I've seen many Linux offensive security presentations and research include caveats like, "first turn off ASLR", or other stuff where the written exploit doesn't actually work with modern default systems. Here the excellent article includes details on _enabling_ additional non-default defenses. 😍
I remain impressed that the Ubuntu security team (and kernel team) do severity analysis (with respect to the distro), and usually flaw-introduction commit analysis, for each kernel CVE. It's already a lot of work, so I'm curious how they will adapt to the higher rate of CVE assignments now.
@vathpela @vegard @gregkh The corollary of "security bugs are bugs" is "bugs are security bugs". Without an omniscient view of all Linux deployments and the associated reachability analysis, the objective security impact of a behavioral weakness cannot be assessed. And this is especially true given that (even minor) flaws are commonly chained together to build exploits.
This new process won't be perfect, but it'll be a whole lot closer to reality than the prior process: assigning no CVEs. :)
v6.5 fixed almost twice as many "high" CVEs (19) as the second most prolific release, v6.6 (11), with v6.4 tied for 3rd place (9) with v5.17. It seems like the rate of fixing is picking up.
Ignoring the first git release (v2.6.12), the "high" flaw counts are relatively even. The most flawed (i.e. most well tested/researched) releases have been v3.8 (9), v3.18 & v2.6.20 tied (8), and v5.9 & v4.1 tied (6).
But there are certainly more flaws in all releases -- they just haven't been found yet.
Last time I did a Linux kernel security flaw lifetime analysis was back in 2021. It showed the average time between flaw introduction and fix was 5.5 years for 108 "high priority" CVEs: https://outflux.net/slides/2021/lss/kspp.pdf
I refreshed my dataset today and was surprised to see that now with 103 more CVEs, it's still holding at 5.5 years. This actually means Linux is getting faster at finding issues, but the (diminishing) technical debt of the past is still dragging down the average.
Sequentially in my feed: a toot about the Mars helicopter Ingenuity and its continued flying around, followed by a toot about Linux 4.14 reaching EOL.
Which reminds me, Ingenuity is running a 3.6 kernel. And it has the only excuse I can tolerate for having not been upgraded: it's on a different planet. ;)