Litcius/Paper detail

Understanding the Practice of Security Patch Management across Multiple Branches in OSS Projects

Xin Tan, Yuan Zhang, Jiajun Cao, Kun Sun, Mi Zhang, Min Yang

2022Proceedings of the ACM Web Conference 202214 citationsDOI

Abstract

Since the users of open source software (OSS) projects may not use the latest version all the time, OSS development teams often support code maintenance for old versions through maintaining multiple stable branches. Typically, the developers create a stable branch for each old stable version, deploy security patches on the branch, and release fixed versions at regular intervals. As such, old-version applications in production environments are protected from the disclosed vulnerabilities in a long time. However, the rapidly growing number of OSS vulnerabilities has greatly strained this patch deployment model, and a critical need has arisen for the security community to understand the practice of security patch management across stable branches. In this work, we conduct a large-scale empirical study of stable branches in OSS projects and the security patches deployed on them via investigating 608 stable branches belonging to 26 popular OSS projects as well as more than 2,000 security fixes for 806 CVEs deployed on stable branches.

Topics & Concepts

Software deploymentComputer securityComputer scienceSoftware security assuranceWork (physics)Scale (ratio)Security managementApplication securitySoftwareBusinessSoftware engineeringInformation securityEngineeringSecurity serviceOperating systemGeographyMechanical engineeringCartographySoftware Engineering ResearchAdvanced Malware Detection TechniquesWeb Application Security Vulnerabilities