2024-05-01 20:27:44

by Alan Coopersmith

Subject: [oss-security] Re: CVEs issued by the Linux kernel CNA

On 2/20/24 15:30, Alan Coopersmith wrote:
> As recently announced [1], kernel.org is now a CNA for the Linux kernel, and
> today issued its first 8 CVEs, as seen in the archives of their mailing list
> at https://lore.kernel.org/linux-cve-announce/ .
>
> Their documentation [2] warns that we should expect a "seemingly large number
> of CVEs that are issued by the Linux kernel team".

Quantifying this a bit more now - Greg K-H provided some stats so far in:
https://social.kernel.org/notice/AhSCMVs4RofbnTftGS

which says:

> Year   Reserved  Assigned  Rejected  Total
> 2019:        47         2         1     50
> 2020:        37        13         0     50
> 2021:        39       304         7    350
> 2022:         7        43         0     50
> 2023:        60       180        10    250
> 2024:       107       435         8    550
> Total:      297       977        26   1300
>
>
> Anything older than 2023 is us back-filling in from the GSD database, and we
> still have a long way to go for there. Some 2023 ones are in there too from
> GSD, but mostly not, all of 2024 is since we took over being a CNA.

--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - https://blogs.oracle.com/solaris


2024-05-02 09:14:28

by Greg KH

Subject: Re: [oss-security] Re: CVEs issued by the Linux kernel CNA

On Wed, May 01, 2024 at 01:27:06PM -0700, Alan Coopersmith wrote:
> On 2/20/24 15:30, Alan Coopersmith wrote:
> > As recently announced [1], kernel.org is now a CNA for the Linux kernel, and
> > today issued its first 8 CVEs, as seen in the archives of their mailing list
> > at https://lore.kernel.org/linux-cve-announce/ .
> >
> > Their documentation [2] warns that we should expect a "seemingly large number
> > of CVEs that are issued by the Linux kernel team".
>
> Quantifying this a bit more now - Greg K-H provided some stats so far in:
> https://social.kernel.org/notice/AhSCMVs4RofbnTftGS
>
> which says:
>
> > Year   Reserved  Assigned  Rejected  Total
> > 2019:        47         2         1     50
> > 2020:        37        13         0     50
> > 2021:        39       304         7    350
> > 2022:         7        43         0     50
> > 2023:        60       180        10    250
> > 2024:       107       435         8    550
> > Total:      297       977        26   1300
> >
> >
> > Anything older than 2023 is us back-filling in from the GSD database, and we
> > still have a long way to go for there. Some 2023 ones are in there too from
> > GSD, but mostly not, all of 2024 is since we took over being a CNA.

And, if anyone wants to play along at home, they can get the same
information directly from our git repo at:
https://git.kernel.org/pub/scm/linux/security/vulns.git/
by cloning it locally and then running:

$ ./scripts/summary
Year   Reserved  Assigned  Rejected  Total
2019:        47         2         1     50
2020:        37        13         0     50
2021:        39       304         7    350
2022:         7        43         0     50
2023:        60       180        10    250
2024:       107       435         8    550
Total:      297       977        26   1300

No need for anyone to rely on random updates from me on
social.kernel.org for that type of thing.

thanks,

greg k-h
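As an added example, not the vulns.git scripts/summary script itself and not part of the thread: a shell function that recomputes the same per-year table from a local checkout, so the quoted figures can be checked rather than taken from a post. It assumes (my assumption, not stated above) that the checkout stores entries as cve/reserved/<year>/, cve/published/<year>/ and cve/rejected/<year>/, that the "Assigned" column corresponds to the published directory, and that one CVE id may be represented by several files (for example .json, .mbox and .sha1) that must be counted once.

```shell
# Added example (not the vulns.git script): recompute a per-year
# Reserved/Assigned/Rejected/Total table from a local checkout.
# ASSUMED layout: $root/cve/{reserved,published,rejected}/<year>/CVE-<year>-<n>[.ext]
# Usage: cve_summary /path/to/vulns   (after cloning the URL quoted above)

# Count distinct CVE ids in one state/year directory. An id may have several
# files (e.g. .json/.mbox/.sha1); strip the extension so it counts once.
count_ids() {
    # $1 = directory; a missing directory means zero entries for that state
    [ -d "$1" ] || { echo 0; return; }
    ls "$1" | sed 's/\..*$//' | sort -u | wc -l | tr -d ' '
}

cve_summary() {
    root=$1
    total_r=0; total_a=0; total_j=0
    printf '%-6s %8s %8s %8s %6s\n' Year Reserved Assigned Rejected Total
    # Collect every 4-digit year that appears under any of the three states
    # (the grep also drops the "dir:" headers ls prints for multiple arguments).
    for year in $(ls "$root/cve/reserved" "$root/cve/published" "$root/cve/rejected" 2>/dev/null \
                  | grep -E '^[0-9]{4}$' | sort -u); do
        r=$(count_ids "$root/cve/reserved/$year")
        a=$(count_ids "$root/cve/published/$year")
        j=$(count_ids "$root/cve/rejected/$year")
        printf '%-6s %8d %8d %8d %6d\n' "$year:" "$r" "$a" "$j" $((r + a + j))
        total_r=$((total_r + r)); total_a=$((total_a + a)); total_j=$((total_j + j))
    done
    printf '%-6s %8d %8d %8d %6d\n' Total: "$total_r" "$total_a" "$total_j" \
        $((total_r + total_a + total_j))
}
```

Run it against a fresh clone and compare the rows with the table in the message; a mismatch means either the repo has moved on since the post or the assumed directory layout differs from the real one, in which case the project's own ./scripts/summary is the reference.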