In non-CVE news, here's some fun hardware I got while visiting Hong Kong. It's not the snappiest laptop I've ever used, but it holds potential!

Kernel source is all public (there's a 6.1.y and 6.6.y tree at the moment), hopefully will start working on getting it all merged upstream to make it a proper platform for others to use.

@brahms @kurtseifried We are not "trolling" anyone, we are doing explicitly what the CVE.org board and staff have required us to do in order for us to be a CNA.

@kurtseifried Note, 3000 includes the "old" things we are backfilling from the GSD database, not just the ones that have shown up this year since we started in February. So while 3000 sounds big, if you are using a modern kernel (i.e. something from this year), it's only 1500+ issues to be assigned so far.

Sorry to nit-pick, just wanted to be specific as 3000 in 6 months originally seemed like a lot to me before I went back and looked at these numbers.

Also, for those who want to play along on their own, just clone our vulns.git repo at git.kernel.org and look at the information directly there yourself, it's all being reviewed and assigned in the open, unlike other projects...

So far this year the Linux Kernel has done 3000 CVEs even. This means we can expect roughly 4500 for this year in total. Bu I have good news: they only started in Feb so we can expect another 10-15% on top of that for 2025, so with any luck that'll be about 5000. In other words 12.5% or so of TOTAL CVE activity.

So when @gregkh says run current, you need to listen.

You can spend several thousand hours a year trying to triage Linux Kernel vulns, or you can invest that effort into automation (updates, builds, testing, etc.) and stay current and answer "did you fix CVE foo" with either a "yes" or a "that will go out in the next update at future time X".

@mathaetaes @kurtseifried No one is forcing you to! But note, if other operating systems are not reporting these same types of numbers, then they just aren't reporting things that actually get fixed, or nothing is being fixed at all in them. It's up to you to determine which is the case for those systems :)

@kurtseifried Yeah, it's only about 60 a week, a bit more than I originally guessed, but not out of the expected range at all.

@dermoth All of those commits we are reviewing are already public and have been for weeks, to somehow think that the "bad guys" are not watching our commit stream as-it-happens is to imply that they don't know what they are doing :)

So there is no benefit or need to be "private" about tagging specific commits as CVEs before we do so as you should have already taken all of these fixes weeks ago anyway.

@schrotthaufen @pavel @kernellogger CVE assignment is ANYTHING but automatic. All changes are reviewed by 4 people in different ways and we vote/discuss them all, in public. Anyone is welcome to help us with this review, it's only about 34 changes a day to keep on top of.

Yes, once we agree "this commit should get a CVE" we have tools to make the assignment and publish the notice in an automated way, but all CNAs have something like that (if they don't they are wasting a lot of time doing it by hand.)

I'd really like to read a well researched article that sums up how Linux distros reacted to the massive influx of #Linux #kernel CVE that started ~half a year – both for their #LinuxKernel packages and their live-patching offerings.

But I guess that is an enormous amount of work that no media outlet in this world is willing to pay anyone for writing. 😕

Slide taken from @gregkh's "Why are there so many kernel CVEs?" talk he gave at OSS China yesterday (https://social.kernel.org/objects/c9979d9f-399f-428b-ac56-c41598076dfa ) #LinuxKernel

Don't panic! It's only 60 Linux CVE security bulletins a week https://zdnet.com/article/dont-panic-its-only-60-linux-cve-security-bulletins-a-week/ by @sjvn

Sure, it sounds like a lot, but it's just business as usual for #Linux #security.

@kurtseifried It's not like we weren't doing this before Febuary, we were, our rate of fixing hasn't changed at all from what I can tell.

Here's a good summary of the talk from @sjvn : https://www.zdnet.com/article/dont-panic-its-only-60-linux-cve-security-bulletins-a-week/

Here's a link to the slides for my "Why are there so many kernel CVEs?" talk I gave at OSS China yesterday:
https://kccncossaidevchn2024.sched.com/event/ed2b39a9a0cdfc1df18de67ce0c2f6be

Link to git repo for the slides if the schedule site acts odd for you:
https://git.sr.ht/~gregkh/presentation-security

It was fun, and will be the "set up" for my Kernel Recipes talk in Paris in a few weeks (only 3 conferences to go between now and then, travel is back in full swing.)

Ok, so the day has come. On the context of getting "/usr merge" on alpine, I am going to try update the FHS.

9 years after it was updated, big parts of it are out-of-sync with the current Linux distro conventions.

We (@postmarketOS) already pinged the @linuxfoundation about it in February, and their suggestion was to get somebody interested to do the work. So let's start that process now! Since the FHS mailing list seems defunc (I subscribed and sent an email in February that never got added to the archive), please send me an email at pabloyoyoista@postmarketos.org so we can get a list of people to start discussing the process

#linux #distros #debian #fedora #alpinelinux #postmarketOS #systemd

Recently, a Dutch hacker found a vulnerability allowing him to shut down 4 million solar power installations. A handful of mostly non-European places manage perhaps 100 GW of solar power in the EU. Any mishap there, or heaven forbid, a compromise, could easily shut down so much power that the European electricity grid would collapse. Shockingly, we regulate these massive control panels as if they are online birthday calendars. And that must change. https://berthub.eu/articles/posts/the-gigantic-unregulated-power-plants-in-the-cloud/

I think I finally found out why it feels like CISA live on Alpha Centauri.

> “It’s a myth,” she declared, “that software vulnerability is an inevitability. … It’s the same classes of defects we’ve known about for decades and known how to fix for years.”

This is both true and utterly wrong. It is true, we know how to detect and fix them for decades. In research.

But you know what we do not have? Industry tool that can be used in the industry based on this knowledge.

https://insideaipolicy.com/share/16704

"Linux would have prevented this!" literally true because my former colleague KP Singh wrote a kernel security module that lets EDR implementations load ebpf into the kernel to monitor and act on security hooks and Crowdstrike now uses that rather than requiring its own kernel module that would otherwise absolutely have allowed this to happen, so everyone please say thank you to him

It is time we realize and accept that there can never be a single nor objective criticality score for a CVE.

don't let anyone ruin your day

it's YOUR day!

ruin it yourself by attempting a gentoo install

@killyourfm I am, yes!

@killyourfm If you ever need a guest, I'll be glad to do so, keep up the great work!