Date: Tue, 26 Apr 2016 06:40:47 +0200
From: Willy Tarreau <w@1wt.eu>
To: Ben Hutchings <ben@decadent.org.uk>
Cc: Sasha Levin <sasha.levin@oracle.com>, Jiri Slaby <jslaby@suse.cz>,
        Greg KH <greg@kroah.com>, LKML <linux-kernel@vger.kernel.org>,
        stable <stable@vger.kernel.org>, lwn@lwn.net
Subject: Re: stable-security kernel updates
Message-ID: <20160426044047.GA20437@1wt.eu>
References: <571876AB.2060106@suse.cz>
 <5718B57D.4000504@oracle.com>
 <5718C0B8.8010609@suse.cz>
 <5718C215.7060703@suse.cz>
 <20160421123918.GA2294@kroah.com>
 <5718DB7F.2010701@oracle.com>
 <5718DFF3.8020306@suse.cz>
 <5718E362.5010402@oracle.com>
 <20160421143325.GC9930@1wt.eu>
 <1461626053.14569.30.camel@decadent.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <1461626053.14569.30.camel@decadent.org.uk>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 901
Lines: 24

On Tue, Apr 26, 2016 at 01:14:13AM +0200, Ben Hutchings wrote:
> On Thu, 2016-04-21 at 16:33 +0200, Willy Tarreau wrote:
> > On Thu, Apr 21, 2016 at 10:27:46AM -0400, Sasha Levin wrote:
> > > 
> > > This means that missing CVE fixes are quite common with stable
> > > trees?
> > Until someone reports they are missing :-)
> 
> Or they are unfixed upstream (there are a good few of those).
> 
> Debian has a public list of all unembargoed kernel security issues that
> have CVEs (and a few that don't), with references to any upstream
> commits and fixed stable versions - but only for the stable branches
> that our stable releases follow.
> 
> The mapping of CVE IDs to commits may be useful to other stable
> maintainers, even if the rest isn't.
> 
> svn co?svn://scm.alioth.debian.org/svn/kernel-sec/

Thanks for sharing this Ben, it can indeed be helpful sometimes and it's
well organized!

Willy