I wonder if 3.16.7 contains all the 3.16.3 CVE-fixes from https://koji.fedoraproject.org/koji/buildinfo?buildID=587751 and the previous 3.16.6 ones from Fedora because https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.7 doesn't mention them?
On Fri, Oct 31, 2014 at 06:09:13AM +0100, Reindl Harald wrote:
> I wonder if 3.16.7 contains all the 3.16.3 CVE-fixes from https://koji.fedoraproject.org/koji/buildinfo?buildID=587751 and the previous 3.16.6 ones from Fedora because https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.7 doesn't mention them?
They weren't added upstream, which is why the upstream ChangeLog doesn't list them. Sometimes the CVE information for a patch isn't listed there anyway. They're still in the Fedora kernel build of the same as add-on patches. This happens quite frequently.
josh
On 31.10.2014 at 12:33, Josh Boyer wrote:
> On Fri, Oct 31, 2014 at 06:09:13AM +0100, Reindl Harald wrote:
>> I wonder if 3.16.7 contains all the 3.16.3 CVE-fixes from https://koji.fedoraproject.org/koji/buildinfo?buildID=587751 and the previous 3.16.6 ones from Fedora because https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.7 doesn't mention them?
> They weren't added upstream, which is why the upstream ChangeLog doesn't list them. Sometimes the CVE information for a patch isn't listed there anyway. They're still in the Fedora kernel build of the same as add-on patches. This happens quite frequently.
thanks for feedback
good to know - sad that the upstream changelog doesn't start with a separate paragraph listing fixed CVEs independent of the commit log
kernel@lists.fedoraproject.org