this post was submitted on 07 Nov 2024
-13 points (21.7% liked)

Linuxsucks

163 readers
625 users here now

Shit on Desktop Linux and its evangelists here

No evangelizing for Linux

founded 4 weeks ago
MODERATORS
madthumbs
-13
Top 50 Products By Total Number Of "Distinct" Vulnerabilities (lemmy.world)
submitted 5 days ago by madthumbs to c/linuxsucks
9 comments fedilink hide all child comments
 

https://www.cvedetails.com/top-50-products.php?year=0

top 9 comments
sorted by: hot top controversial new old
[–] Peasley 12 points 5 days ago* (last edited 5 days ago) (1 children)

That number shows across all versions, regardless if they have been patched or mitigated

If you look on that site at current versions only it looks very different

iOS 18 - 30

iOS 18.1 beta - 0

macOS 11.2.3 - 0

Windows 11 22h2 current patch - 0

Fedora 41 - 1

Android 15 - 7

Ubuntu 23.10 - 2 (for some reason 24.04 and 24.10 are missing)

It's a pretty interesting site!

[–] [email protected] 2 points 5 days ago (1 children)

Bingo. That site is counting that same vuln repeatedly.

[–] madthumbs -1 points 4 days ago (1 children)

How do you figure? The title says 'distinct'.

[–] [email protected] 2 points 4 days ago* (last edited 4 days ago) (1 children)

By looking at the data on the website..? The same vuln appears under multiple different versions of an OS.

[–] madthumbs -1 points 4 days ago (1 children)

Your statement seems worded to imply that the same vulnerability is being counted in the same version of the OS, and it wouldn't make sense to comment as such since it would be omitting data otherwise.

[–] [email protected] 5 points 4 days ago

They’re still not distinct vulnerabilities. They’re the same vulnerabilities across different products and versions. Others in the thread immediately misunderstood what the table was presenting.

Cvedetails was far better (albeit uglier) in the past before Security Scorecard took over the brand / domains.

Another fundamental mistake Security Scorecard are making is that they don’t understand the data they’re trying to visualise, group, and rank. Debian, for instance, do a stellar job and enumerate any version of their product that has a vulnerable package in their repos even if it’s nothing to do with the actual operating system whereas Apple don’t enumerate vulnerable App Store apps in the same way nor do many other Linux distributions which have their own repos of packaged FOSS apps.

What thus results in is Debian getting tabulated to look like they’re doing something really wrong with the number of vulns they’re enumerating whereas it’s actually exceptionally awesome that they do. This kind of junk “Top x” just incentivises other distributions to not put in get hard work and provide CPE codes for their distro’s package repos.

[–] [email protected] 3 points 5 days ago (1 children)

known vulnerabilities

[–] madthumbs 0 points 3 days ago (1 children)

Yeah, it's mostly for contrast to people who deny any such thing in Linux. Arguing FOSS vs proprietary for security and issues is almost pointless.

[–] [email protected] 1 points 3 days ago

Not just almost.
I work as a sysadmin. In a professional setting, Linux, Windows, BSD, it's literally all the same: Just keep your shit patched so the cybersecurity insurance can't wiggle out of paying in case something happens.