From: Paolo Bonzini <pbonzini@redhat.com>
To: "Stefan Geißler" <info@stefan-geissler.net>, kvm@vger.kernel.org
Subject: Re: [RESEARCH] Patch delivery delay
Date: Mon, 14 Sep 2015 22:24:31 +0200
Message-ID: <55F72CFF.8030305@redhat.com>
In-Reply-To: <55F71924.2040209@stefan-geissler.net>
On 14/09/2015 20:59, Stefan Geißler wrote:
>>
>> There could be many reasons. For example the problem could be very
>> minor, the patches could have problems, or a second patch was needed
>> because the first fix was insufficient so. It's difficult to say
>> without seeing the CVE and patch for the 183-day record.
>
> The delay belongs to CVE-2013-4587. According to NVD the patch (a git
> commit) was submitted on 2013-12-12 while the CVE number was assigned on
> 2013-06-12.
>
> But since I have some cases in my dataset that show similar (~80% of
> identified vulnerabilities are fixed within 100 days) behaviour I am
> more interested in the general info you already provided.
Actually there is a fourth reason: the CVE was not made public, not even
to organizations other than the discoverer, for a long time. My data is
that the CVE was assigned on 2013-06-12 but it was reported to the
maintainers only on 2013-11-15. It took 27 days from 2013-11-15 to the
release of the fix.
Until the date of the report, what happened within the organization is
effectively impossible to know. Most likely some kind of internal
process failure.
You can often go to a URL like
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4587 to see the
date that the CVE was reported, since Red Hat creates meta-bugs for CVEs
in their products. Other Linux distros probably have something similar.
Paolo
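The distinction Paolo draws above, between the interval a CVE-only dataset can see (ID assignment to fix) and the interval maintainers actually control (report to fix), is easy to lose when building delay statistics. The following is an added example written for this thread; it is not code from either correspondent or from the KVM project. The CVE-2013-4587 dates are the ones quoted in the messages; the other records, their IDs and dates are constructed for illustration and are not real CVE data, and the 100-day threshold is borrowed from Stefan's statistic.

```python
"""Separate the hidden (pre-report) window from the maintainer response
window when measuring patch delivery delay for a set of CVEs."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class CveRecord:
    cve: str
    assigned: date                    # CVE ID assigned (the date NVD exposes)
    fix_released: date                # fix committed / released upstream
    reported: Optional[date] = None   # maintainers notified; typically found
                                      # in a distro bug tracker, not in NVD

    def naive_delay(self) -> int:
        """Assignment -> fix: all an NVD-only dataset can measure."""
        return (self.fix_released - self.assigned).days

    def hidden_delay(self) -> Optional[int]:
        """Assignment -> report: time the CVE existed but maintainers
        had not been told. Unknown when no report date is available."""
        if self.reported is None:
            return None
        return (self.reported - self.assigned).days

    def response_delay(self) -> Optional[int]:
        """Report -> fix: the part of the delay maintainers control."""
        if self.reported is None:
            return None
        return (self.fix_released - self.reported).days


def fraction_within(delays: Sequence[int], days: int) -> float:
    """Share of delays that are <= `days`; 0.0 for an empty sequence."""
    if not delays:
        return 0.0
    return sum(1 for d in delays if d <= days) / len(delays)


def summarize(records: Sequence[CveRecord], threshold_days: int) -> Dict[str, float]:
    """Compare the naive (assignment -> fix) statistic with the
    response (report -> fix) statistic over the records that have a
    report date. A large gap between the two means the dataset is
    dominated by pre-report delay, not by slow maintainers."""
    naive: List[int] = [r.naive_delay() for r in records]
    response: List[int] = [
        d for d in (r.response_delay() for r in records) if d is not None
    ]
    return {
        "records": len(records),
        "records_with_report_date": len(response),
        "naive_within_threshold": fraction_within(naive, threshold_days),
        "response_within_threshold": fraction_within(response, threshold_days),
    }


RECORDS = [
    # Dates quoted in the thread for CVE-2013-4587.
    CveRecord("CVE-2013-4587", date(2013, 6, 12), date(2013, 12, 12),
              reported=date(2013, 11, 15)),
    # Constructed records with placeholder IDs (not real CVEs):
    # reported the same day it was assigned, fixed quickly
    CveRecord("CVE-XXXX-0001", date(2013, 1, 10), date(2013, 1, 20),
              reported=date(2013, 1, 10)),
    # sat undisclosed for months, then fixed within two weeks of the report
    CveRecord("CVE-XXXX-0002", date(2013, 3, 1), date(2013, 7, 1),
              reported=date(2013, 6, 20)),
    # no report date recoverable, so only the naive delay is known
    CveRecord("CVE-XXXX-0003", date(2013, 5, 5), date(2013, 6, 4)),
]


if __name__ == "__main__":
    for r in RECORDS:
        print(f"{r.cve}: naive={r.naive_delay()}d hidden={r.hidden_delay()} "
              f"response={r.response_delay()}")
    print(summarize(RECORDS, 100))
```

For CVE-2013-4587 the naive delay is the 183 days Stefan measured, of which 156 were hidden from the maintainers and only 27 were maintainer response time. Filling in the `reported` column from distro bug trackers, as Paolo suggests, is what turns a dataset of naive delays into one that can say anything about maintainer behaviour.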