Re: [Xen-users] [RESEARCH] Security patch delivery delay
> On Mon, 2015-09-14 at 11:06 +0200, Stefan Geißler wrote:
> > Hello xen-users,
> >
> > I am currently analyzing the delay between vulnerability disclosure (CVE release) and the release of a corresponding patch.
> >
> > First, I noticed that some vulnerabilities are patched before the CVE was assigned. How is that possible? Was the vulnerability "accidentally" fixed? (Example: According to NVD, CVE-2011-2519 was fixed on 2008-02-05.)
>
> For this specific example http://www.openwall.com/lists/oss-security/2011/08/30/1 seems pretty clear as to the reasons for this.
>
> > Second, does someone know why some vulnerabilities get a fix on CVE release day while some only receive a fix after weeks or even months? (Maximum delay I observed is 241 days.)
>
> When the Xen Project (pre)discloses a vulnerability we ask Mitre for a CVE at the same time. There have been instances where there have been long delays in receiving a reply. There is no point in holding onto a fix (and leaving users vulnerable) just waiting for a number to be assigned.
>
> I suppose there are also instances where the security impact of a fix was not recognised until later, in which case a CVE might be retroactively assigned.
>
> I don't think any of that is especially specific to the Xen Project; I think the issue is simply that CVE release does not precisely correspond to vulnerability disclosure for a variety of reasons.

That explains why some delays are negative. But some vulnerabilities get patched/receive an advisory only some time AFTER the CVE release. In that case, the vulnerability is already public but a patch has not been publicly released yet. Is there a reason that some vulnerabilities get fixed faster than others (severity, impact type, complexity, ...)? And why are vulnerabilities publicly disclosed if no patch is available?

For example, CVE-2012-3497 was assigned on 2012-06-14. The advisory (XSA-15) was released on 2012-09-05. This results in a delay of 83 days between CVE assignment and advisory release.
Regards,
Stefan