Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mastodon.social/users/cks/statuses/112436951331040441">Chris Siebenmann (cks@mastodon.social)'s status on Friday, 17-May-2024 01:14:52 JST</a><a href="https://mastodon.social/@cks" title="cks@mastodon.social"><img src="https://gnusocial.jp/avatar/97051-48-20230210172853.webp" width="48" height="48" alt="Chris Siebenmann" style="position: absolute; left: 0; top: 0;">Chris Siebenmann</a><div><a href="https://mastodon.social/@cks/112436837742579941" rel="in-reply-to">in reply to</a></div></section><article><p>How good was (is) the Linux kernel at security assessments? Well, between 2006 and 2018, 41% of kernel CVEs had already been fixed in the main kernel by the time they were reported as security issues (in someone's kernel), and the overall average 'time to fix' was -100 days. Clearly a lot of security fixes were not being recognized as such. Which is not a surprise; modern exploit developers are extremely clever.</p><p>Source: this 2019 Greg KH presentation: <a href="https://kernel-recipes.org/en/2019/talks/cves-are-dead-long-live-the-cve/" rel="nofollow noreferrer">https://kernel-recipes.org/en/2019/talks/cves-are-dead-long-live-the-cve/</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3099782#notice-6142090">In conversation</a><time datetime="2024-05-17T01:14:52+09:00" title="Friday, 17-May-2024 01:14:52 JST">about 6 months ago</time> <span>from <span><a href="https://mastodon.social/@cks/112436951331040441" rel="external" title="Sent from mastodon.social via ActivityPub">mastodon.social</a></span></span><a href="https://mastodon.social/@cks/112436951331040441">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: kernel-recipes.org</div><h5><a href="https://kernel-recipes.org/en/2019/talks/cves-are-dead-long-live-the-cve/">CVEs are dead, long live the CVE!</a></h5><div> from <span>ennael</span></div></header><div></div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Chris Siebenmann (cks@mastodon.social)'s status on Friday, 17-May-2024 01:14:52 JST Chris Siebenmann
in reply to
How good was (is) the Linux kernel at security assessments? Well, between 2006 and 2018, 41% of kernel CVEs had already been fixed in the main kernel by the time they were reported as security issues (in someone's kernel), and the overall average 'time to fix' was -100 days. Clearly a lot of security fixes were not being recognized as such. Which is not a surprise; modern exploit developers are extremely clever.
Source: this 2019 Greg KH presentation: https://kernel-recipes.org/en/2019/talks/cves-are-dead-long-live-the-cve/
In conversationabout 6 months ago from mastodon.socialpermalink
Attachments
1. Domain not in remote thumbnail source whitelist: kernel-recipes.org
  CVEs are dead, long live the CVE!
  from ennael

Public

Embed Notice

HTML Code

Corresponding Notice