From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paolo Bonzini
Subject: Re: [RESEARCH] Patch delivery delay
Date: Mon, 14 Sep 2015 17:13:42 +0200
Message-ID: <55F6E426.8030407@redhat.com>
References: <55F68C3B.7000701@stefan-geissler.net>
In-Reply-To: <55F68C3B.7000701@stefan-geissler.net>
To: Stefan Geißler, kvm@vger.kernel.org

On 14/09/2015 10:58, Stefan Geißler wrote:
> 
> I am currently analyzing the delay between vulnerability disclosure (CVE
> release) and the release of a corresponding patch.
> 
> Firstly, I noticed that some vulnerabilities are patched before the CVE
> was assigned. How is that possible? Was the vulnerability "accidentally"
> fixed? (Example: According to NVD CVE-2013-1943 was fixed on 2011-05-22)

Yes, the vulnerability was not recognized as such. The CVE is then
typically assigned when a Linux distribution decides to backport the fix.

> Second, does someone know why some vulnerabilities get a fix on CVE
> release day while some only receive a fix after weeks or even months?
> (Maximum delay I observed is 183 days)

There could be many reasons. For example the problem could be very
minor, the patches could have problems, or a second patch was needed
because the first fix was insufficient. It's difficult to say without
seeing the CVE and patch for the 183-day record.

Paolo
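The measurement the thread is discussing, as an added example that is not part of the original mail exchange: compute the signed delay between a CVE's publication date and the date of the fixing commit, and bucket the results so that "fixed before the CVE was assigned" (negative delay) and "fixed on release day" (zero delay) are reported separately from the ordinary positive delays. The `PatchRecord` type, the function names and all the dates are assumptions made for this example; only the fix date of CVE-2013-1943 (2011-05-22) comes from the thread, its publication date here is constructed, and the two `CVE-EXAMPLE-*` entries are placeholders, not real identifiers.

```python
"""Signed CVE-to-fix delay analysis (added example; not code from the kvm list)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class PatchRecord:
    cve_id: str
    cve_published: date   # date the CVE entry became public (e.g. NVD "Published")
    fix_committed: date   # date the fixing commit landed upstream


def patch_delay_days(rec: PatchRecord) -> int:
    """Signed delay in days: positive = fix after CVE publication,
    negative = fix landed before the CVE existed, zero = same day."""
    return (rec.fix_committed - rec.cve_published).days


def classify(rec: PatchRecord) -> str:
    """Bucket a record so the two edge cases from the thread are visible."""
    d = patch_delay_days(rec)
    if d < 0:
        # Bug was fixed before anyone recognised it as a vulnerability;
        # the CVE was typically assigned later, e.g. when a distro backported it.
        return "fixed-before-cve"
    if d == 0:
        # Coordinated disclosure: patch and CVE published together.
        return "fixed-on-release-day"
    return "fixed-after-cve"


def summarize(records: Iterable[PatchRecord]) -> Dict[str, object]:
    """Per-CVE delays, bucket membership, and the worst positive delay.
    Negative delays are deliberately excluded from the maximum so that
    early fixes do not mask the slowest genuine response."""
    recs = list(records)
    delays = {r.cve_id: patch_delay_days(r) for r in recs}
    buckets: Dict[str, List[str]] = {}
    for r in recs:
        buckets.setdefault(classify(r), []).append(r.cve_id)
    positive = {k: v for k, v in delays.items() if v > 0}
    worst = max(positive, key=positive.__getitem__) if positive else None
    return {
        "delays": delays,
        "buckets": buckets,
        "max_delay_days": positive[worst] if worst is not None else 0,
        "max_delay_cve": worst,
    }


# Constructed sample data. Only the 2011-05-22 fix date of CVE-2013-1943 is
# taken from the thread; its publication date and the CVE-EXAMPLE-* rows are
# invented purely to exercise the three buckets (the last row is 183 days).
SAMPLE = [
    PatchRecord("CVE-2013-1943", date(2013, 9, 1), date(2011, 5, 22)),
    PatchRecord("CVE-EXAMPLE-0001", date(2015, 3, 10), date(2015, 3, 10)),
    PatchRecord("CVE-EXAMPLE-0002", date(2015, 1, 1), date(2015, 7, 3)),
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for cve, d in report["delays"].items():
        print(f"{cve}: {d:+d} days ({classify(next(r for r in SAMPLE if r.cve_id == cve))})")
    print(f"slowest fix: {report['max_delay_cve']} at {report['max_delay_days']} days")
```

When feeding real data into this, take `cve_published` from the NVD entry and `fix_committed` from the upstream commit's author or commit date rather than from a distribution's advisory; mixing the two sources is what produces apparent negative delays like the CVE-2013-1943 case, and the script keeps those in their own bucket so they can be inspected instead of averaged away.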