Security Vulnerabilities for LTS Kernel 5.10

[Herbert220930]

A commercial security scan of Linux Kernel 5.10.136 (linux-5.10.136.tar.gz at https://cdn.kernel.org/pub/linux/kernel/v5.x) returned the following high severity vulnerabilities: CVE-2021-3493, CVE-2022-39189, WS-2021-0553, CVE-2021-32078, CVE-2017-15868, WS-2021-0561, WS-2021-0566, CVE-2022-1943, CVE-2021-20194, WS-2021-0557, WS-2021-0274

I believe that most of them are false positives because:

• Kernel 5.10 is an LTS release with the projected EOL date December 2026. (See https://www.kernel.org/category/releases.html) so that I assume that high severity security bugs are fixed.
• https://www.cvedetails.com/version/646876/Linux-Linux-Kernel-5.10.html does not report known vulnerability for the kernel 5.10:
• I did not find fixes for these vulnerability in the change log between 5.10.136 and 5.10.146 which is currently the latest 5.10 version.

I took a deeper look into CVE-2021-3493 which is fixed by https://github.com/gregkh/linux/commit/7c03e2cda4a584cadc398e8f6641ca9988a39d52. It is merged to kernel versions 5.11 or higher but NOT to version 5.10.

This raises the following questions:

• What is the policy regarding fixes of security bugs for the Kernel 5.10?
• Is anywhere a documentation for security vulnerabilities available which minimum kernel release introduced this vulnerability?
• Is there any other LTS/stable branch with a lower number of known vulnerabilities?

 

[kc1di]

which distro are you using? The answer to your last question will depend somewhat on the distro in use. For instance ubuntu has their own kernel team and produces modified kernels for their releases that are also used by Linux Mint and others.

 

[Herbert220930]

I have an own hardware and I am using the kernel source directly from https://cdn.kernel.org/pub/linux/kernel/v5.x. I do not use a Linux distribution.

 

[wizardfromoz]

@Herbert220930

Just in case of any misapprehension on your part, we are not an official arm nor organ of Linux, just scored the dot org name - we are manned by volunteer staff who share a love of Linux and have varying skills in various departments.

So basically, most of us would not a clue regarding your questions.

You are better advised to ask at kernel.org

Chris Turner
wizardfromoz

 

[Herbert220930]

Hi Chris,

Thanks for your hint. Can you give me a more specific hint (like email address or full URL) where I can ask this question?

Many thanks,
Herbert