Home 零对冲(ZeroHedge)每日HackerNews

Linux CVE,比你想要知道的还要多。
Linux CVEs, more than you ever wanted to know

原始链接: http://www.kroah.com/log/blog/2025/12/08/linux-cves-more-than-you-ever-wanted-to-know/

自从近两年前成为 CVE(通用漏洞披露)编号机构以来,Linux 内核社区已成为 CVE 的主要发布者,目前按数量排名第一。这促使人们需要对该流程进行透明化。 作者曾在广泛场合就此主题进行演讲,详细介绍了 Linux 社区如何大规模管理 CVE 分配。虽然这项工作的大部分内容发生在内核源代码之外(主要通过 `linux-cve-announce` 邮件列表),但理解这一点至关重要,特别是考虑到 Linux 独特的版本方案,经常被外部团体误解。 这些文章旨在记录用于 CVE 报告的演进工具和工作流程,提供一种简化的跟踪分配方法,超越像 CVE JSON 和 NVD 这样复杂的格式。最终,这份文档不仅为关注 Linux 安全的人员提供资源,也为面临类似挑战的其他开源项目提供参考。

## Linux CVE 更新与透明度 [kroah.com](http://www.kroah.com/) 上的博客文章系列详细介绍了 Linux 内核社区在成为证书编号机构 (CNA) 后如何管理 CVE(通用漏洞和暴露)。自两年前成为 CNA 以来,内核社区已成为最大的 CVE 创建者,在 2025 年发布了比任何其他组织都多的 CVE。 作者 Greg K-H 解释了他们的 CVE 分配流程的演变,并解决了他们在第一年遇到的挑战。该系列旨在提供对其工具、发布方案和跟踪方法的详细了解——提供了一种比官方 CVE 格式更简单的替代方案。 Hacker News 上的讨论指出该博客缺乏 HTTPS 支持(在 2025 年这令人担忧!),并强调了作者之前关于该主题的演讲。该系列旨在帮助其他面临类似漏洞报告扩展问题的开源项目。
相关文章
原文

It’s been almost 2 full years since Linux became a CNA (Certificate Numbering Authority) which meant that we (i.e. the kernel.org community) are now responsible for issuing all CVEs for the Linux kernel. During this time, we’ve become one of the largest creators of CVEs by quantity, going from nothing to number 3 in 2024 to number 1 in 2025. Naturally, this has caused some questions about how we are both doing all of this work, and how people can keep track of it.

I’ve given a number of talks over the past years about this, starting with the Open Source security podcast right after we became a CNA and then the Kernel Recipes 2024 talk, “CVEs are alive, but do not panic” and then a talk at OSS Hong Kong 2024 about the same topic with updated numbers and later a talk at OSS Japan 2024 with more info about the same topic and finally for 2024 a talk with more detail that I can’t find the online version.

In 2025 I did lots of work on the CRA so most of my speaking over this year has been about that topic , but the CVE assignment work continued on, evolving to meet many of the issues we had in our first year of being a CNA. As that work is not part of the Linux kernel source directly, it’s not all that visable to the normal development process, except for the constant feed on the linux-cve-announce mailing list I figured it was time to write down how this is all now working, as well a bunch of background information about how Linux is developed that is relevant for how we do CVE reporting (i.e. almost all non-open-source-groups don’t seem to know how to grasp our versioning scheme.)

There is a in-kernel document that describes how CVEs can be asked for from the kernel community, as well as a basic summary of how CVEs are automatically asigned. But as we are an open community, it’s good to go into more detail as to how all of us do this work, explaining how our tools have evolved over time and how they work, why some things are the way they are for our releases, as well as document a way that people can track CVE assignments on their own in a format that is, in my opinion, much simpler than attempting to rely on the CVE json format (and don’t get me started on NVD…)

So here’s a series of posts going into all of this, hopefully providing more information than you ever wanted to know, which might be useful for other open source projects as they start to run into many of the same issues we have already dealt with (i.e. how to handle reports at scale):

联系我们 contact @ memedata.com