It would be interesting to pick a range of commits as a sample to figure out what % of security fixes actually get a CVE...
If distros do a security update, there's a CVE (lots assigned way after the fix). Maybe compare date of fix vs CVE date-of-issue.
Talking about all kinds of bug fixes that do have a security relevance if you look closely, but that aren't backported at all.
This is why I tell everyone to use an upstream -stable tree instead of cherry-picking CVE fixes.
Now, what stable branches started significantly more than 5 years ago and are still well security-maintained? Is it just RHEL5?
Not sure, but my point is mostly that it'll be 5 years until I know about all the 0-days in the kernel I'm running today. :P
It's worse than that. In 5 years you might only know about most of today's vulns that will ever be found, not about all of them.
Most? Doubt it. Especially if "known" means "CVE assigned" rather than it simply being fixed or the code removed.
Nope, but it should be trivial for other folks to do it if the BSDs have a database of when flaws were introduced and fixed.