oss-sec mailing list archives

Re: CVEs issued by the Linux kernel CNA


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Wed, 1 May 2024 13:27:06 -0700

On 2/20/24 15:30, Alan Coopersmith wrote:
> As recently announced [1], kernel.org is now a CNA for the Linux kernel, and
> today issued its first 8 CVEs, as seen in the archives of their mailing list
> at https://lore.kernel.org/linux-cve-announce/ .
>
> Their documentation [2] warns that we should expect a "seemingly large number
> of CVEs that are issued by the Linux kernel team".

Quantifying this a bit more now - Greg K-H provided some stats so far in:
https://social.kernel.org/notice/AhSCMVs4RofbnTftGS

which says:

Year Reserved Assigned Rejected Total
2019:   47        2        1      50
2020:   37       13        0      50
2021:   39      304        7     350
2022:    7       43        0      50
2023:   60      180       10     250
2024:  107      435        8     550
Total: 297      977       26    1300


Anything older than 2023 is us back-filling in from the GSD database, and we
still have a long way to go for there. Some 2023 ones are in there too from
GSD, but mostly not, all of 2024 is since we took over being a CNA.

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
