
Comment Re:Maybe (Score 1) 99

The upstream Linux kernel doesn't differentiate between security bugs and "normal" bug fixes. So the new kernel.org CNA just assigns CVEs to all fixes. They don't score them.

Look at the numbers from the whitepaper:

"In March 2024 there were 270 new CVEs created for the stable Linux kernel. So far in April 2024 there are 342 new CVEs:"

Comment Re:Yeah (Score 1) 99

Yes! That's exactly the point. Trying to curate and select patches for a "frozen" kernel fails due to the firehose of fixes going in upstream.

And in the kernel many of these could be security bugs. No one is doing evaluation on that, there are simply too many fixes in such a complex code base to check.

Comment Re:Maybe (Score 1) 99

You're missing something.

New bugs are discovered upstream, but the vendor kernel maintainers either aren't tracking, or are being discouraged from putting these back into the "frozen" kernel.

We even discovered one case where a RHEL maintainer fixed a bug upstream, but then neglected to apply it to the vulnerable vendor kernel. So it isn't like they didn't know about the bug. Maybe they just didn't check the vendor kernel was vulnerable.

I'm guessing management policy discouraged such things. It's easier to just ignore such bugs if customers haven't noticed.
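The check the comment above says nobody is doing ("was the vendor kernel actually vulnerable, and was the upstream fix ever applied?") can be automated for the subset of fixes that carry a `Fixes:` trailer. The script below is an added example, not part of the thread, the CIQ whitepaper or any distribution's tooling. All commit hashes, subjects and the vendor branch contents are constructed for illustration. It parses `Fixes:` trailers from upstream commit bodies and, since backports get new hashes, matches commits by subject line against the vendor branch to classify each upstream fix as already backported, needed (the buggy commit is in the vendor tree but the fix is not), or not applicable (the buggy commit was never backported).

```python
"""Classify upstream kernel fixes against a 'frozen' vendor branch.

Added example. Not the methodology of the CIQ whitepaper and not any
vendor's tooling; every hash, subject and branch below is made up.
"""
import re
from typing import Dict, List, Set, Tuple

# Hypothetical upstream commits: (sha, subject, body).
UPSTREAM_COMMITS: List[Tuple[str, str, str]] = [
    ("0123456789ab", "net: foo: add close handler", ""),
    ("a1b2c3d4e5f6", "net: foo: fix use-after-free in close handler",
     "The skb is freed before the callback runs.\n\n"
     'Fixes: 0123456789ab ("net: foo: add close handler")'),
    ("fedcba987654", "fs: bar: validate extent length",
     'Fixes: 1111111111aa ("fs: bar: add extent parsing")'),
    ("aaaaaaaaaaaa", "mm: baz: plug refcount leak",
     'Fixes: bbbbbbbbbbbb ("mm: baz: add lazy refcount")'),
    # No Fixes: tag at all, which is common; the script cannot classify it.
    ("cccccccccccc", "sched: quux: avoid NULL deref in wakeup", "Plain fix."),
]

# Hypothetical vendor branch. Backports are rewritten commits with new
# hashes, so subjects are the only stable handle we have.
VENDOR_SUBJECTS: Set[str] = {
    "net: foo: add close handler",      # buggy commit present, fix absent
    "fs: bar: add extent parsing",
    "fs: bar: validate extent length",  # buggy commit and fix both present
    # mm: baz never backported at all
}

# Matches the conventional kernel trailer:  Fixes: <sha> ("<subject>")
FIXES_RE = re.compile(r'^Fixes:\s*([0-9a-f]{7,40})\s+\("(.+)"\)\s*$', re.M)


def parse_fixes(body: str) -> List[Tuple[str, str]]:
    """Return [(sha, subject), ...] for every Fixes: trailer in a body."""
    return FIXES_RE.findall(body)


def classify(upstream: List[Tuple[str, str, str]],
             vendor_subjects: Set[str]) -> Dict[str, str]:
    """Map each tagged upstream fix to 'fixed', 'vulnerable' or 'not-affected'.

    Commits without a Fixes: trailer are skipped and must be reviewed by
    hand; that unreviewed remainder is the 'firehose' problem.
    """
    result: Dict[str, str] = {}
    for sha, subject, body in upstream:
        fixes = parse_fixes(body)
        if not fixes:
            continue
        fix_present = subject in vendor_subjects
        bug_present = any(s in vendor_subjects for _, s in fixes)
        if fix_present:
            result[sha] = "fixed"
        elif bug_present:
            result[sha] = "vulnerable"
        else:
            result[sha] = "not-affected"
    return result


def untagged(upstream: List[Tuple[str, str, str]]) -> List[str]:
    """Upstream commits with no Fixes: trailer, i.e. needing manual triage."""
    return [sha for sha, _, body in upstream if not parse_fixes(body)]


if __name__ == "__main__":
    for sha, status in classify(UPSTREAM_COMMITS, VENDOR_SUBJECTS).items():
        print(f"{sha}  {status}")
    print("untagged, needs manual review:", untagged(UPSTREAM_COMMITS))
```

Two caveats a practitioner should keep in mind: subject matching misses a vendor fix that was applied under a different subject, and a `Fixes:` tag only tells you which commit introduced the bug, not that the vendor's copy of that code path is reachable in their configuration. Neither weakens the point above; both push more of the work back onto manual review.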

Submission + - Why a 'frozen' distribution Linux kernel isn't the safest choice for security (zdnet.com) 1

Jeremy Allison - Sam writes: Cracks in the Ice: Why a 'frozen' distribution Linux kernel isn't the safest choice for security

https://ciq.com/blog/why-a-fro...

This is an executive summary of research that my colleagues Ronnie Sahlberg and Jonathan Maple did, published as a whitepaper with all the numeric details here:

https://ciq.com/whitepaper/ven...

Steven Vaughan-Nichols is covering the release of this
data here:

https://www.zdnet.com/article/...

Comment Re: Yep same guy . . . (Score 4, Interesting) 47

Thanks, Will-O. I quite remember this CIA guy's rubber stamp collection with dozens of great stamps: NOFORN, EYES-ONLY, and different fonts of Secret and Top Secret. Damn, but the guard at the place seized my paper with all those stamps.

On the other hand, I still have a VIP parking pass for the CIA headquarters - lets you park right at the front steps. Valid, if you have a time machine going back to April 5, 1988.

Comment Re: Yep same guy . . . (Score 3, Interesting) 47

My warm thoughts fly over to you, Kill (owatt-) Hour - last week's eclipse found me beneath stratus clouds just east of Buffalo, having a wonderful (though cloudy) day with 4 generations of my family. It's a joy to see how my home town has evolved - memories of climbing the Michigan Avenue Lift Bridge at midnight and watching them tap the red-hot coke ovens at Bethlehem/Lackawanna Steel mills.

Comment Re: Yep same guy . . . (Score 5, Interesting) 47

Following up, I am honored by the attention and kindness of fellow nerds and online friends. When I first started on that chase in 1986, I had no idea where it would lead me.

A curious accounting error led me through Unix internals, TCP/IP protocols, early Arpanet connections, and backwards to a group of computer hackers working for then Soviet & Stasi agencies. Along the way, I met people from the FBI, NSA, CIA, AFOSI, and plenty of very smart computer jocks.

It was a time of analog phones and dial up modems; when you would carry coins in your pocket to make calls on the street.

Since then, thanks to the support of online friends and math folk, I have explored and shared interests in topology and math. Along the way, I've made plenty of mistakes and bloopers; pretty much the same as student times. Goofups in grad school are easier to sweep aside!

To all my friends: May your burdens be light and your purpose high. Stay curious!

- Cliff

Comment Yep same guy… (Score 4, Informative) 47

I've been away from slashdot for a while, and I'm now on a post-eclipse trip on the east coast.

With good fortune (and Amtrak), I'll be home in 10 days; I'll then fill the tsunami of Klein bottle orders that have arrived in the past few hours. Over a dozen - I'll be catching up for a few days!

Smiles all around,
-Cliff on a rainy Saturday in Potsdam, NU
