Multiple Linux distros are issuing security updates for OS versions that still use an older kernel branch, after it came to light that a memory bug originally treated as minor is in reality much worse, and the bug has now been reclassified as a security flaw.
The original bug was discovered by Michael Davidson, a Google employee, back in April 2015 and was fixed in Linux kernel 4.0.
Bug initially classified as non-security issue
An initial analysis of the bug did not explore the possibility of it being used as an attack vector, so the fix shipped as one of many ordinary bugfixes included with the then newly launched Linux kernel 4.0.
Linux kernel maintainers also ported the patch to the older 3.x branch with the release of Linux kernel 3.10.77, but because the issue had been branded as a minor bugfix, the bug wasn't included in many Linux LTS releases.
Long-Term Support (LTS) releases are Linux OS versions deployed in enterprise and high-availability environments, and in most cases they receive security-only updates, so as not to pester sysadmins with constant updates that cause downtime or other production snags.
This means that while the majority of Linux desktop users, who run a recent kernel that was patched a long time ago, are not affected by this vulnerability, some critical server systems might still be vulnerable if they are running an older 3.x kernel as part of a Linux LTS distro.
"All versions of CentOS 7 before 1708 (released on September 13, 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable," the Qualys team said in an advisory released today after it made sure to inform all major Linux distros of the bug's real nature a few months ago.
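The affected-version criteria quoted above, together with the upstream fix points named earlier in the article (kernel 4.0 and the 3.10.77 backport), lend themselves to an inventory triage check. The script below is an added example and is not code from the article, from Qualys, or from any distribution. The /etc/centos-release and /etc/redhat-release string formats it parses, the ".el" suffix used to recognise enterprise vendor kernels, and every sample string are assumptions and constructed inputs, not facts taken from the page.

```python
"""Triage helper (added example, not from the article, Qualys or any distro).

Two checks over inventory data:
  * classify_release: maps a Red Hat-family release string onto the affected
    set quoted in the advisory (CentOS 7 before 1708, RHEL 7 before 7.4,
    every CentOS 6 and RHEL 6).
  * classify_upstream_kernel: compares a kernel version string with the
    upstream fix points (4.0, and 3.10.77 in the 3.10 branch).  Vendor
    kernels carry backports without bumping the upstream number, so they are
    flagged for an advisory lookup instead of a version comparison.
Release-file formats and the '.el' vendor suffix are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Assumed release-file formats (constructed examples):
#   "CentOS Linux release 7.4.1708 (Core)"   "CentOS release 6.9 (Final)"
#   "Red Hat Enterprise Linux Server release 7.4 (Maipo)"
_CENTOS = re.compile(r"^CentOS(?: Linux)? release (\d+)(?:\.(\d+))?(?:\.(\d{4}))?")
_RHEL = re.compile(r"^Red Hat Enterprise Linux(?: \w+)* release (\d+)(?:\.(\d+))?")
_UNAME = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def classify_release(release_line: str) -> str:
    """Return 'affected', 'not-affected' or 'unknown' for one release string.

    Anything the advisory text does not cover is reported as 'unknown',
    never silently as 'not-affected'.
    """
    m = _CENTOS.match(release_line)
    if m:
        major, _minor, build = m.groups()
        if major == "6":
            return "affected"                      # all CentOS 6
        if major == "7":
            if build is None:
                return "unknown"                   # no build tag to compare
            return "affected" if int(build) < 1708 else "not-affected"
        return "unknown"
    m = _RHEL.match(release_line)
    if m:
        major, minor = m.groups()
        if major == "6":
            return "affected"                      # all RHEL 6
        if major == "7":
            if minor is None:
                return "unknown"
            return "affected" if int(minor) < 4 else "not-affected"
        return "unknown"
    return "unknown"


def classify_upstream_kernel(uname_r: str) -> str:
    """Return 'fixed-upstream', 'unfixed-upstream', 'vendor-kernel' or 'unknown'.

    Only the branches the article speaks about are judged: 4.0 and later are
    fixed, 3.10.x is fixed from 3.10.77 on.  Other 3.x branches are 'unknown'.
    """
    m = _UNAME.match(uname_r)
    if not m:
        return "unknown"
    major, minor, patch, suffix = int(m[1]), int(m[2]), int(m[3]), m[4]
    if major >= 4:
        return "fixed-upstream"
    if ".el" in suffix:                            # assumed vendor marker
        return "vendor-kernel"
    if major == 3 and minor == 10:
        return "fixed-upstream" if patch >= 77 else "unfixed-upstream"
    return "unknown"


def triage_inventory(hosts: List[Tuple[str, str, str]]) -> Dict[str, Tuple[str, str]]:
    """Classify (hostname, release_line, uname_r) triples; hostname -> verdicts."""
    return {h: (classify_release(rel), classify_upstream_kernel(k)) for h, rel, k in hosts}


# Constructed sample inventory for demonstration.
SAMPLE_HOSTS = [
    ("db01", "CentOS Linux release 7.3.1611 (Core)", "3.10.0-514.el7.x86_64"),
    ("db02", "CentOS Linux release 7.4.1708 (Core)", "3.10.0-693.el7.x86_64"),
    ("web01", "Red Hat Enterprise Linux Server release 6.9 (Santiago)", "2.6.32-696.el6.x86_64"),
    ("build01", "Debian GNU/Linux 8", "3.16.43-2+deb8u2"),
    ("dev01", "Fedora release 26 (Twenty Six)", "4.12.5-300.fc26.x86_64"),
]

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_HOSTS).items():
        print(f"{host:8s} release={verdict[0]:13s} kernel={verdict[1]}")
```

The two verdicts are deliberately kept separate: for an enterprise distro the release string is the only reliable signal, because the vendor kernel keeps its upstream number while fixes are backported, whereas for a self-built mainline kernel the version comparison is what matters.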