
Re: Guidance for CVE triage and listing packages in dla-needed.txt



Hi Chris and Raphael

Raphael, I'll comment on your things in a separate email. This is to
correct/check the statistics.

It could very well be a counting error. That is why I wrote how I did it.
To check a little I checked out the list from 1st of January 2023.

ola@tigereye:~/git/security-tracker/data/CVE$ ./crunch.sh
YEAR  CVES  EOL   NA  NODSA  POST  IGN  FIX
2023     1    1    0      0     0    0    0
2022  1226  416  333    292    41   33  111
2021  1413  260  264    458    31  111  289
2020  1086    5  160    392    46   92  391
2019   841    0   66    273    13   81  408

Compare this to this year

YEAR  CVES  EOL   NA  NODSA  POST  IGN  FIX
2023  1260  382  410    281    71   58   58
2022  1328  473  395    209    49   76  126
2021  1521  284  424    329    24   93  367
2020   974    5   80    294    38   55  402
2019   765    0   71    199    11   75  409

You can see that in 1 year and 3 months we have fixed
2023: 58
2022: 15
2021: 78
2020: 11
2019: 1

Total (not counting CVEs for 2018 and earlier) 162.

It is still a low number.

And I think I found the counting mishap. :-)

When a CVE is fixed, the buster tag is removed. :-D

So what did this show? It was the number of packages for which a CVE
was already fixed with the version we had in buster.

New statistics here:
ola@tigereye:~/git/security-tracker/data/CVE$ ./crunch.sh
YEAR  CVES  CORR  EOL   NA  NODSA  POST  IGN  FIX
2023  1507   247  382  410    281    71   58   58
2022  1734   406  473  395    209    49   76  126
2021  2005   484  284  424    329    24   93  367
2020  1595   621    5  180    294    38   55  402
2019  1324   559    0   71    199    11   75  409

ola@tigereye:~/git/security-tracker/data/CVE$ ./crunch.sh
YEAR  CVES  CORR  EOL   NA  NODSA  POST  IGN  FIX
2023     2     1    1    0      0     0    0    0
2022  1489   263  416  333    292    41   33  111
2021  1774   361  260  264    458    31  111  289
2020  1617   531    5  160    392    46   92  391
2019  1352   511    0   66    273    13   81  408

So how many did we in fact fix?

559+621+484+406+247-1-263-361-531-511=650

That is a much larger number. Phew. I should have checked it myself
because I also found it a little strange.

The total number of buster CVEs was 8165.

We still have 281+209+329+294+199=1312 no-dsa and 71+49+24+38+11=193 postponed.

We clearly do not fix all no-dsa in any case.

// Ola


On Wed, 10 Apr 2024 at 13:06, Chris Lamb <lamby@debian.org> wrote:
>
> Raphael Hertzog wrote:
>
> > Those numbers are quite surprising. I hope there's some error somewhere
> > otherwise I wonder what has been done in the 2400+ hours paid each year to
> > work on LTS... I'm pretty sure we have fixed more than 58 CVE. The average
> > month has 20 to 30 updates (see
> > https://lists.debian.org/debian-lts-announce/2024/03/threads.html for
> > example).
>
> Mmm, I highly suspect some counting mishap here. A quick, dirty (and
> likely inexact) grep across my last 12 LTS reports indicates I alone
> have addressed over 40.
>
>
> Regards,
>
> --
>       ,''`.
>      : :'  :     Chris Lamb
>      `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
>        `-
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
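An added example, not Ola's crunch.sh (which is not shown in the thread): a small Python parser over a constructed snippet written in the layout of the security-tracker's data/CVE/list (a "CVE-YYYY-NNNN" header followed by tab-indented package lines, with the release state on "[buster] - pkg ..." lines). It tallies per-year buster states the way the tables above do, and, following the counting correction in the mail, counts a CVE as fixed when its [buster] annotation is present in an older snapshot and gone in a newer one, rather than when a buster version is listed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the security-tracker's data/CVE/list:
# an unindented "CVE-YYYY-NNNN (description)" header, then tab-indented
# package lines; the buster state lives on "[buster] - pkg ..." lines.
SNAPSHOT_JAN = """\
CVE-2022-0001 (constructed: already fixed by the version shipped in buster)
\t[buster] - foo 1.1-2
CVE-2022-0002 (constructed: open in buster, marked no-dsa)
\t- bar 2.0-1
\t[buster] - bar <no-dsa> (Minor issue)
CVE-2021-0003 (constructed: postponed in buster)
\t[buster] - baz <postponed> (Minor issue)
CVE-2021-0004 (constructed: buster not affected)
\t[buster] - qux <not-affected> (Vulnerable code not present)
"""
# Same list later: CVE-2022-0002 was fixed by a DLA, so its [buster] line is gone.
SNAPSHOT_NOW = SNAPSHOT_JAN.replace("\t[buster] - bar <no-dsa> (Minor issue)\n", "")

HEADER = re.compile(r"^CVE-(\d{4})-\d+")
RELEASE = re.compile(r"^\t\[([a-z]+)\] - \S+ (?:<([a-z-]+)>|\S+)")

def release_states(text, release="buster"):
    """{cve: (year, state)}; state is the <tag>, "fixed-version" for a plain
    version, or None when the CVE has no line for that release at all."""
    states, cve = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cve = line.split()[0]
            states[cve] = (int(m.group(1)), None)
        elif cve and (m := RELEASE.match(line)) and m.group(1) == release:
            states[cve] = (states[cve][0], m.group(2) or "fixed-version")
    return states

def per_year_counts(text, release="buster"):
    """Per year: Counter of release states, None counted as "untagged"."""
    counts = defaultdict(Counter)
    for year, state in release_states(text, release).values():
        counts[year][state or "untagged"] += 1
    return counts

def fixed_between(old_text, new_text, release="buster"):
    """Per year: CVEs that were no-dsa/postponed in the old snapshot and lost
    their release line in the new one, i.e. were fixed by a released update."""
    old, new = release_states(old_text, release), release_states(new_text, release)
    fixed = Counter()
    for cve, (year, state) in old.items():
        if state in ("no-dsa", "postponed") and cve in new and new[cve][1] is None:
            fixed[year] += 1
    return fixed
```

The "fixed-version" bucket is what a count of buster lines carrying a version picks up (CVEs already fixed by the version in buster), while fixed_between counts the annotations that disappeared between the two snapshots.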

