Herbert220930
New Member
A commercial security scan of Linux Kernel 5.10.136 (linux-5.10.136.tar.gz at https://cdn.kernel.org/pub/linux/kernel/v5.x) returned the following high severity vulnerabilities: CVE-2021-3493, CVE-2022-39189, WS-2021-0553, CVE-2021-32078, CVE-2017-15868, WS-2021-0561, WS-2021-0566, CVE-2022-1943, CVE-2021-20194, WS-2021-0557, WS-2021-0274
I believe that most of them are false positives because:
- Kernel 5.10 is an LTS release with a projected EOL date of December 2026 (see https://www.kernel.org/category/releases.html), so I assume that high severity security bugs are fixed.
- https://www.cvedetails.com/version/646876/Linux-Linux-Kernel-5.10.html does not report any known vulnerabilities for kernel 5.10.
- I did not find fixes for these vulnerabilities in the change log between 5.10.136 and 5.10.146, which is currently the latest 5.10 version.
This raises the following questions:
- What is the policy regarding fixes of security bugs for the Kernel 5.10?
- Is there any documentation available for security vulnerabilities that states which minimum kernel release introduced each vulnerability?
- Is there any other LTS/stable branch with a lower number of known vulnerabilities?
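As an added example (not part of the post above and not kernel.org or scanner-vendor code), the following Python helper does the triage the poster describes by hand: it separates CVE identifiers from scanner-private identifiers (the `WS-` ids have no entry in the CVE database and must be looked up in the scanning vendor's own advisory data), then searches a stable changelog for lines that cite each CVE and records the release under which each citation appears. The changelog excerpt and the commit subjects are constructed placeholders, not real 5.10.x changelog entries.

```python
import re

# Constructed sample data (not real changelog text): the identifiers come from
# the post, the release headings and commit subjects are invented placeholders.
SCANNER_FINDINGS = [
    "CVE-2021-3493", "CVE-2022-39189", "WS-2021-0553", "CVE-2021-32078",
    "CVE-2017-15868", "WS-2021-0561",
]

CHANGELOG_EXCERPT = """\
Linux 5.10.146
fs: placeholder fix for an overflow (CVE-2021-32078)
net: placeholder hardening, no CVE referenced
Linux 5.10.140
kvm: placeholder fix (fixes CVE-2022-39189)
Linux 5.10.137
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def split_findings(findings):
    """Separate CVE ids from scanner-private ids (for example 'WS-' ids),
    which cannot be checked against the CVE database or a kernel changelog."""
    cves = sorted(f for f in findings if CVE_RE.fullmatch(f))
    other = sorted(f for f in findings if not CVE_RE.fullmatch(f))
    return cves, other


def cve_mentions(changelog, cves):
    """Map each CVE id to the changelog lines that cite it, each tagged with
    the release heading ('Linux x.y.z') the line appears under."""
    mentions = {c: [] for c in cves}
    release = None
    for line in changelog.splitlines():
        if line.startswith("Linux "):
            release = line.split()[1]
            continue
        for cve in CVE_RE.findall(line):
            if cve in mentions:
                mentions[cve].append((release, line.strip()))
    return mentions


def triage(findings, changelog):
    """Return which CVEs are cited in the changelog, which are not, and which
    findings are not CVE ids at all."""
    cves, other = split_findings(findings)
    mentions = cve_mentions(changelog, cves)
    cited = {c: m for c, m in mentions.items() if m}
    uncited = [c for c, m in mentions.items() if not m]
    return {"cited": cited, "uncited": uncited, "non_cve": other}


if __name__ == "__main__":
    result = triage(SCANNER_FINDINGS, CHANGELOG_EXCERPT)
    for cve, hits in result["cited"].items():
        for release, subject in hits:
            print(f"{cve}: cited in {release}: {subject}")
    print("not cited in this excerpt:", result["uncited"])
    print("not CVE ids, check vendor advisories:", result["non_cve"])
```

A CVE that lands in `uncited` is not evidence that the fix is missing: stable backports usually carry only the upstream commit subject, and many kernel fixes never mention a CVE number at all, so the next step for those ids is to locate the upstream fix commit and check whether it (or its backport) is present in the tree.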