Hi!

> ** Tracking CVEs
>
> CVE-2021-21781: v4.4 is not fixed as of 2021/07/29

This is basically missing memset. Does not look evil to backport.

> CVE-2021-3655: v4.4 is not fixed as of 2021/07/29

This may need a more careful look. There are 4 patches fixing this in mainline, but only two in 5.10. c7da1d1ed43a6c2bece0d287e2415adf2868697e should be easy to backport to 4.4.

> CVE-2021-31829: Linux kernel protection of stack pointer against
> speculative pointer arithmetic can be bypassed to leak content of
> kernel memory
>
> Fixed status
> mainline: [f8be156be163a052a067306417cd0ff679068c97]
> stable/4.19: [117777467bc015f0dc5fc079eeba0fa80c965149]

Strange, this talks about CVE-2021-22543 in the changelog.

> CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
> Bluetooth Core Specifications 4.0 through 5.2
>
> Not fixed in mainline yet
>
> CVE-2021-3655: missing size validations on inbound SCTP packets
>
> According to cip-kernel-sec's scripts v4.4 is not fixed as of 2021/07/29
>
> One of the patches, 50619dbf8db77e98d821d615af4f634d08e22698, is included.
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/sctp?h=linux-4.4.y&id=48cd035cad5b5fad0648aa8294c4223bedb166dd

I guess this should be listed in stable/4.4: ... then?

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany