>
> To have an example, you'd need specifics. This is a hypothetical without
> a question. If the implicit question is "could this happen" the answer
> is yes, but you'd need to discuss a specific case to find out why.
>
> Mike Stone

As you asked me for a specific case, may I bring up CVE-2016-5696.

A fix to the medium-risk vulnerability was uploaded on July 10, 2016 by Eric Dumazet (cf. https://github.com/torvalds/linux/commit/75ff39ccc1bd5d3c455b6822ab09e533c551f758).

Ben Hutchings uploaded his work on the fix on August 12, 2016 (cf. https://anonscm.debian.org/cgit/kernel/linux.git/log/?h=jessie-security).

Debian officially pushed out the fix on September 4, 2016 via DSA-3659-1.

Are there reasons for the 23-day delay in providing end-users the patch? To the best of my knowledge, Ubuntu advised its end-users on how to fix the vulnerability way before Debian did.