On Thu, Oct 13, 2016 at 02:45:29PM -0000, te3...@sigaint.org wrote:
As you asked me for a specific case, may I bring up CVE-2016-5696.

A fix to the medium-risk vulnerability was uploaded on July 10, 2016 by
Eric Dumazet (cf.

Ben Hutchings uploaded his work on the fix on August 12, 2016 (cf.

Debian officially pushed out the fix on September 4, 2016 via DSA-3659-1.

Are there reasons for the 23-day delay in providing end-users the patch?

I don't know the specifics of this one but kernel updates are generally kind of a mess and in this case we're talking about an issue that basically boils down to a DoS for internet-facing hosts and for which there existed a mitigation. I'm personally not too concerned about the timeline.
Mike Stone

Reply via email to