Frequently Asked Question
What is a CVE and how should I follow Linux security advisories?
A CVE (Common Vulnerabilities and Exposures entry) is a globally unique identifier for a
single publicly disclosed security flaw, issued by MITRE and a network of CVE Numbering
Authorities (CNAs). The ID looks like CVE-2024-3094 (the xz backdoor) and acts as a
portable label: every vendor advisory, scanner report, exploit write-up, and patch note
refers to the same bug by the same name, so an administrator can answer "is my system
affected?" by correlating many sources on that one key. CVSS (Common Vulnerability
Scoring System), a separate but related standard, gives each CVE a base severity score
from 0.0 to 10.0.
The hard part is keeping up. The pragmatic flow for a defender is: subscribe to your
distribution's security announcement list (debian-security-announce,
Fedora security-announce, Ubuntu USNs, RHSA), let unattended-upgrades or
dnf-automatic apply the bulk of fixes automatically, and read the announcements
yourself for anything that needs a manual restart or workaround. The NIST National
Vulnerability Database (NVD) is the canonical lookup for the technical detail of any
particular CVE.
A handful of CVEs each year deserve immediate manual attention rather than waiting for the nightly run: kernel local-privilege-escalation bugs, anything in OpenSSH or OpenSSL, and any advisory reporting in-the-wild exploitation. Knowing where to look the day a CVE drops is the difference between patching first and patching after the incident.
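To show how the CVE ID works as the join key across sources and how the triage rule above can be applied mechanically, here is an added Python example that is not part of the original FAQ; the advisory texts, package names, scores, the DSA number and every CVE ID except CVE-2024-3094 are constructed sample data.

```python
"""Correlate CVE IDs across several sources and apply the FAQ's triage rule.
Added example, not from the original FAQ. Advisory texts, package names, scores,
DSA-XXXX-1 and every CVE ID except CVE-2024-3094 are constructed sample data."""
import re
from dataclasses import dataclass

# CVE-<4-digit year>-<4 or more digits>; \b keeps longer tokens from matching partially.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")
# Components the FAQ singles out for same-day manual handling.
URGENT_PACKAGES = {"linux", "openssh", "openssl"}

@dataclass
class Finding:
    cve: str
    package: str
    cvss: float  # CVSS base score, 0.0 to 10.0
    exploited_in_wild: bool

def extract_cves(text: str) -> set[str]:
    """Every well-formed CVE ID mentioned in an advisory or scanner report."""
    return {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)}

def triage(finding: Finding) -> str:
    """FAQ rule: kernel, OpenSSH, OpenSSL or in-the-wild exploitation is handled
    by hand today; everything else waits for the unattended nightly run."""
    if not 0.0 <= finding.cvss <= 10.0:
        raise ValueError(f"{finding.cve}: CVSS {finding.cvss} is outside 0.0-10.0")
    if finding.exploited_in_wild or finding.package in URGENT_PACKAGES:
        return "manual-now"
    return "automatic"

def correlate(sources: dict[str, str], findings: list[Finding]) -> dict[str, dict]:
    """Join distro advisory, scanner output and findings on the CVE ID, ordered by
    CVSS, so 'is my system affected, and how urgently?' has one answer per CVE."""
    mentions = {name: extract_cves(text) for name, text in sources.items()}
    return {
        f.cve: {"seen_in": sorted(n for n, ids in mentions.items() if f.cve in ids),
                "action": triage(f)}
        for f in sorted(findings, key=lambda x: -x.cvss)
    }

# Constructed sample input (not real advisory or scanner output).
SOURCES = {
    "debian-security-announce": "DSA-XXXX-1: xz-utils - CVE-2024-3094 backdoor in liblzma",
    "scanner": "host1 linux CVE-2099-00001 ; host1 nginx CVE-2099-00002",
}
FINDINGS = [
    Finding("CVE-2024-3094", "xz-utils", 10.0, exploited_in_wild=True),
    Finding("CVE-2099-00001", "linux", 7.8, exploited_in_wild=False),
    Finding("CVE-2099-00002", "nginx", 5.3, exploited_in_wild=False),
]
```

Running `correlate(SOURCES, FINDINGS)` lists each CVE with the sources that mention it and whether it goes to the manual queue or the automated run.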