> The commit was made in May 2014. It was applied to the Ubuntu trusty kernel tree in June 2014. There was no mention of the security implications of the bug in the commit message, or elsewhere, so far as we can tell.
Linus did mention his policy on this [1].
On Tue, 15 Jul 2008, pageexec <at> freemail.hu wrote:
>
> by 'cover up' i meant that even when you know better, you quite
> consciously do *not* report the security impact of said bugs
Yes. Because the only place I consider appropriate is the kernel
changelogs, and since those get published with the sources, there is no
way I can convince myself that it's a good idea to say "Hey script
kiddies, try this" unless it's already very public indeed.
He also talked about this recently at debconf14 [2].
Linus did mention his policy on this [1].
He also talked about this recently at debconf14 [2].[1] http://thread.gmane.org/gmane.linux.kernel/701694/focus=7069...
[2] http://meetings-archive.debian.net/pub/debian-meetings/2014/...