* Michael Stone:

> On Thu, Oct 13, 2016 at 02:45:29PM -0000, te3...@sigaint.org wrote:
>> As you asked me for a specific case, may I bring up CVE-2016-5696.
>>
>> A fix to the medium-risk vulnerability was uploaded on July 10, 2016 by
>> Eric Dumazet (cf.
>> https://github.com/torvalds/linux/commit/75ff39ccc1bd5d3c455b6822ab09e533c551f758)
>>
>> Ben Hutchings uploaded his work on the fix on August 12, 2016 (cf.
>> https://anonscm.debian.org/cgit/kernel/linux.git/log/?h=jessie-security)
>>
>> Debian officially pushed out the fix on September 4, 2016 via DSA-3659-1.
>>
>> Are there reasons for the 23-day delay in providing end-users the patch?
>
> I don't know the specifics of this one but kernel updates are
> generally kind of a mess and in this case we're talking about an issue
> that basically boils down to a DoS for internet-facing hosts and for
> which there existed a mitigation. I'm personally not too concerned
> about the timeline.
Right. Debian kernel updates can only be applied with a reboot. If we publish a kernel update, its mere availability may put some of our users out of compliance with their policies, which is why we batch these updates.