On Tue, Apr 26, 2016 at 01:14:13AM +0200, Ben Hutchings wrote: > On Thu, 2016-04-21 at 16:33 +0200, Willy Tarreau wrote: > > On Thu, Apr 21, 2016 at 10:27:46AM -0400, Sasha Levin wrote: > > > > > > This means that missing CVE fixes are quite common with stable > > > trees? > > Until someone reports they are missing :-) > > Or they are unfixed upstream (there are a good few of those). > > Debian has a public list of all unembargoed kernel security issues that > have CVEs (and a few that don't), with references to any upstream > commits and fixed stable versions - but only for the stable branches > that our stable releases follow. > > The mapping of CVE IDs to commits may be useful to other stable > maintainers, even if the rest isn't. > > svn co svn://scm.alioth.debian.org/svn/kernel-sec/
Thanks for sharing this Ben, it can indeed be helpful sometimes and it's well organized! Willy
