
Re: [Xen-users] [RESEARCH] Security patch delivery delay



On Mon, 2015-09-14 at 11:06 +0200, Stefan Geißler wrote:
> Hello xen-users,
> 
> I am currently analyzing the delay between vulnerability disclosure (CVE 
> release) and the release of a corresponding patch.
> 
> First, I noticed that some vulnerabilities are patched before the CVE 
> was assigned. How is that possible? Was the vulnerability "accidentally" 
> fixed? (Example: According to NVD CVE-2011-2519 was fixed on 2008-02-05)

For this specific example 
http://www.openwall.com/lists/oss-security/2011/08/30/1 seems pretty clear
as to the reasons for this.

> Second, does someone know why some vulnerabilities get a fix on CVE 
> release day while some only receive a fix after weeks or even months? 
> (Maximum delay I observed is 241 days)

When the Xen Project (pre)discloses a vulnerability we ask Mitre for a CVE
at the same time. There have been instances where there have been long
delays in receiving a reply. There is no point in holding onto a fix (and
leaving users vulnerable) just waiting for a number to be assigned.

I suppose there are also instances where the security impact of a fix was
not recognised until later, in which case a CVE might be retroactively
assigned.

I don't think any of that is especially specific to the Xen Project, I
think the issue is simply that CVE release does not precisely correspond to
vulnerability disclosure for a variety of reasons.

Ian.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
