On Fri, May 18, 2018 at 09:00:07AM -0700, Guenter Roeck wrote:
> On Fri, May 18, 2018 at 04:52:07PM +0200, Greg Kroah-Hartman wrote:
> > On Fri, May 18, 2018 at 06:47:46AM -0700, Guenter Roeck wrote:
> > > Hi Greg,
> > >
> > > please apply commit dd83c161fbc ("kernel/exit.c: avoid undefined behaviour when calling wait4()")
> > > to v4.9.y and older to fix CVE-2018-10087.
> >
> > Odd no one asked for that one to be backported before :(
> >
>
> Not entirely surprising. The patch is from July 2017, it wasn't marked
> for stable, and the CVE has been created only recently (04/13/2018).
> CVE severity and the reference to the upstream commit were added
> yesterday, which caused our CVE tracker to barf at me.

Who applied for the CVE number? They should have been the ones to
notify people of the issue, so who should I go kick about this? :)

thanks,

greg k-h