Common Vulnerabilities and Exposures (CVE®) numbers were developed as an unambiguous way to identify, define, and catalog publicly disclosed security vulnerabilities. For the kernel project their usefulness declined over time: CVE numbers were very often assigned in inappropriate ways and for inappropriate reasons, and the kernel development community consequently tended to avoid them. However, continuing pressure to assign CVEs and other security identifiers, together with ongoing abuses by individuals and companies outside the kernel community, made it clear that the kernel community itself should control those assignments. The Linux kernel developer team is therefore able to assign CVEs for potential Linux kernel security issues. This assignment is independent of the normal Linux kernel security bug reporting process: requesting a CVE is not the same as reporting a security bug, and reporting a security bug does not by itself produce a CVE.
Experts consider the backdoor in liblzma the most sophisticated supply-chain attack seen to date. It allows attackers to inject commands remotely. The affected upstream releases are xz-utils 5.6.0 and 5.6.1 (CVE-2024-3094); the malicious code reached sshd on distributions whose OpenSSH build links against libsystemd, which in turn loads liblzma, and that is how a compression-library backdoor became a remote command-injection path.
Server security doesn’t need to be complicated. My security philosophy is simple: adopt principles that will protect you from the most frequent attack vectors, while keeping administration efficient enough that you won’t develop “security cruft”.... (Bryan Kennedy, Ideate, Innovate, Launch)