Comment Re:That library file limit (Score 1) 7
Nope. That's why I changed all my players to BlueOS.
I replaced all my SONOS connects with BlueSound node Nano devices. A pricey replacement, but worth it.
As a bonus I was now able to turn off SMB1 on my home Samba server !
> Every large NAS vendor (Synology, QNAP, etc) has their own SMB server they wrote themselves
That's untrue. Both Synology and QNAP use Samba. QNAP contributes code and bugfixes back to samba.org (Hi Jones !).
The upstream Linux kernel doesn't differentiate between security bugs and "normal" bug fixes. So the new kernel.org CNA just assigns CVEs to all fixes. They don't score them.
Look at the numbers from the whitepaper:
"In March 2024 there were 270 new CVEs created for the stable Linux kernel. So far in April 2024 there are 342 new CVEs:"
Yes ! That's exactly the point. Trying to curate and select patches for a "frozen" kernel fails due to the firehose of fixes going in upstream.
And in the kernel many of these could be security bugs. No one is doing evaluation on that, there are simply too many fixes in such a complex code base to check.
Oh that's really sad. I hope they use a more up to date version of Samba
I don't see that argument in the blog or paper.
Did you read them ?
There are many more unfixed bugs in vendor kernels than in upstream. That's what the data shows.
You're missing something.
New bugs are discovered upstream, but the vendor kernel maintainers either aren't tracking, or are being discouraged from putting these back into the "frozen" kernel.
We even discovered one case where a RHEL maintainer fixed a bug upstream, but then neglected to apply it to the vulnerable vendor kernel. So it isn't like they didn't know about the bug. Maybe they just didn't check the vendor kernel was vulnerable.
I'm guessing management policy discouraged such things. It's easier to just ignore such bugs if customers haven't noticed.
Gordon, Gordon, don't you ever get tired of your obsession ?
"Towards thee I roll, thou all-destroying but unconquering whale; to the last I grapple with thee; from hell's heart I stab at thee; for hate's sake I spit my last breath at thee."
Very astute comment. The white paper shows that the frozen "vendor" kernel model really doesn't work. And if people can't / won't upgrade then maybe alternative security precautions around a known insecure kernel is the best we can do.
I'm just gonna leave this here..
You might have missed my previous post, I agree and want to add that to me it is even a bit more than that.
There is a complex interaction when you see a milk jug full of water hit by a bullet, or see the flow of plasma on the sun twisted by gravity and magnetic fields, or the plasma of the big bang as the expansion of the universe pulls it apart.
But they can be summed up as an expanding force vs a force of cohesion in all of them. Gravity is a force of cohesion on a cosmic scale, but so is magnetism. And at the great inflation, the lingering cosmic filaments of stars and galaxies look very similar to the water spreading from a hit from a bullet where the cohesion is from more molecular forces.
If there was a "then a miracle occurs" part of cosmology that still existed, it would be the dark energy that continues to accelerate the expansion of the universe.
But it has one other side effect that isn't spoken of much -- creating clean entropy. How did we go from a homogeneous plasma at the big bang to such different hot/cold regions in the universe? Expansion, which has a similar effect on condensing gasses into liquids and even freezing them into solids. Only in this case some of that condensation ignites and creates the stars, pinpoints of very clean entropy to power whole solar systems. Expansion is what winds the clock of entropy, creating the differentials that then re-mix and make work happen.
So I completely agree, and if you ask me the story of creating entropy differentials for the universe to do work is the "then a miracle occurs" part of the story that still remains.
And said God, "let's gather the waters under the heavens into one place, and let's see it dry."
Called God the dry "Earth", and the collection of waters he called "Seas", And saw God "that's good".
I've looked at the listing, and it's right! -- Joel Halpern