https://www.openwall.com/lists/oss-security/2025/10/28/7|[oss-security] Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland]] | Mon Oct 13 07:46:59 2025 \\ Tue Oct 28 19:24:11 2025 | 15.48 | October 28, 2025 at 13:00 UTC | CVE-2025-62229 \\ CVE-2025-62230 \\ CVE-2025-62231 \\ ZDI-CAN-27238 \\ ZDI-CAN-27545 \\ ZDI-CAN-27560 |
+| BIND 9 | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2025/10/22/1|[oss-security] ISC has disclosed three vulnerabilities in BIND 9 (CVE-2025-8677, CVE-2025-40778, CVE-2025-40780)]] | Tue Oct 21 10:16:48 2025 \\ Wed Oct 22 15:54:47 2025 | 1.23 | 22 October 2025 | CVE-2025-8677 \\ CVE-2025-40778 \\ CVE-2025-40780 |
+| runc | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2025/11/05/3|[oss-security] runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881]] | Wed Oct 22 12:16:52 2025 \\ Wed Nov 05 09:53:38 2025 | 13.90 | 2025-11-05 09:00 UTC | CVE-2025-31133 \\ CVE-2025-52565 \\ CVE-2025-52881 |
+| OpenSMTPD | [vs] encrypted subject \\ [[https://www.openwall.com/lists/oss-security/2025/10/31/3|[oss-security] OpenSMTPD: Trivial Local Denial-of-Service via UNIX Domain Socket (CVE-2025-62875)]] | Thu Oct 23 09:35:42 2025 \\ Fri Oct 31 17:22:01 2025 | 8.32 | 2025-10-31 | CVE-2025-62875 |
+| OpenStack Keystone | [vs] Vulnerability in OpenStack Keystone (CVE pending) \\ [[https://www.openwall.com/lists/oss-security/2025/11/04/2|[oss-security] [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING)]] | Tue Oct 28 16:03:06 2025 \\ Tue Nov 04 15:01:25 2025 | 6.96 | Tuesday, 2025-11-04, 1500UTC |  |
+| Kea | [vs] One Kea vulnerability will be announced on 29 October 2025 \\ [[https://www.openwall.com/lists/oss-security/2025/10/29/5|[oss-security] ISC has disclosed one vulnerability in Kea (CVE-2025-11232)]] | Tue Oct 28 18:00:50 2025 \\ Wed Oct 29 17:55:19 2025 | 1.00 | 29 October 2025 | CVE-2025-11232 |
+| curl | [vs-plain] : pre-notification curl CVE-2025-10966 \\ [[https://www.openwall.com/lists/oss-security/2025/11/05/2|[oss-security] [SECURITY ADVISORY] curl: missing SFTP host verification with wolfSSH]] | Wed Oct 29 08:55:34 2025 \\ Wed Nov 05 07:14:23 2025 | 6.93 | November 5 2025 around 07:00 UTC | CVE-2025-10966 |
+| wcurl | [vs-plain] : pre-notification wcurl CVE-2025-11563 \\ [[https://www.openwall.com/lists/oss-security/2025/11/04/1|[oss-security] [SECURITY ADVISORY] wcurl path traversal with percent-encoded slashes]] | Thu Oct 30 07:19:58 2025 \\ Tue Nov 04 08:42:13 2025 | 5.06 | November 4 | CVE-2025-11563 |
 ===== Source input data =====
@@ Line 54: / Line 103: @@
   * {{stats-202503.txt}}
   * {{stats-202504.txt}}
+  * {{stats-202505.txt}}
+  * {{stats-202506.txt}}
+  * {{stats-202507.txt}}
+  * {{stats-202508.txt}}
+  * {{stats-202509.txt}}
+  * {{stats-202510.txt}}