The other day me and @gregkh shot down a draft proposal to add a new role in the CVE ecosystem (SADP: "supplier ADP") that would append data to CVEs with details about dependencies and how they are or are not vulnerable to each particular CVE.
Imagine the amount of dependencies that use curl or the Linux kernel etc. These sweet innocent proposal makers thought in the terms of 5-10 dependencies per CVE. Not tens or hundreds of thousands which is far from unthinkable.
@bagder @gregkh got it. Sounds like some is trying to create the Universal Asset Graph by accident rather than on purpose.
(Relevant self-post: https://theoryof.predictable.software/articles/some-requirements-for-a-universal-asset-graph/ )
@jacques @bagder @gregkh I'd really love to have some public database that would help us all collectively make more efficient resource allocation decisions.
Let's take CVE-2025-38352 for example. CISA added it to the KEV because Google said that there is evidence of exploitation in the context of Android.
If you use CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y the fix is not needed.
Linux distros aren't affected but release "fixes" anyway. https://forums.rockylinux.org/t/rocky-8-10-cve-2025-38352/19590/3
OK, I’m busy waiting. Regarding Rocky 9: We also use a machine with kernel 5.14.0-570.37.1.el9. On this machine, the kernel parameter CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y is effective. If I understand correctly, this means that the problem does not occur. Regards
daniel:// stenberg://
Jacques Chester
Matt "msw" Wilson
Greg K-H