From: Paolo Bonzini <pbonzini@redhat.com>
To: "Stefan Geißler" <info@stefan-geissler.net>, kvm@vger.kernel.org
Subject: Re: [RESEARCH] Patch delivery delay
Date: Mon, 14 Sep 2015 17:13:42 +0200	[thread overview]
Message-ID: <55F6E426.8030407@redhat.com> (raw)
In-Reply-To: <55F68C3B.7000701@stefan-geissler.net>
On 14/09/2015 10:58, Stefan Geißler wrote:
> 
> I am currently analyzing the delay between vulnerability disclosure (CVE
> release) and the release of a corresponding patch.
> 
> Firstly, I noticed that some vulnerabilities are patched before the CVE
> was assigned. How is that possible? Was the vulnerability "accidentally"
> fixed? (Example: According to NVD CVE-2013-1943 was fixed on 2011-05-22)

Yes, the vulnerability was not recognized as such.  The CVE is then
typically assigned when a Linux distribution decides to backport the fix.

> Second, does someone know why some vulnerabilities get a fix on CVE
> release day while some only receive a fix after weeks or even months?
> (Maximum delay I observed is 183 days)

There could be many reasons.  For example the problem could be very
minor, the patches could have problems, or a second patch was needed
because the first fix was insufficient.  It's difficult to say
without seeing the CVE and patch for the 183-day record.

Paolo
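One way to carry out the delay analysis the thread discusses, keeping the "fixed before the CVE was assigned" case (negative delay) in its own bucket instead of letting it distort the statistics. This is an added example, not code from the thread or from either participant; the records, dates and CVE ids below are constructed placeholders.

```python
"""Bucket CVE-to-fix delays, treating fixes that predate the CVE separately.

Each record is (cve_id, cve_published, fix_committed) with ISO-8601 dates.
The records are constructed sample data; the ids are placeholders, not real CVEs.
"""
from datetime import date
from statistics import median

# Constructed sample records (placeholder ids, invented dates).
RECORDS = [
    ("CVE-EXAMPLE-0001", "2013-05-01", "2011-05-22"),  # fix predates CVE assignment
    ("CVE-EXAMPLE-0002", "2015-03-10", "2015-03-10"),  # fixed on CVE release day
    ("CVE-EXAMPLE-0003", "2015-01-05", "2015-07-07"),  # 183-day delay
    ("CVE-EXAMPLE-0004", "2014-11-20", "2014-12-04"),  # fixed two weeks later
]


def fix_delay_days(published, fixed):
    """Signed delay in days; negative means the fix landed before the CVE existed."""
    return (date.fromisoformat(fixed) - date.fromisoformat(published)).days


def classify(delay):
    """Map a signed delay to the three cases raised in the thread."""
    if delay < 0:
        return "fixed-before-cve"
    if delay == 0:
        return "fixed-on-release-day"
    return "fixed-after-release"


def summarize(records):
    """Group records by case and report max/median over positive delays only."""
    buckets = {}
    positive = []
    for cve_id, published, fixed in records:
        delay = fix_delay_days(published, fixed)
        buckets.setdefault(classify(delay), []).append(cve_id)
        if delay > 0:
            positive.append((delay, cve_id))
    positive.sort()
    return {
        "buckets": buckets,
        # The record with the longest post-disclosure delay, worth inspecting by hand.
        "max_delay": positive[-1] if positive else None,
        "median_positive_delay": median(d for d, _ in positive) if positive else None,
    }
```

Negative delays are excluded from the max and median because, as the reply notes, they reflect a CVE assigned at backport time rather than a slow fix.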
