Post AlOVLgJMh4GIEPKFbU by kurtseifried@infosec.exchange
Post #AlOVLgJMh4GIEPKFbU by kurtseifried@infosec.exchange
2024-08-27T05:13:29Z
0 likes, 0 repeats
So far this year the Linux Kernel has done 3000 CVEs even. This means we can expect roughly 4500 for this year in total. But I have good news: they only started in Feb so we can expect another 10-15% on top of that for 2025, so with any luck that'll be about 5000. In other words 12.5% or so of TOTAL CVE activity. So when @gregkh says run current, you need to listen. You can spend several thousand hours a year trying to triage Linux Kernel vulns, or you can invest that effort into automation (updates, builds, testing, etc.) and stay current and answer "did you fix CVE foo" with either a "yes" or a "that will go out in the next update at future time X".
Post #AlOVLh6ziXxciKXsxc by gregkh@social.kernel.org
2024-08-27T07:26:54.050053Z
0 likes, 0 repeats
@kurtseifried Note, 3000 includes the "old" things we are backfilling from the GSD database, not just the ones that have shown up this year since we started in February. So while 3000 sounds big, if you are using a modern kernel (i.e. something from this year), it's only 1500+ issues to be assigned so far. Sorry to nit-pick, just wanted to be specific as 3000 in 6 months originally seemed like a lot to me before I went back and looked at these numbers. Also, for those who want to play along on their own, just clone our vulns.git repo at git.kernel.org and look at the information directly there yourself, it's all being reviewed and assigned in the open, unlike other projects...
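An added example, not part of either post above: the "answer 'did you fix CVE foo' with a yes or no" step from the first post, done against the records gregkh points at. It assumes a local clone of vulns.git with one CVE JSON 5 record per CVE under cve/published/<year>/, and that each record's "affected" block carries semver-style ranges per stable branch (the shape of the published records as I know them, but an assumption here). The sample record embedded below is constructed; every ID, commit hash and version number in it is made up.

```python
"""Decide whether a running kernel is affected by a kernel CVE record.

Added example, not code from the thread or from kernel.org.  Assumptions:
vulns.git publishes one CVE JSON 5 record per CVE under cve/published/<year>/,
and each record's "affected" block carries semver-style ranges ("version" is
inclusive, "lessThan" is exclusive, "X.Y.*" means the rest of that stable
branch, "*" means no upper bound).  SAMPLE_RECORD is constructed: its CVE ID,
commit hashes and version numbers are made up.
"""
import glob
import json
import os
from typing import Iterator

SAMPLE_RECORD = json.loads("""
{
  "cveMetadata": {"cveId": "CVE-0000-00000", "state": "PUBLISHED"},
  "containers": {"cna": {
    "title": "constructed example: use-after-free in some driver",
    "affected": [
      {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected",
       "versions": [
         {"version": "1111111111111111111111111111111111111111",
          "lessThan": "2222222222222222222222222222222222222222",
          "status": "affected", "versionType": "git"}
       ]},
      {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected",
       "versions": [
         {"version": "5.15.160", "lessThan": "5.15.*", "status": "unaffected", "versionType": "semver"},
         {"version": "6.1.95",   "lessThan": "6.1.*",  "status": "unaffected", "versionType": "semver"},
         {"version": "6.6.35",   "lessThan": "6.6.*",  "status": "unaffected", "versionType": "semver"},
         {"version": "6.9.6",    "lessThan": "6.9.*",  "status": "unaffected", "versionType": "semver"},
         {"version": "6.10",     "lessThan": "*",      "status": "unaffected", "versionType": "original_commit_for_fix"}
       ]}
    ]
  }}
}
""")


def parse_version(text: str) -> tuple:
    """'6.6.35-generic' -> (6, 6, 35).  A distro suffix after '-' is dropped."""
    base = text.split("-", 1)[0]
    return tuple(int(part) for part in base.split("."))


def in_range(v: tuple, lo: str, hi: str) -> bool:
    """True if lo <= v < hi, with hi = '*' (unbounded) or 'X.Y.*' (same branch)."""
    if v < parse_version(lo):
        return False
    if hi == "*":
        return True
    if hi.endswith(".*"):
        prefix = parse_version(hi[:-2])
        return v[: len(prefix)] == prefix
    return v < parse_version(hi)


def is_affected(record: dict, kernel: str) -> bool:
    """Apply the record's version ranges to one kernel version string.

    Assumption: the first matching range wins; if no range matches, the
    entry's defaultStatus applies.  Git-hash ranges are skipped because a
    version string cannot be compared with a commit.
    """
    v = parse_version(kernel)
    for entry in record["containers"]["cna"]["affected"]:
        ranges = [r for r in entry.get("versions", []) if r.get("versionType") != "git"]
        if not ranges:
            continue
        for r in ranges:
            if in_range(v, r["version"], r.get("lessThan", "*")):
                return r["status"] == "affected"
        return entry.get("defaultStatus") == "affected"
    raise ValueError("record carries no version-number ranges")


def scan_checkout(repo: str, kernel: str) -> Iterator[str]:
    """Yield IDs of published records that still affect `kernel`, read from a
    local clone of vulns.git (assumed layout: cve/published/<year>/*.json)."""
    pattern = os.path.join(repo, "cve", "published", "*", "*.json")
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            record = json.load(fh)
        try:
            if is_affected(record, kernel):
                yield record["cveMetadata"]["cveId"]
        except (KeyError, ValueError):
            continue  # record without usable ranges; triage it by hand


if __name__ == "__main__":
    for k in ("6.6.34", "6.6.35-generic", "5.10.200", "6.11.1"):
        print(k, "affected" if is_affected(SAMPLE_RECORD, k) else "not affected")
```

Run `python3 thisfile.py` for the constructed record, or call `scan_checkout("/path/to/vulns", "6.6.35")` against a real clone to list what a given stable kernel still lacks. The point to notice is the branch-wildcard: "5.15.160 < 5.15.*" says nothing about 5.10 or 6.1, so a kernel on a branch with no range at all falls through to defaultStatus and is reported as affected, which is exactly the "run current or do your own homework" situation the thread describes.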
Post #AlOVLhuyihwXDLvns0 by kurtseifried@infosec.exchange
2024-08-27T13:23:26Z
0 likes, 0 repeats
@gregkh actually 3000 is not a lot. I'm looking at the data and there's some interesting trends with other CNAs. There's also two CVE ecosystems now: the open source and the closed source. Most people are used to dealing with the closed source, which involves applying patches made available by the vendors of products that they have deployed. But now they're having to deal with the open source, and they have to do their own homework as it were, figuring out if they use this source in anything (they likely have because of dependency chains), and remediating it on their own.
Post #AlOVLiPStMKUjuC9OC by gregkh@social.kernel.org
2024-08-27T13:53:55.469198Z
0 likes, 0 repeats
@kurtseifried That's a really good point, the "open source" ecosystem being a CNA is very new, I don't think this was even possible until less than a year ago when Python blazed that trail. And it's nice to see we aren't alone here with "big numbers", it's going to be an interesting thing to watch shake out as "take responsibility" rules/laws come into being in different locations. I agree with you in that the quantity is just going to get larger over time.
Post #AlOVLigpqmDxbmK1Sq by kurtseifried@infosec.exchange
2024-08-27T13:43:00Z
0 likes, 0 repeats
@gregkh