> To have an example, you'd need specifics. This is a hypothetical without
> a question. If the implicit question is "could this happen" the answer
> is yes, but you'd need to discuss a specific case to find out why.
> Mike Stone
As you asked me for a specific case, may I bring up CVE-2016-5696?
A fix for the medium-risk vulnerability was uploaded on July 10, 2016 by
Eric Dumazet (cf.
Ben Hutchings uploaded his work on the fix on August 12, 2016 (cf.
Debian officially pushed out the fix on September 4, 2016 via DSA-3659-1.
Are there reasons for the 23-day delay in providing end-users the patch?
To the best of my knowledge, Ubuntu advised its end-users on how to fix
the vulnerability way before Debian did.