* Michael Stone:
> On Thu, Oct 13, 2016 at 02:45:29PM -0000, te3...@sigaint.org wrote:
>>As you asked me for a specific case, may I bring up CVE-2016-5696.
>>A fix to the medium-risk vulnerability was uploaded on July 10, 2016 by
>>Eric Dumazet (cf.
>>Ben Hutchings uploaded his work on the fix on August 12, 2016 (cf.
>>Debian officially pushed out the fix on September 4, 2016 via DSA-3659-1.
>>Are there reasons for the 23-day delay in providing end-users the patch?
> I don't know the specifics of this one but kernel updates are
> generally kind of a mess and in this case we're talking about an issue
> that basically boils down to a DoS for internet-facing hosts and for
> which there existed a mitigation. I'm personally not too concerned
> about the timeline.
Right. Debian kernel updates can only be applied with a reboot. If
we publish a kernel update, its mere availability may put some of our
users out of compliance with their policies, which is why we batch