On 14/09/2015 10:58, Stefan Geißler wrote: > > I am currently analyzing the delay between vulnerability disclosure (CVE > release) and the release of a corresponding patch. > > Firstly, i noticed that some vulnerabilities are patched before the CVE > was assigned. How is that possible? Was the vulnerability "accitendally" > fixed? (Example: According to NVD CVE-2013-1943 was fixed on 2011-05-22) Yes, the vulnerability was not recognized as such. The CVE is then typically assigned when a Linux distribution decides to backport the fix. > Second, does someone know why some vulnerabilities get a fix on CVE > release day while some only recieve a fix after weeks or even month? > (Maximum delay I observed is 183 days) There could be many reasons. For example the problem could be very minor, the patches could have problems, or a second patch was needed because the first fix was insufficient so. It's difficult to say without seeing the CVE and patch for the 183-day record. Paolo -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
