Here is the CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229
Here is the referenced upstream patch: https://github.com/torvalds/linux/commit/197c949e7798fbf28cfadc69d9ca0c2abbf93191
It is missing from 4.1.39 (I checked) and applies. sys-kernel/gentoo-sources-4.1.39 and sys-kernel/vanilla-sources-4.1.39 are both vulnerable.
I would like to notify the Linux 4.1.y maintainer about this, but there is bold red text saying not to disclose anything or commit anything, so please let me know what I should do.
*** This bug has been marked as a duplicate of bug 615480 ***
I have notified the 4.1.y maintainer by email as per my discussion with Yury.
masked =vanilla-sources-4.1.39 https://github.com/gentoo/gentoo/commit/9f7aab68a74249534e48c2745b9f480f427859d1
Issue is public. Maintainer was notified via LKML >14d ago. Dupe of bug 615480.
*** This bug has been marked as a duplicate of bug 615480 ***