Post Syndicated from corbet original https://lwn.net/Articles/973996/
Ronnie Sahlberg, Jonathan Maple, and Jeremy Allison of CiQ have published a white paper looking at the security-relevant bug fixes applied (or not applied) to the RHEL 8.x kernel over time.
This means that over time, the security of the RHEL kernels gets worse and worse as more issues are discovered in the upstream code and are potentially exploitable, but fewer and fewer of the fixes for these known bugs are back-ported into RHEL kernels.

After reaching RHEL 8.7, the theory is that the kernel has been stabilized, with a corresponding improvement in security. However, we still have an influx of newly discovered bugs in the upstream kernel affecting RHEL 8.7 that are not addressed. Each minor version of upstream is released on an approximately quarterly basis, and we can see that the influx of new bugs that are unaddressed in RHEL is growing. The number of known issues in these kernels increases by approximately 250 new bugs per quarter or more.