Post Ay5P4EX8MPoFEfDlTM by jacques@mastodon.chester.id.au
 Post #Ay5P4DQ0VQVxmGsYj2 by bagder@mastodon.social
       2025-09-08T10:01:09Z
       
       1 likes, 0 repeats
       
       The other day @gregkh and I shot down a draft proposal to add a new role in the CVE ecosystem (SADP: "supplier ADP") that would append data to CVEs with details about dependencies and how they are or are not vulnerable to each particular CVE. Imagine the amount of dependencies that use curl or the Linux kernel etc. These sweet innocent proposal makers thought in terms of 5-10 dependencies per CVE. Not tens or hundreds of thousands, which is far from unthinkable.
       
 Post #Ay5P4EX8MPoFEfDlTM by jacques@mastodon.chester.id.au
       2025-09-08T13:49:39Z
       
       0 likes, 0 repeats
       
       @bagder @gregkh isn’t this what VEX is meant for?
       
 Post #Ay5P4Fh62rNApqtEdk by bagder@mastodon.social
       2025-09-08T13:51:57Z
       
       0 likes, 0 repeats
       
       @jacques @gregkh possibly sure, but that's not info inserted into the CVE records like this proposal does.
       
 Post #Ay5P4GLrbHyysHxnBQ by jacques@mastodon.chester.id.au
       2025-09-08T13:59:13Z
       
       0 likes, 0 repeats
       
       @bagder @gregkh got it. Sounds like someone is trying to create the Universal Asset Graph by accident rather than on purpose. (Relevant self-post: https://theoryof.predictable.software/articles/some-requirements-for-a-universal-asset-graph/ )
       
 Post #Ay5P4H0HB2JCtcs4Aq by msw@mstdn.social
       2025-09-09T17:37:31Z
       
       0 likes, 0 repeats
       
       @jacques @bagder @gregkh btw… how is it going, making the Universal Asset Graph on purpose?
       
 Post #Ay5P4HlQLk1TFqvifA by jacques@mastodon.chester.id.au
       2025-09-09T18:02:22Z
       
       0 likes, 0 repeats
       
       @msw @bagder @gregkh I haven't seen anything that fits the criteria, but there are partial things like Mercator, GUAC (the DB) and osv.dev (the data). In fairness I've been out of this space for quite a while.
       
 Post #Ay5P4IHKR7XkqnrCOO by msw@mstdn.social
       2025-09-10T17:49:19Z
       
       0 likes, 0 repeats
       
       @jacques @bagder @gregkh I'd really love to have some public database that would help us all collectively make more efficient resource allocation decisions. Let's take CVE-2025-38352 for example. CISA added it to the KEV because Google said that there is evidence of exploitation in the context of Android. If you use CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y the fix is not needed. Linux distros aren't affected but release "fixes" anyway. https://forums.rockylinux.org/t/rocky-8-10-cve-2025-38352/19590/3 #PatchAllTheThings! #InfoSec
       
 Post #Ay5P4J0hiPq77X5R7Q by gregkh@social.kernel.org
       2025-09-11T05:01:47.291745Z
       
       1 likes, 0 repeats
       
       @msw @jacques @bagder I have no problem adding additional data like "This config option means you will not be vulnerable" to our records today, if people want to submit that information to us.  We take patches and additions to the kernel cve.org records on a weekly basis from vendors that work to narrow down affected kernel ranges and add additional references. So we could do what you want today, no changes to anything that cve.org does right now would be needed, just send us a patch!  But that was not what was being proposed at all, unfortunately.
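The two posts above (msw's point that a kernel config option can make a CVE's fix unnecessary, and gregkh's note that such "this config option means you will not be vulnerable" data can be recorded) describe exactly the kind of machine-readable exploitability statement VEX is for. Below is an added example, written for this page and not code from any participant in the thread or from cve.org: it parses a kernel `.config`, applies a rule table, and emits an OpenVEX-shaped "not_affected" / "affected" verdict. The rule for CVE-2025-38352 simply restates msw's claim about CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y as an assumption; the sample `.config` text, the product identifier and the author/ID fields are constructed placeholders.

```python
"""Derive a VEX-style verdict for a kernel CVE from the kernel build config.

Added example for this page; not code from the thread or from cve.org.
The single rule below assumes, as msw states in the thread, that
CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y means the CVE-2025-38352 fix is not
needed. Everything else (sample config, product id, author) is made up.
"""
import json
import re
from datetime import datetime, timezone

# Constructed rule table: CVE -> (gating symbol, value that takes the vulnerable
# code out of the execute path, OpenVEX justification to report).
RULES = {
    "CVE-2025-38352": ("CONFIG_POSIX_CPU_TIMERS_TASK_WORK", "y",
                       "vulnerable_code_not_in_execute_path"),
}

# Constructed excerpt of a kernel .config. On a real host read
# /boot/config-$(uname -r) or `zcat /proc/config.gz` instead.
# Unset symbols appear as "# CONFIG_FOO is not set".
SAMPLE_CONFIG = """\
CONFIG_POSIX_TIMERS=y
CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y
# CONFIG_NO_HZ_FULL is not set
CONFIG_LOCALVERSION="-example"
"""

CONFIG_LINE = re.compile(r"^(CONFIG_\w+)=(.*)$")
NOT_SET_LINE = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Return {symbol: value}; symbols marked 'is not set' map to 'n'."""
    symbols = {}
    for line in text.splitlines():
        line = line.strip()
        m = CONFIG_LINE.match(line)
        if m:
            symbols[m.group(1)] = m.group(2).strip('"')
            continue
        m = NOT_SET_LINE.match(line)
        if m:
            symbols[m.group(1)] = "n"
    return symbols


def assess(cve, symbols):
    """Return (status, justification) using OpenVEX status names.

    'not_affected' only when the rule's gating symbol has the safe value;
    'affected' when the symbol is absent or has any other value (absent means
    compiled without it, so we must not assume the mitigation is in place);
    'under_investigation' when no rule exists, because a safety claim always
    needs a documented reason.
    """
    if cve not in RULES:
        return "under_investigation", None
    symbol, safe_value, justification = RULES[cve]
    if symbols.get(symbol, "n") == safe_value:
        return "not_affected", justification
    return "affected", None


def vex_document(cve, symbols, product="pkg:generic/linux-kernel@example"):
    """Build an OpenVEX-shaped document that carries the verdict and evidence.

    The product purl, @id and author are placeholders for this example.
    """
    status, justification = assess(cve, symbols)
    statement = {
        "vulnerability": {"name": cve},
        "products": [{"@id": product}],
        "status": status,
    }
    if justification:
        symbol = RULES[cve][0]
        statement["justification"] = justification
        statement["impact_statement"] = (
            f"{symbol}={symbols[symbol]} keeps the vulnerable code path out of "
            "execution (claim taken from the thread, not verified here)")
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": f"https://example.invalid/vex/{cve}",
        "author": "example-kernel-team",
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": [statement],
    }


if __name__ == "__main__":
    print(json.dumps(vex_document("CVE-2025-38352",
                                  parse_kconfig(SAMPLE_CONFIG)), indent=2))
```

The design point is the asymmetry in `assess`: a missing symbol or a missing rule never yields "not_affected". That is the property a distro or a CNA would want before appending "this config option means you are not vulnerable" to a record, since an over-broad not_affected claim is the one that gets someone exploited.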