As I said yesterday, I wanted to prepare an answer to the question "How much time does it take for Debian to fix a given bug?". I have done some analysis of the vulnerabilities detected and posted to Bugtraq and of those sent out as DSAs. It has taken somewhat more time than expected, since the DSAs do not link directly to either Bugtraq's database or CVE (Security Team: please see below). But the answer is:
"For the last year it has taken Debian an average of 35 days to fix security-related vulnerabilities. However, over 50% of the vulnerabilities were fixed within a 10-day time frame, and over 15% of them were fixed the same day the advisory was released!"

So I would like to publicly give a warm round of applause to the Debian Security Team, which is doing an excellent job!

I attach some data:

- a Gnumeric spreadsheet with all the information
- a PNG graphic with this year's distribution of time-to-fix (in days), made with gnuplot from the previous data

A note for the Security Team: please add new tags to the DSAs' data, <define-tag bid> and <define-tag cve>, which would make it easier to a) do this kind of analysis and b) track down information regarding vulnerabilities. Many tools (like Nessus, for example) link to Bugtraq, so it is easier for users to have a common reference. For example: Nessus says I have vuln XXX, but I have installed the patch advised in the DSA which fixes it, so I'm OK.

I will try to take some time to do the same for other OSes and pull out a comparison (which might or might not make the results look even better); the problem, however, is that these things are difficult to automate (I will try, though).

Best regards

Javi

PS: Of course, I have not investigated which reported vulnerabilities are still open (are there any?), i.e. for which no DSA has been sent yet.
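The analysis described in the message above, as an added example (this is not the poster's spreadsheet or any Debian tooling): a script that reads DSA data written in the wml <define-tag> style, takes the Bugtraq ID from the <define-tag bid> tag the message proposes, cross-references it with the date the issue was posted to Bugtraq, and computes the time-to-fix distribution (mean, median, share fixed within 10 days, share fixed the same day) plus the list of Bugtraq IDs no DSA references yet. The DSA records, the Bugtraq date table, the tag names bid, cve, pagetitle and report_date, and the assumption that report_date is the advisory release date are all constructed for this example.

```python
import re
from datetime import date
from statistics import mean, median

# Constructed DSA data in the wml define-tag style of the DSA pages.
# report_date is assumed here to be the advisory release date; the bid/cve
# tags are the ones the message proposes, not tags the real data carries.
DSA_DATA = """\
<define-tag pagetitle>DSA-901-1 pkg-a</define-tag>
<define-tag report_date>2002-03-04</define-tag>
<define-tag bid>4101</define-tag>
<define-tag cve>CAN-2002-0101</define-tag>

<define-tag pagetitle>DSA-902-1 pkg-b</define-tag>
<define-tag report_date>2002-03-20</define-tag>
<define-tag bid>4102</define-tag>
<define-tag cve>CAN-2002-0102</define-tag>

<define-tag pagetitle>DSA-903-1 pkg-c</define-tag>
<define-tag report_date>2002-05-15</define-tag>
<define-tag bid>4103</define-tag>

<define-tag pagetitle>DSA-904-1 pkg-d</define-tag>
<define-tag report_date>2002-06-01</define-tag>
<define-tag cve>CAN-2002-0104</define-tag>
"""

# Constructed Bugtraq table: BID -> date the issue was posted to Bugtraq.
BUGTRAQ_DATES = {
    "4101": date(2002, 3, 4),    # advisory released the same day
    "4102": date(2002, 3, 12),   # advisory released 8 days later
    "4103": date(2002, 2, 1),    # advisory released 103 days later
    "4104": date(2002, 5, 20),   # no DSA references it: still open
}

TAG_RE = re.compile(r"<define-tag (\w+)>(.*?)</define-tag>", re.DOTALL)


def parse_dsas(text):
    """Split blank-line separated wml records into dicts of tag -> value."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        tags = {name: value.strip() for name, value in TAG_RE.findall(chunk)}
        if tags:
            records.append(tags)
    return records


def time_to_fix(records, bugtraq_dates):
    """Return ([(dsa title, days from Bugtraq post to DSA)], titles without
    a usable bid, Bugtraq IDs that no DSA references)."""
    fixes, unmatched = [], []
    referenced = set()
    for rec in records:
        bid = rec.get("bid")
        if bid is None or bid not in bugtraq_dates:
            unmatched.append(rec.get("pagetitle", "?"))
            continue
        referenced.add(bid)
        released = date.fromisoformat(rec["report_date"])
        fixes.append((rec["pagetitle"], (released - bugtraq_dates[bid]).days))
    still_open = sorted(set(bugtraq_dates) - referenced)
    return fixes, unmatched, still_open


def summarize(fixes, window=10):
    """Mean, median, share fixed within `window` days, share fixed the same
    day, and a days -> count histogram (the data behind a gnuplot plot)."""
    days = [d for _, d in fixes]
    hist = {}
    for d in days:
        hist[d] = hist.get(d, 0) + 1
    return {
        "count": len(days),
        "mean_days": mean(days),
        "median_days": median(days),
        "within_window": sum(d <= window for d in days) / len(days),
        "same_day": sum(d == 0 for d in days) / len(days),
        "histogram": dict(sorted(hist.items())),
    }


if __name__ == "__main__":
    fixes, unmatched, still_open = time_to_fix(parse_dsas(DSA_DATA), BUGTRAQ_DATES)
    s = summarize(fixes)
    print(f"{s['count']} DSAs matched; mean {s['mean_days']:.1f} days, "
          f"median {s['median_days']} days")
    print(f"{s['within_window']:.0%} fixed within 10 days, "
          f"{s['same_day']:.0%} the same day")
    print("days -> count:", s["histogram"])
    print("DSAs without a usable bid tag:", unmatched)
    print("Bugtraq IDs with no DSA yet:", still_open)
```

Records with no bid tag end up in the unmatched list rather than silently skewing the average, which is exactly the gap the proposed tags would close; the still_open list answers the question in the PS for whatever Bugtraq IDs are in the table.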