On Wed, May 01, 2024 at 01:27:06PM -0700, Alan Coopersmith wrote:
> On 2/20/24 15:30, Alan Coopersmith wrote:
> > As recently announced [1], kernel.org is now a CNA for the Linux kernel, and
> > today issued its first 8 CVEs, as seen in the archives of their mailing list
> > at https://lore.kernel.org/linux-cve-announce/ .
> > 
> > Their documentation [2] warns that we should expect a "seemingly large number
> > of CVEs that are issued by the Linux kernel team".
> 
> Quantifying this a bit more now - Greg K-H provided some stats so far in:
> https://social.kernel.org/notice/AhSCMVs4RofbnTftGS
> 
> which says:
> 
> > Year Reserved Assigned Rejected Total
> > 2019:   47        2        1      50
> > 2020:   37       13        0      50
> > 2021:   39      304        7     350
> > 2022:    7       43        0      50
> > 2023:   60      180       10     250
> > 2024:  107      435        8     550
> > Total: 297      977       26    1300
> > 
> > 
> > Anything older than 2023 is us back-filling in from the GSD database, and we
> > still have a long way to go for there. Some 2023 ones are in there too from
> > GSD, but mostly not, all of 2024 is since we took over being a CNA.

And, if anyone wants to play along at home, they can get the same
information directly from our git repo at:
        https://git.kernel.org/pub/scm/linux/security/vulns.git/
by cloning it locally and then running:

        $ ./scripts/summary
         Year   Reserved        Assigned        Rejected        Total
          2019:    47               2               1              50
          2020:    37              13               0              50
          2021:    39             304               7             350
          2022:     7              43               0              50
          2023:    60             180              10             250
          2024:   107             435               8             550
         Total:   297             977              26            1300

No need for anyone to rely on random updates from me on
social.kernel.org for that type of thing.

thanks,

greg k-h
