On 2/20/24 15:30, Alan Coopersmith wrote:
> As recently announced [1], kernel.org is now a CNA for the Linux kernel, and
> today issued its first 8 CVEs, as seen in the archives of their mailing list
> at https://lore.kernel.org/linux-cve-announce/ .
>
> Their documentation [2] warns that we should expect a "seemingly large number
> of CVEs that are issued by the Linux kernel team".

Quantifying this a bit more now - Greg K-H provided some stats so far in:
https://social.kernel.org/notice/AhSCMVs4RofbnTftGS
which says:

  Year    Reserved  Assigned  Rejected  Total
  2019:         47         2         1     50
  2020:         37        13         0     50
  2021:         39       304         7    350
  2022:          7        43         0     50
  2023:         60       180        10    250
  2024:        107       435         8    550
  Total:       297       977        26   1300

Anything older than 2023 is us back-filling in from the GSD database, and we
still have a long way to go for there. Some 2023 ones are in there too from
GSD, but mostly not, all of 2024 is since we took over being a CNA.
--
-Alan Coopersmith- alan.coopersm...@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris