On Thu, Oct 13, 2016 at 02:45:29PM -0000, te3...@sigaint.org wrote:
As you asked me for a specific case, may I bring up CVE-2016-5696.

A fix to the medium-risk vulnerability was uploaded on July 10, 2016 by
Eric Dumazet (cf.
https://github.com/torvalds/linux/commit/75ff39ccc1bd5d3c455b6822ab09e533c551f758)

Ben Hutchings uploaded his work on the fix on August 12, 2016 (cf.
https://anonscm.debian.org/cgit/kernel/linux.git/log/?h=jessie-security)

Debian officially pushed out the fix on September 4, 2016 via DSA-3659-1.

Are there reasons for the 23-day delay in providing end-users the patch?

I don't know the specifics of this one but kernel updates are generally kind of a mess and in this case we're talking about an issue that basically boils down to a DoS for internet-facing hosts and for which there existed a mitigation. I'm personally not too concerned about the timeline.
Mike Stone

Reply via email to