
Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?



>
> To have an example, you'd need specifics. This is a hypothetical without
> a question. If the implicit question is "could this happen" the answer
> is yes, but you'd need to discuss a specific case to find out why.
>
> Mike Stone

As you asked me for a specific case, may I bring up CVE-2016-5696.

A fix to the medium-risk vulnerability was uploaded on July 10, 2016 by
Eric Dumazet (cf.
https://github.com/torvalds/linux/commit/75ff39ccc1bd5d3c455b6822ab09e533c551f758)

Ben Hutchings uploaded his work on the fix on August 12, 2016 (cf.
https://anonscm.debian.org/cgit/kernel/linux.git/log/?h=jessie-security)

Debian officially pushed out the fix on September 4, 2016 via DSA-3659-1.

Are there reasons for the 23-day delay in providing end-users the patch?

To the best of my knowledge, Ubuntu advised its end-users on how to fix
the vulnerability way before Debian did.
