Description of problem:

The latest kernel in RHEL-5 (kernel-2.6.18-308.11.1.el5.src.rpm) is described here:

http://rhn.redhat.com/errata/RHSA-2012-1061.html

That description says the bug fixes CVE-2012-3375, however that CVE is NOT in the changelog for the kernel.

Also, in looking at the kernel changelog, the following entries are detailed:

* Fri Jun 15 2012 Alexander Gordeev <agordeev> [2.6.18-308.11.1.el5]
* Thu Jun 14 2012 Alexander Gordeev <agordeev> [2.6.18-308.10.1.el5]
* Wed Jun 06 2012 Alexander Gordeev <agordeev> [2.6.18-308.9.1.el5]
* Fri May 04 2012 Alexander Gordeev <agordeev> [2.6.18-308.8.1.el5]

Note: There was a 2.6.18-308.8.2.el5 kernel released on Jun 12th, however there is no 2.6.18-308.8.2.el5 entry in this kernel.

Are all the 2.6.18-308.8.2.el5 changes also included in the 2.6.18-308.11.1.el5 kernel?
Hi, Johnny.

The changelog entry in question for CVE-2012-3375 is:

- [fs] epoll: clear the tfile_check_list on -ELOOP (Jason Baron) [829670 817131]

The 2.6.18-308.2.el5 kernel was to fix some xen issues:

https://rhn.redhat.com/errata/RHSA-2012-0721.html

Those fixes are included in and noted in the 2.6.18-308.10.1.el5 changelog:

* Thu Jun 14 2012 Alexander Gordeev <agordeev> [2.6.18-308.10.1.el5]
- [xen] x86_64: check address on trap handlers or guest callbacks (Paolo Bonzini) [813430 813431] {CVE-2012-0217}
- [xen] x86_64: Do not execute sysret with a non-canonical return address (Paolo Bonzini) [813430 813431] {CVE-2012-0217}
- [xen] x86: prevent hv boot on AMD CPUs with Erratum 121 (Laszlo Ersek) [824969 824970] {CVE-2012-2934}

The primary difference in the changelog from 308.8.2.el5 vs 308.10.1.el5 is that the CVE name was not known at the time of 308.8.2.el5 for the last issue (CVE-2012-2934). I suspect the same may be true here, and a future kernel will note that CVE name.

To answer the second question, yes, those fixes are present in 308.11.1.el5.