Gandalf_The_Grey
Level 81
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Apr 24, 2016
- 7,084
In February 2024, the Linux kernel developer team took over assigning CVEs for the Linux kernel. They did so because new government regulations, such as those from the European Union, required open-source projects to take responsibility for known vulnerabilities.
In addition, as Kroah-Hartman explained at the time, because while the CVE "system overall is broken in many ways... this change is a way for us to take more responsibility for this, and hopefully make the process better over time." It also made sure that no other group could assign Linux CVEs without the Linux developers getting their say.
Wait. Isn't 60 CVEs a week about problems that can stop your computer dead in its tracks something to worry about? Well, yes. Then, again, no.
You see, Kroah-Hartman explained, today, the Linux kernel has "38 million lines of code. You only use a little bit of this. My laptop uses about one and a half million lines of code. .... Your phone, the most complex beast out there, uses about 4 million lines of code. So, out of everything, you're really using a small portion, but everybody uses a different portion, and that's an important thing to remember."
The Linux kernel team doesn't have a clue which portion you use in your product. Their job is to produce the core code that everyone uses. Each with its own unique configuration and use case.
In short, don't get worked up about the sheer volume of CVEs. Just be sure to check that nothing in the latest bunch affects your setup. Far more often than not, it won't. To be truly safe, though, start updating your Linux kernel far more often than most of you do today.
Don't panic! It's only 60 Linux CVE security bulletins a week
In security circles, Common Vulnerabilities and Exposures security bulletins can be downright scary. In Linux, however, it's just business as usual.
www.zdnet.com