Re: DSA 438 - bad server time, bad kernel version or information delayed?

[Florian Weimer <fw@deneb.enyo.de>]

Jean Christophe ANDRÉ wrote:

> I can see on http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0077
> that this is still a candidate, but assigned since 2004.01.19, so this is
> probably ok...

Candidate name assignment can occur in blocks.  It's not necessary that
a name is associated with a particular vulnerability on the day it was
assigned.  Therefore, the assignment date is not a reliable indicator
for the date the vulnerability was discovered or disclosed to vendors.

> But, it would be better if this "for security reasons" delay had been
> made clear into the announcement, IMHO.

Yes, disclosure timelines are interesting, sometimes downright shocking
(look at a few timelines from iDefense).