This shows you the differences between two versions of the page.
|
mailing-lists:distros:stats:2026 [2026/03/15 02:28] solar add 2026-02 |
mailing-lists:distros:stats:2026 [2026/05/13 04:18] (current) solar add 2026-03 and 2026-04 |
||
|---|---|---|---|
| Line 8: | Line 8: | ||
| | 2026-01 | 3 | 3 | 7.42 | 6.81 | 1.28 | 14.15 | | | 2026-01 | 3 | 3 | 7.42 | 6.81 | 1.28 | 14.15 | | ||
| | 2026-02 | 4 | 4 | 11.57 | 12.70 | 6.75 | 14.15 | | | 2026-02 | 4 | 4 | 11.57 | 12.70 | 6.75 | 14.15 | | ||
| - | | Total | 7 | 7 | 9.79 | 11.74 | 1.28 | 14.15 | | + | | 2026-03 | 15 | 15 | 10.40 | 5.35 | 1.11 | 49.69 | |
| + | | 2026-04 | 16 | 16 | 9.84 | 6.06 | 3.60 | 31.98 | | ||
| + | | Total | 38 | 38 | 10.05 | 6.78 | 1.11 | 49.69 | | ||
| Non-embargoed reports (issue already posted to oss-security before being brought to (linux-)distros, which in 2026 didn't occur yet) are (would be) excluded from the calculation of average, median, and minimum embargo duration above. | Non-embargoed reports (issue already posted to oss-security before being brought to (linux-)distros, which in 2026 didn't occur yet) are (would be) excluded from the calculation of average, median, and minimum embargo duration above. | ||
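Review bot: the new 2026-04 row (average 9.84, maximum 31.98) only adds up if the GNU sed and Kata Containers reports are counted at their longer durations (31.98 and 26.49 days, measured to the oss-security posting) rather than the shorter ones listed beside them in the detail table (11.01 and 6.26), yet the explanatory paragraph kept below this table covers only non-embargoed reports. Suggest adding a sentence there stating which duration is used when a report has both an earlier public date and a later oss-security posting, since that choice sets the April maximum and feeds the Total row.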
| Line 26: | Line 28: | ||
| | OpenStack | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2026/02/17/1|[oss-security] [OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708)]] | Thu Feb 05 21:18:36 2026 \\ Tue Feb 17 15:01:45 2026 | 11.74 | 2026-02-17 1500UTC | CVE-2026-24708 | | | OpenStack | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2026/02/17/1|[oss-security] [OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708)]] | Thu Feb 05 21:18:36 2026 \\ Tue Feb 17 15:01:45 2026 | 11.74 | 2026-02-17 1500UTC | CVE-2026-24708 | | ||
| | Linux | [vs-plain] Multiple vulnerabilities in AppArmor \\ [[https://www.openwall.com/lists/oss-security/2026/03/12/7|[oss-security] Re: Multiple vulnerabilities in AppArmor]] | Thu Feb 26 18:01:06 2026 \\ Thu Mar 12 21:34:11 2026 | 14.15 | Tuesday, March 3, 17:00 UTC \\ when the patches are published upstream in Linus's tree, in a few days and definitely before the maximum 14-day embargo \\ will almost certainly be published upstream in Linus's tree on Tuesday, March 10 \\ wait until the patches appear in Linus's tree, even if the maximum 14-day embargo is slightly exceeded | | | | Linux | [vs-plain] Multiple vulnerabilities in AppArmor \\ [[https://www.openwall.com/lists/oss-security/2026/03/12/7|[oss-security] Re: Multiple vulnerabilities in AppArmor]] | Thu Feb 26 18:01:06 2026 \\ Thu Mar 12 21:34:11 2026 | 14.15 | Tuesday, March 3, 17:00 UTC \\ when the patches are published upstream in Linus's tree, in a few days and definitely before the maximum 14-day embargo \\ will almost certainly be published upstream in Linus's tree on Tuesday, March 10 \\ wait until the patches appear in Linus's tree, even if the maximum 14-day embargo is slightly exceeded | | | ||
| + | | OpenSSH GSSAPI patch | [vs-plain] OpenSSH GSSAPI patch issue \\ [[https://www.openwall.com/lists/oss-security/2026/03/12/3|[oss-security] OpenSSH GSSAPI keyex patch issue]] | Thu Mar 05 14:03:20 2026 \\ Thu Mar 12 18:03:39 2026 | 7.17 | 2026-03-12 18:00:00 UTC | CVE-2026-3497 | | ||
| + | | OpenStack Glance | [vs] Vulnerability in OpenStack Glance (CVE-pending) \\ [[https://www.openwall.com/lists/oss-security/2026/03/19/3|[oss-security] [OSSA-2026-004] Glance: Server-Side Request Forgery (SSRF) vulnerabilities in OpenStack Glance image import functionality (CVE-2026-pending)]] | Thu Mar 05 20:09:33 2026 \\ Thu Mar 19 15:21:06 2026 | 13.80 | 2026-03-19, 1500UTC | OSSA-2026-004 | | ||
| + | | curl | [vs-plain] : pre-notification curl CVE-2026-1965 (1/3) \\ [[https://www.openwall.com/lists/oss-security/2026/03/11/1|[oss-security] [ADVISORY] curl: CVE-2026-1965: bad reuse of HTTP Negotiate connection]] \\ [[https://github.com/curl/curl/pull/20534]] | Sun Mar 08 09:32:08 2026 \\ Wed Mar 11 06:54:50 2026 | 2.89 | March 11, this coming Wednesday | CVE-2026-1965 | | ||
| + | | curl | [vs-plain] : pre-notification curl CVE-2026-3783 (2/3) \\ [[https://www.openwall.com/lists/oss-security/2026/03/11/2|[oss-security] [ADVISORY] curl: CVE-2026-3783: token leak with redirect and netrc]] \\ [[https://github.com/curl/curl/pull/20843]] | Sun Mar 08 09:32:12 2026 \\ Wed Mar 11 06:54:55 2026 | 2.89 | March 11, this coming Wednesday | CVE-2026-3783 | | ||
| + | | curl | [vs-plain] : pre-notification curl CVE-2026-3784 (3/3) \\ [[https://www.openwall.com/lists/oss-security/2026/03/11/3|[oss-security] [ADVISORY] curl: CVE-2026-3784: wrong proxy connection reuse with credentials]] \\ [[https://github.com/curl/curl/pull/20837]] | Sun Mar 08 09:32:22 2026 \\ Wed Mar 11 06:55:00 2026 | 2.89 | March 11, this coming Wednesday | CVE-2026-3784 | | ||
| + | | curl | [vs-plain] : pre-notification curl CVE-2026-3805 (4/3) \\ [[https://www.openwall.com/lists/oss-security/2026/03/11/4|[oss-security] [ADVISORY] curl: CVE-2026-3805: use after free in SMB connection reuse]] \\ [[https://github.com/curl/curl/pull/20854]] | Sun Mar 08 21:56:29 2026 \\ Wed Mar 11 06:55:03 2026 | 2.37 | March 11th 2026 | CVE-2026-3805 | | ||
| + | | Linux | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2026/03/30/5|[oss-security] KVM shadow EPT stale rmap use-after-free]] | Tue Mar 10 10:33:59 2026 \\ Mon Mar 30 14:41:08 2026 | 20.17 | Sunday March 29, 2026, 16:00 UTC | | | ||
| + | | snapd | [vs] LPE in snapd \\ [[https://www.openwall.com/lists/oss-security/2026/03/17/8|[oss-security] snap-confine + systemd-tmpfiles = root (CVE-2026-3888)]] | Thu Mar 12 11:08:29 2026 \\ Tue Mar 17 19:33:32 2026 | 5.35 | 2026-03-17 14:00:00 UTC | CVE-2026-3888 | | ||
| + | | Linux | [vs-plain] Vulnerability Report: KTLS + sockmap "Reverse Order" Use-After-Free / Data Corruption \\ [[https://www.openwall.com/lists/oss-security/2026/05/07/1|[oss-security] Linux kernel: KTLS + sockmap "Reverse Order" Use-After-Free / Data Corruption]] | Wed Mar 18 11:54:54 2026 \\ Thu May 07 04:30:00 2026 | 49.69 | March 31st | | | ||
| + | | Dovecot | [vs] Dovecot Security Advisory 2026-01 \\ [[https://www.openwall.com/lists/oss-security/2026/03/27/2|[oss-security] Dovecot Security Advisory OXDC-2026-0001]] | Mon Mar 23 14:57:55 2026 \\ Fri Mar 27 14:48:06 2026 | 3.99 | 27th of March | CVE-2025-30189 \\ CVE-2025-59028 \\ CVE-2025-59032 \\ CVE-2025-59031 \\ CVE-2026-0394 \\ CVE-2026-27860 \\ CVE-2026-24031 \\ CVE-2026-27859 \\ CVE-2026-27857 \\ CVE-2026-27858 \\ CVE-2026-27856 \\ CVE-2026-27855 | | ||
| + | | Kea | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2026/03/25/6|[oss-security] ISC has disclosed one vulnerability in Kea (CVE-2026-3608)]] | Tue Mar 24 09:16:10 2026 \\ Wed Mar 25 15:16:52 2026 | 1.25 | 25 March 2026 | CVE-2026-3608 | | ||
| + | | BIND 9 | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2026/03/25/7|[oss-security] ISC has disclosed four vulnerabilities in BIND 9 (CVE-2026-1519, CVE-2026-3104, CVE-2026-3119, CVE-2026-3591)]] | Tue Mar 24 12:36:27 2026 \\ Wed Mar 25 15:16:57 2026 | 1.11 | 25 March 2026 | CVE-2026-1519 \\ CVE-2026-3104 \\ CVE-2026-3119 \\ CVE-2026-3591 | | ||
| + | | OpenSSL | [vs-plain] Embargoed OpenSSL security issue \\ [[https://www.openwall.com/lists/oss-security/2026/04/07/11|[oss-security] OpenSSL Security Advisory]] | Tue Mar 24 15:39:27 2026 \\ Tue Apr 07 16:37:00 2026 | 14.04 | 7th April 2026 | CVE-2026-31790 \\ CVE-2026-28386 \\ CVE-2026-28387 \\ CVE-2026-28388 \\ CVE-2026-28389 \\ CVE-2026-28390 \\ CVE-2026-31789 | | ||
| + | | OpenStack Keystone | [vs-plain] Vulnerability in OpenStack Keystone (CVE-2026-33551) \\ [[https://www.openwall.com/lists/oss-security/2026/04/07/12|[oss-security] [OSSA-2026-005] Keystone: Restricted application credentials can create EC2 credentials (CVE-2026-33551)]] | Tue Mar 24 19:28:14 2026 \\ Tue Apr 07 17:43:25 2026 | 13.93 | 2026-04-07, 1500UTC | CVE-2026-33551 | | ||
| + | | LiteLLM | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2026/04/09/1|[oss-security] X41 Advisory X41-2026-001: Guardrail Sandbox Escape in LiteLLM]] | Wed Mar 25 14:19:55 2026 \\ Thu Apr 09 00:09:16 2026 | 14.41 | as fast as possible | x41-2026-001 | | ||
| + | | OVN | [vs-plain] CVE-2026-5367: Heap Over-Read in ICMP Error Response Generation \\ [[https://www.openwall.com/lists/oss-security/2026/04/20/2|[oss-security] [ADVISORY] CVE-2026-5265: Heap Over-Read in ICMP Error Response Generation]] | Tue Apr 07 08:04:14 2026 \\ Mon Apr 20 15:51:53 2026 | 13.32 | 13-Apr-2026 \\ 20-Apr-2026 | CVE-2026-5265 | | ||
| + | | OVN | [vs-plain] CVE-2026-5367: Heap over-read in OVN DHCPv6 Client ID processing \\ [[https://www.openwall.com/lists/oss-security/2026/04/20/3|[oss-security] [ADVISORY] CVE-2026-5367: Heap over-read in OVN DHCPv6 Client ID processing]] | Tue Apr 07 08:04:18 2026 \\ Mon Apr 20 15:52:03 2026 | 13.32 | 13-Apr-2026 \\ 20-Apr-2026 | CVE-2026-5367 | | ||
| + | | X.Org X server and Xwayland | [vs-plain] Embargoed X.Org Security Advisory: Multiple security issues in X.Org X server and Xwayland for 2026-04-14 \\ [[https://www.openwall.com/lists/oss-security/2026/04/14/8|[oss-security] Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland]] | Tue Apr 07 08:20:45 2026 \\ Tue Apr 14 15:38:28 2026 | 7.30 | 2026-04-14 at 13:00 UTC | CVE-2026-33999 \\ CVE-2026-34000 \\ CVE-2026-34001 \\ CVE-2026-34002 \\ CVE-2026-34003 | | ||
| + | | GNU sed | [vs-plain] GNU sed: CVE-2026-5958: TOCTOU race in sed -i --follow-symlinks \\ [[https://www.openwall.com/lists/oss-security/2026/05/13/1|[oss-security] CVE-2026-5958: GNU sed: TOCTOU race in sed -i --follow-symlinks]] \\ [[https://savannah.gnu.org/news/?id=10885]] | Sat Apr 11 01:40:42 2026 \\ Wed May 13 01:14:29 2026 \\ Wed Apr 22 02:00:45 2026 | 31.98 \\ 11.01 | 2026-04-19 \\ the 20th | CVE-2026-5958 | | ||
| + | | libXpm | [vs-plain] Embargoed X.Org Security Advisory: Security issue in libXpm for 2026-04-21 \\ [[https://www.openwall.com/lists/oss-security/2026/04/21/3|[oss-security] Fwd: X.Org Security Advisory: CVE-2026-4367: libXpm Out-of-bounds read in xpmNextWord()]] | Tue Apr 14 17:09:39 2026 \\ Tue Apr 21 16:30:10 2026 | 6.97 | 2026-04-21 at 13:00 UTC | CVE-2026-4367 | | ||
| + | | ntfs-3g | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2026/04/21/4|[oss-security] CVE-2026-40706: ntfs-3g 2022.10.3: Heap buffer overflow]] | Thu Apr 16 10:27:32 2026 \\ Tue Apr 21 16:30:37 2026 | 5.25 | April 21st (2026-04-21) 12:00 UTC | CVE-2026-40706 \\ GHSA-4cwv-5285-63v9 | | ||
| + | | Kata Containers | [vs-plain] Vulnerability in Kata Containers (CVE Requested) \\ [[https://www.openwall.com/lists/oss-security/2026/05/13/2|[oss-security] CVE-2026-41326: Kata Containers: CopyFile Policy Subversion via Symlinks]] \\ [[https://github.com/kata-containers/kata-containers/security/advisories/GHSA-q49m-57vm-c8cc]] | Thu Apr 16 13:42:39 2026 \\ Wed May 13 01:31:41 2026 \\ Wed Apr 22 19:55:00 2026 | 26.49 \\ 6.26 | 2026-04-22, 1800 UTC | CVE-2026-41326 | | ||
| + | | PackageKit | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2026/04/22/6|[oss-security] CVE-2026-41651: TOCTOU vulnerability in PackageKit <= 1.3.4 leads to local root exploit]] | Sun Apr 19 01:11:19 2026 \\ Wed Apr 22 15:38:54 2026 | 3.60 | next Wednesday (22.04.2026) \\ 22.04.2026, after 12:00 CEST (12:00 PM, 12:00 24h format) | CVE-2026-41651 | | ||
| + | | curl | [vs-plain] : pre-notification curl CVE-2026-4873 (1/6) \\ [[https://www.openwall.com/lists/oss-security/2026/04/29/7|[oss-security] [ADVISORY] curl: CVE-2026-4873: connection reuse ignores TLS requirement]] \\ [[https://github.com/curl/curl/commit/507e7be573b0a76fca597b75]] | Thu Apr 23 06:08:11 2026 \\ Wed Apr 29 06:01:05 2026 | 6.00 | April 29 | CVE-2026-4873 | | ||
| + | | curl | [vs-plain] : pre-notification curl CVE-2026-5545 (2/6) \\ [[https://www.openwall.com/lists/oss-security/2026/04/29/8|[oss-security] [ADVISORY] curl: CVE-2026-5545: wrong reuse of HTTP Negotiate connection]] \\ [[https://github.com/curl/curl/commit/33e43985b8f3b9e6669]] | Thu Apr 23 06:08:16 2026 \\ Wed Apr 29 06:01:12 2026 | 6.00 | April 29 | CVE-2026-5545 | | ||
| + | | curl | [vs-plain] : pre-notification curl CVE-2026-5773 (3/6) \\ [[https://www.openwall.com/lists/oss-security/2026/04/29/9|[oss-security] [ADVISORY] curl: CVE-2026-5773: wrong reuse of SMB connection]] \\ [[https://github.com/curl/curl/commit/74a169575d6412d]] | Thu Apr 23 06:08:24 2026 \\ Wed Apr 29 06:01:18 2026 | 6.00 | April 29 | CVE-2026-5773 | | ||
| + | | curl | [vs-plain] : pre-notification curl CVE-2026-6253 (4/6) \\ [[https://www.openwall.com/lists/oss-security/2026/04/29/11|[oss-security] [ADVISORY] curl: CVE-2026-6253: proxy credentials leak over redirect-to proxy]] \\ [[https://github.com/curl/curl/commit/188c2f166a20fa97c2325]] | Thu Apr 23 06:08:31 2026 \\ Wed Apr 29 06:01:23 2026 | 6.00 | April 29 | CVE-2026-6253 | | ||
| + | | curl | [vs-plain] : pre-notification curl CVE-2026-6276 (5/6) \\ [[https://www.openwall.com/lists/oss-security/2026/04/29/13|[oss-security] [ADVISORY] curl: CVE-2026-6276: stale custom cookie host causes cookie leak]] \\ [[https://github.com/curl/curl/commit/3a19987a87f393d9394fe5ac]] | Thu Apr 23 06:08:39 2026 \\ Wed Apr 29 06:01:27 2026 | 6.00 | April 29 | CVE-2026-6276 | | ||
| + | | curl | [vs-plain] : pre-notification curl CVE-2026-6429 (6/6) \\ [[https://www.openwall.com/lists/oss-security/2026/04/29/10|[oss-security] [ADVISORY] curl: CVE-2026-6429: netrc credential leak with reused proxy connection]] \\ [[https://github.com/curl/curl/commit/b4024bf808bd558026fdc6]] | Thu Apr 23 06:08:46 2026 \\ Wed Apr 29 06:01:19 2026 | 5.99 | April 29 | CVE-2026-6429 | | ||
| + | | Exim | [vs-plain] EXIM-Security-2026-04-24 \\ [[https://www.openwall.com/lists/oss-security/2026/04/30/21|[oss-security] Exim 4.99.2 fixes 4 CVEs]] | Fri Apr 24 15:09:46 2026 \\ Thu Apr 30 18:21:42 2026 | 6.13 | next Wednesday, 2026-04-29T12:00:00+0000 | CVE-2026-40684 \\ CVE-2026-40685 \\ CVE-2026-40686 \\ CVE-2026-40687 | | ||
| + | | OpenStack Cyborg | [vs] ... \\ [[https://www.openwall.com/lists/oss-security/2026/05/07/6|[oss-security] [OSSA-2026-011] OpenStack Cyborg: Multiple access control vulnerabilities in Cyborg accelerator management (CVE-2026-40213, CVE-2026-40214)]] | Thu Apr 30 15:02:08 2026 \\ Thu May 07 18:27:34 2026 | 7.14 | 2026-05-07, 1500UTC | CVE-2026-40213 \\ CVE-2026-40214 | | ||
| ===== Source input data ===== | ===== Source input data ===== | ||
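Review bot: in the first added OVN row the [vs-plain] subject reads CVE-2026-5367, while the linked oss-security advisory title and the CVE column of the same row both give CVE-2026-5265, and CVE-2026-5367 is the identifier of the DHCPv6 row directly below it. If the original (linux-)distros subject really carried that number, a short remark in the row would keep readers from taking it as a transcription error; otherwise the subject should read CVE-2026-5265. Separately, the GNU sed and Kata Containers rows list three timestamps, the third earlier than the second, and two durations, with nothing saying which event each value marks; a footnote or per-value label would make those rows readable on their own.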
| Line 33: | Line 66: | ||
| * {{stats-202601.txt}} | * {{stats-202601.txt}} | ||
| * {{stats-202602.txt}} | * {{stats-202602.txt}} | ||
| + | * {{stats-202603.txt}} | ||
| + | * {{stats-202604.txt}} | ||