
103 points voxadam | 3 comments
throw329084 ◴[] No.46212124[source]
This blog post, brought to you by the man who wants to burn down the CVE system https://lwn.net/Articles/1049140/
replies(4): >>46213146 #>>46213269 #>>46213912 #>>46214240 #
1. accelbred ◴[] No.46214240[source]
I, this last week, had to spend hours dealing with a fake CVE that was opened 2 years ago on an open source dependency of our project for a bug that amounts to "if you have RCE, you can construct a malicious Java datatype and call this function on it to trigger a stack overflow". The GitHub thread on the lib is full of the maintainers having to deal with hundreds of people asking them for updates on an obviously fake CVE. Yet the CVE is still up and has not been deleted. And I now get a request from a customer about fixing this vuln in our code that their CVE scanner found.

The CVE system is broken and its death would be a good riddance.

replies(1): >>46218967 #
2. some_random ◴[] No.46218967[source]
The CVE system isn't great but it's all we have and demanding its destruction because a CNA didn't do their job (just like the Linux CNA, I might add) is childish.
replies(1): >>46219974 #
3. DeepYogurt ◴[] No.46219974[source]
osv.dev exists and is worlds better