
CVE

Posted Dec 6, 2024 19:55 UTC (Fri) by raven667 (subscriber, #5198)
In reply to: CVE by daeler
Parent article: Stable kernels 6.12.2, 6.11.11, and 4.19.325

> I assumed that a supported kernel would include fixes for known CVE's

I think the work they've been putting in on tracking bug fixes with security implications has helped make plain the simple truth that this _isn't_ happening, people aren't backporting _all_ known fixes and applying them to older kernel.org LTS releases, which is something the core kernel devs are intimately aware of but have had miserable luck in communicating with downstream developers over the decades. Issuing their own CVE tracking has lifted the wool off some people's eyes as to the real state of the kernel.



CVE

Posted Dec 9, 2024 8:42 UTC (Mon) by taladar (subscriber, #68407)

I really don't think this is a kernel-specific issue but a general flaw in the idea of LTS versions receiving backports.

The amount of effort required to literally backport every fix is just not sustainable, especially for the longer LTS support times where the user base shrinks significantly and is often mostly comprised of Enterprise customers who want to pay as little as possible while demanding to be treated entirely differently from everyone else (i.e. the people sticking to relatively up-to-date versions no older than a year or two at most).

Not to mention that the stability, the whole reason for staying on an old version, becomes a bigger and bigger lie the more backports introduce changes to the old version anyway.

