oss-sec mailing list archives
Re: Re: CVEs issued by the Linux kernel CNA
From: Greg KH <greg () kroah com>
Date: Thu, 2 May 2024 11:13:56 +0200
On Wed, May 01, 2024 at 01:27:06PM -0700, Alan Coopersmith wrote:
> On 2/20/24 15:30, Alan Coopersmith wrote:
>> As recently announced [1], kernel.org is now a CNA for the Linux kernel,
>> and today issued its first 8 CVEs, as seen in the archives of their
>> mailing list at https://lore.kernel.org/linux-cve-announce/ .
>>
>> Their documentation [2] warns that we should expect a "seemingly large
>> number of CVEs that are issued by the Linux kernel team".
>
> Quantifying this a bit more now - Greg K-H provided some stats so far in:
> https://social.kernel.org/notice/AhSCMVs4RofbnTftGS
> which says:
>
>   Year    Reserved  Assigned  Rejected  Total
>   2019:         47         2         1     50
>   2020:         37        13         0     50
>   2021:         39       304         7    350
>   2022:          7        43         0     50
>   2023:         60       180        10    250
>   2024:        107       435         8    550
>   Total:       297       977        26   1300
>
>   Anything older than 2023 is us back-filling in from the GSD database,
>   and we still have a long way to go for there. Some 2023 ones are in
>   there too from GSD, but mostly not, all of 2024 is since we took over
>   being a CNA.

And, if anyone wants to play along at home, they can get the same
information directly from our git repo at:
        https://git.kernel.org/pub/scm/linux/security/vulns.git/
by cloning it locally and then running:

        $ ./scripts/summary
        Year    Reserved  Assigned  Rejected  Total
        2019:         47         2         1     50
        2020:         37        13         0     50
        2021:         39       304         7    350
        2022:          7        43         0     50
        2023:         60       180        10    250
        2024:        107       435         8    550
        Total:       297       977        26   1300

No need for anyone to rely on random updates from me on
social.kernel.org for that type of thing.

thanks,

greg k-h