Your headline's misleading. Red Hat knows it's long been fixed in the LTS kernels, but it still needs patching in the RHEL kernels. Generally speaking, current LTS kernels are not used in older Linux distros.
Can someone in the kernel dev space give a longer explanation for this? This looks to me like Red Hat assigning a CVE to something patched a long time ago. Is this just record keeping to label security issues with CVEs or has Red Hat left this unpatched for 17 months? (Or something else?)
I really hate the fact that RHEL updates kernels so slowly. This becomes very painful when your product cannot take advantage of some advanced kernel features just because you have customers running RHEL :(.
While Red Hat's backporting might not be great, I believe that upstream would do good if they would change their mind about having or not a well-defined vulnerability identification and notification system. It's understandable that almost every piece of kernel code could potentially be a bad actor, thus it would be tough to identify if every fix has security implications or not. Still, there must be a middle ground around common exploitation methods.