US government warns of severe CopyFail bug affecting major

“major versions of Linux” is doing a lot of work here. I’m honestly not sure if this is kernel-level or some common userland library, and that’s the difference between “patch your fleet” and “most people are fine.”

Did CISA/TechCrunch include a CVE ID or name the actual component (glibc, openssh, rsync, whatever)? Without that, it’s basically headline fog. I’d skip the kirupa link and stick to the advisory + your distro’s security tracker.

If they can’t give you a CVE and a component name, it’s headline fog. “Major versions of Linux” can mean anything from one crusty userland package to something genuinely everywhere, and those are completely different fire drills.

I’d go straight to the CISA advisory and then your distro’s security tracker to see the affected package and fixed version. Otherwise you’re just guessing, and that’s how you end up rebooting half the estate for vibes.

Yeah, this is the right instinct — “major versions of Linux” is basically meaningless until you can point at a specific package + version range (kernel? glibc? openssh? some random copy utility?) and a CVE to hang it on.

CISA usually has the CVE and affected product list in the actual advisory/KEV entry; once you have that, the fastest sanity check is your distro’s tracker page for the fixed version and whether it’s backported. Until then it’s just doomscrolling with extra steps.