Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/kurtseifried/statuses/113032272885503896">kurtseifried (he/him) (kurtseifried@infosec.exchange)'s status on Tuesday, 27-Aug-2024 17:58:43 JST</a><a href="https://infosec.exchange/@kurtseifried" title="kurtseifried@infosec.exchange"><img src="https://gnusocial.jp/avatar/106037-48-20240108191701.webp" width="48" height="48" alt="kurtseifried (he/him)" style="position: absolute; left: 0; top: 0;">kurtseifried (he/him)</a><div><ul><li></ul></div></section><article><p>So far this year the Linux Kernel has done 3000 CVEs even. This means we can expect roughly 4500 for this year in total. Bu I have good news: they only started in Feb so we can expect another 10-15% on top of that for 2025, so with any luck that'll be about 5000. In other words 12.5% or so of TOTAL CVE activity.</p><p>So when <a href="https://social.kernel.org/users/gregkh">@gregkh</a> says run current, you need to listen.</p><p>You can spend several thousand hours a year trying to triage Linux Kernel vulns, or you can invest that effort into automation (updates, builds, testing, etc.) and stay current and answer "did you fix CVE foo" with either a "yes" or a "that will go out in the next update at future time X".</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3575420#notice-7014958">In conversation</a><time datetime="2024-08-27T17:58:43+09:00" title="Tuesday, 27-Aug-2024 17:58:43 JST">about 3 months ago</time> <span>from <span><a href="https://infosec.exchange/@kurtseifried/113032272885503896" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@kurtseifried/113032272885503896">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/1807544">Untitled attachment</a></label><br></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
kurtseifried (he/him) (kurtseifried@infosec.exchange)'s status on Tuesday, 27-Aug-2024 17:58:43 JSTkurtseifried (he/him)
- Greg K-H
So far this year the Linux Kernel has done 3000 CVEs even. This means we can expect roughly 4500 for this year in total. Bu I have good news: they only started in Feb so we can expect another 10-15% on top of that for 2025, so with any luck that'll be about 5000. In other words 12.5% or so of TOTAL CVE activity.
So when @gregkh says run current, you need to listen.
You can spend several thousand hours a year trying to triage Linux Kernel vulns, or you can invest that effort into automation (updates, builds, testing, etc.) and stay current and answer "did you fix CVE foo" with either a "yes" or a "that will go out in the next update at future time X".
In conversationabout 3 months ago from infosec.exchangepermalink
Attachments
1. Untitled attachment

Public

Embed Notice

HTML Code

Corresponding Notice