Hi Nils,

Ubuntu's security team does not use upstream assessments of severity when assigning priorities. Our criteria are enumerated at http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/README#L191 .

Upstream estimates of severity are usually focused strictly on the service at hand, while we need to prioritize our work across more than ten thousand sources. This doesn't mean upstream severities are wrong, but we must have some way to prioritize our work that's consistent.

The CVE tracker does indeed trigger the process of issuing security updates. You can see this process at https://usn.ubuntu.com/usn/ , where we have issued 290 USNs so far this year. Less visible are the sponsored updates to universe packages in collaboration with the community, which do not get USNs.

We do not have service level agreements for security updates. Even if such a thing were feasible for our team, we believe this would be counter-productive to overall security, as many upstreams issue regression fixes after security fixes get wider coverage.

Seven months for an issue with an upstream-provided patch is indeed too long. We have recently hired a new team member; while his duties are primarily providing extended support for 12.04 LTS to Ubuntu Advantage customers, he will also perform additional updates and generalist duties as time allows.

In addition, while it doesn't happen often, we are happy to sponsor updates for packages in main. It would probably be best to check in with us before beginning work on a sponsored update to ensure (a) we'd be interested in the approach and (b) that it wouldn't be duplicating work. For more information see https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures . This may help bring a specific update to our users more quickly.

Thanks

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1706900

Title: CVE-2016-9877 RabbitMQ authentication vulnerability