From: Paolo Bonzini
Subject: Re: [RESEARCH] Patch delivery delay
Date: Mon, 14 Sep 2015 22:24:31 +0200
Message-ID: <55F72CFF.8030305@redhat.com>
References: <55F68C3B.7000701@stefan-geissler.net> <55F6E426.8030407@redhat.com> <55F71924.2040209@stefan-geissler.net>
In-Reply-To: <55F71924.2040209@stefan-geissler.net>
To: Stefan Geißler, kvm@vger.kernel.org

On 14/09/2015 20:59, Stefan Geißler wrote:
>>
>> There could be many reasons. For example the problem could be very
>> minor, the patches could have problems, or a second patch was needed
>> because the first fix was insufficient so. It's difficult to say
>> without seeing the CVE and patch for the 183-day record.
>
> The delay belongs to CVE-2013-4587. According to NVD the patch (a git
> commit) was submitted on 2013-12-12 while the CVE number was assigned on
> 2013-06-12.
>
> But since I have some cases in my dataset that show similar (~80% of
> identified vulnerabilities are fixed within 100 days) behaviour I am
> more interested in the general info you already provided.

Actually there is a fourth reason: the CVE was not made public, not even
to organizations other than the discoverer, for a long time. My data is
that the CVE was assigned on 2013-06-12 but it was reported to the
maintainers only on 2013-11-15. It took 27 days from 2013-11-15 to the
release of the fix.

Until the date of the report, what happened within the organization is
effectively impossible to know. Most likely some kind of internal process
failure.

You can often go to a URL like
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4587 to see the date
that the CVE was reported, since Red Hat creates meta-bugs for CVEs in
their products. Other Linux distros probably have something similar.

Paolo