* [RESEARCH] Patch delivery delay
@ 2015-09-14 8:58 Stefan Geißler
2015-09-14 15:13 ` Paolo Bonzini
0 siblings, 1 reply; 4+ messages in thread
From: Stefan Geißler @ 2015-09-14 8:58 UTC (permalink / raw)
To: kvm
Hello all,
I am currently analyzing the delay between vulnerability disclosure (CVE
release) and the release of a corresponding patch.
Firstly, i noticed that some vulnerabilities are patched before the CVE
was assigned. How is that possible? Was the vulnerability "accitendally"
fixed? (Example: According to NVD CVE-2013-1943 was fixed on 2011-05-22)
Second, does someone know why some vulnerabilities get a fix on CVE
release day while some only recieve a fix after weeks or even month?
(Maximum delay I observed is 183 days)
Regards,
Stefan
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [RESEARCH] Patch delivery delay
2015-09-14 8:58 [RESEARCH] Patch delivery delay Stefan Geißler
@ 2015-09-14 15:13 ` Paolo Bonzini
2015-09-14 18:59 ` Stefan Geißler
0 siblings, 1 reply; 4+ messages in thread
From: Paolo Bonzini @ 2015-09-14 15:13 UTC (permalink / raw)
To: Stefan Geißler, kvm
On 14/09/2015 10:58, Stefan Geißler wrote:
>
> I am currently analyzing the delay between vulnerability disclosure (CVE
> release) and the release of a corresponding patch.
>
> Firstly, i noticed that some vulnerabilities are patched before the CVE
> was assigned. How is that possible? Was the vulnerability "accitendally"
> fixed? (Example: According to NVD CVE-2013-1943 was fixed on 2011-05-22)
Yes, the vulnerability was not recognized as such. The CVE is then
typically assigned when a Linux distribution decides to backport the fix.
> Second, does someone know why some vulnerabilities get a fix on CVE
> release day while some only recieve a fix after weeks or even month?
> (Maximum delay I observed is 183 days)
There could be many reasons. For example the problem could be very
minor, the patches could have problems, or a second patch was needed
because the first fix was insufficient so. It's difficult to say
without seeing the CVE and patch for the 183-day record.
Paolo
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [RESEARCH] Patch delivery delay
2015-09-14 15:13 ` Paolo Bonzini
@ 2015-09-14 18:59 ` Stefan Geißler
2015-09-14 20:24 ` Paolo Bonzini
0 siblings, 1 reply; 4+ messages in thread
From: Stefan Geißler @ 2015-09-14 18:59 UTC (permalink / raw)
To: Paolo Bonzini, kvm
>> I am currently analyzing the delay between vulnerability disclosure (CVE
>> release) and the release of a corresponding patch.
>>
>> Firstly, i noticed that some vulnerabilities are patched before the CVE
>> was assigned. How is that possible? Was the vulnerability "accitendally"
>> fixed? (Example: According to NVD CVE-2013-1943 was fixed on 2011-05-22)
>
> Yes, the vulnerability was not recognized as such. The CVE is then
> typically assigned when a Linux distribution decides to backport the fix.
>
>> Second, does someone know why some vulnerabilities get a fix on CVE
>> release day while some only recieve a fix after weeks or even month?
>> (Maximum delay I observed is 183 days)
>
> There could be many reasons. For example the problem could be very
> minor, the patches could have problems, or a second patch was needed
> because the first fix was insufficient so. It's difficult to say
> without seeing the CVE and patch for the 183-day record.
The delay belongs to CVE-2013-4587. According to NVD the patch (a git
commit) was submitted on 2013-12-12 while the CVE number was assigned on
2013-06-12.
But since i have some cases in my dataset that show similar (~80% of
identified vulnerabilities are fixed within 100 days) behaviour i am
more interested in the general info you already provided.
Stefan
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [RESEARCH] Patch delivery delay
2015-09-14 18:59 ` Stefan Geißler
@ 2015-09-14 20:24 ` Paolo Bonzini
0 siblings, 0 replies; 4+ messages in thread
From: Paolo Bonzini @ 2015-09-14 20:24 UTC (permalink / raw)
To: Stefan Geißler, kvm
On 14/09/2015 20:59, Stefan Geißler wrote:
>>
>> There could be many reasons. For example the problem could be very
>> minor, the patches could have problems, or a second patch was needed
>> because the first fix was insufficient so. It's difficult to say
>> without seeing the CVE and patch for the 183-day record.
>
> The delay belongs to CVE-2013-4587. According to NVD the patch (a git
> commit) was submitted on 2013-12-12 while the CVE number was assigned on
> 2013-06-12.
>
> But since i have some cases in my dataset that show similar (~80% of
> identified vulnerabilities are fixed within 100 days) behaviour i am
> more interested in the general info you already provided.
Actually there is a fourth reason: the CVE was not made public, not even
to other organization than the discoverer, for a long time. My data is
that the CVE was assigned on 2013-06-12 but it was reported to the
maintainers only on 2013-11-15. It took 27 days from 2013-11-15 to the
release of the fix.
Until the date of the report, what happened within the organization is
effectively impossible to know. Most likely some kind of internal
process failure.
You can often go to a URL like
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4587 to see the
date that the CVE was reported, since Red Hat creates meta-bugs for CVEs
in their products. Other Linux distros probably have something similar.
Paolo
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-09-14 20:24 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-09-14 8:58 [RESEARCH] Patch delivery delay Stefan Geißler
2015-09-14 15:13 ` Paolo Bonzini
2015-09-14 18:59 ` Stefan Geißler
2015-09-14 20:24 ` Paolo Bonzini
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).