This is an old revision of the document!
Statistics are grouped by month of the issue being reported to the private list.
| Month | All reports | Embargoed | Average | Median | Min | Max embargo days |
|---|---|---|---|---|---|---|
| 2025-01 | 9 | 9 | 7.71 | 7.70 | 1.12 | 14.56 |
| Total | 9 | 9 | 7.71 | 7.70 | 1.12 | 14.56 |
Non-embargoed reports (issue already posted to oss-security before being brought to (linux-)distros, which in 2025 didn't occur yet) are (will be) excluded from the calculation of average, median, and minimum embargo duration above.
For the statistics above, we only use the first embargo duration seen in this table, which is the delay between postings to (linux-)distros and oss-security.
For some reports, there's a second embargo duration - that one is the delay (sometimes negative) between a first public posting elsewhere and the posting to (linux-)distros. Such first public posting often does not fully (or at all) reveal security relevance of the issue/fix, making it not-too-unreasonable to allow a little bit (more) of embargo time on the full detail, especially when that's the issue reporter's and/or the upstream project's preference.
| Project | Subjects/titles/links | Time at distros (UTC) … oss-security (UTC) Elsewhere (UTC) | Embargo days | Planned CRD(s) (exact wording) | CVE(s) |
|---|---|---|---|---|---|
| Git | [vs-plain] Upcoming Git security fix release [oss-security] git: 2 vulnerabilities fixed | Thu Jan 09 19:01:09 2025 Tue Jan 14 18:04:02 2025 | 4.96 | January 14th, 2025 at 10am Pacific Time or soon thereafter | CVE-2024-50349 CVE-2024-52006 |
| rsync | [vs] patches for 6 vulnerabilities [oss-security] RSYNC: 6 vulnerabilities | Thu Jan 09 22:29:10 2025 Tue Jan 14 18:03:17 2025 | 4.82 | 2025-01-14 @ 19:00 UTC | CVE-2024-12084 CVE-2024-12085 CVE-2024-12086 CVE-2024-12087 CVE-2024-12088 CVE-2024-12747 |
| Linux | [vs-plain] Kernel bug found in the latest upstream relegated to ocfs2 [oss-security] Linux: kernel BUG at fs/ocfs2/refcounttree.c:2678 ocfs2_refcount_cal_cow_clusters in 6.13.0 | Thu Jan 23 04:05:44 2025 Thu Feb 06 17:37:28 2025 | 14.56 | No later than Feb 6 | |
| BIND 9 | [vs] … [oss-security] ISC has disclosed two vulnerabilities in BIND 9 (CVE-2024-11187, CVE-2024-12705) | Tue Jan 28 14:09:40 2025 Wed Jan 29 16:58:31 2025 | 1.12 | 29 January 2025 | CVE-2024-11187 CVE-2024-12705 |
| curl | [vs-plain] : curl pre-notification (1/3): CVE-2025-0167 [oss-security] [SECURITY ADVISORY] curl: CVE-2025-0167: netrc and default credential leak | Tue Jan 28 15:34:55 2025 Wed Feb 05 08:21:44 2025 | 7.70 | February 5 2025 around 08:00 UTC | CVE-2025-0167 |
| curl | [vs-plain] : curl pre-notification (2/3): CVE-2025-0665 [oss-security] [SECURITY ADVISORY] curl: CVE-2025-0665: eventfd double close | Tue Jan 28 15:35:00 2025 Wed Feb 05 08:21:49 2025 | 7.70 | February 5 2025 around 08:00 UTC | CVE-2025-0665 |
| curl | [vs-plain] : curl pre-notification (3/3): CVE-2025-0725 [oss-security] [SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow | Tue Jan 28 15:35:08 2025 Wed Feb 05 08:21:52 2025 | 7.70 | February 5 2025 around 08:00 UTC | CVE-2025-0725 |
| OpenSSL | [vs-plain] Embargoed OpenSSL security issues [oss-security] CVE-2024-12797: OpenSSL: RFC7250 handshakes with unauthenticated servers don't abort as expected | Tue Jan 28 19:04:37 2025 Tue Feb 11 17:01:50 2025 | 13.91 | 11th February, 2025 | CVE-2024-12797 |
| pam_pkcs11 | [vs] encrypted subject [oss-security] pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) | Thu Jan 30 17:31:26 2025 Thu Feb 06 14:55:28 2025 | 6.89 | 2025-02-06 | CVE-2025-24531 |
These files were manually created based on review of the e-mail threads and external resources referenced from there. They were processed with this Perl script to produce the tables above. You should be able to reproduce that.