Linux Is a CVE Numbering Authority (CNA) (kroah.com)
20 points by transpute on Feb 17, 2024 | hide | past | favorite | 10 comments


They give every released fix a CVE-number.

If you use the newest released kernel of a supported branch, by definition you have no open CVEs (except those that other organizations manage to get assigned).

If you use something older, you will have many open CVEs.

Basically saying that the CVE system is useless without saying it.


Or saying, upgrade your kernels?


This is bad, because Linux has bad security culture and numerous security bug fixes occur without a CVE assigned and changes never get backported. Surprised Google allowed this to occur, considering they have Linux as a liability in their Android software stack and this massively reduces security posture of Linux mainline, causing costs to Google when they need to fix Linux's bullshit downstream.


Do you have more info on how linux has bad security culture?


Wouldn't this help then, because now that they are a CNA they can easily assign fixes CVEs?


The policy now will be that each kernel bug will get assigned a CVE. Which means DoSing security researchers. If every bug is related to a security vulnerability, then no bug is related to a security vulnerability. The goal here seems to be to discredit the already reputationally fragile CVE system by making it even worse, by flooding it with unhelpful CVE assignments. The vendor also being the CNA is an obvious conflict of interest. Vendors do not like CVEs being assigned to their products. Imagine if Cisco got to decide whether their router software bug was worthy of having a CVE assigned.


> The policy now will be that each kernel bug will get assigned a CVE.

Do you have a citation for this?

For a CNA to submit CVEs they need to submit a CVSS score. Initially 100% of their scores will be audited; if the score is 0, it would be considered an invalidly assigned CVE. Issues assigned a CVE must be exploitable by someone who does not already have access to do the thing described, and they also must have documented impact to the confidentiality, integrity or availability of the impacted system. All of this means Linux being a CNA should not result in an increase of CVEs unless they are already not getting CVEs for those vulnerabilities.


https://lore.kernel.org/lkml/2024021314-unwelcome-shrill-690...

> Note, due to the layer at which the Linux kernel is in a system, almost any bug might be exploitable to compromise the security of the kernel, but the possibility of exploitation is often not evident when the bug is fixed. Because of this, the CVE assignment team are overly cautious and assign CVE numbers to any bugfix that they identify.


I don't get how exactly they would be wrong with that, and I am not sure why saying "update from the buggier version to a less buggy version" (that is implied with an assigned CVE) is a bad thing.




