DevConf.CZ 2025

Keeping the Linux kernel secure across 10+ RHEL releases
2025-06-12, E104 (capacity 72)

Red Hat Enterprise Linux (RHEL) customers have a ton of business cases that require them to run older versions of the operating system across varied enterprise and compliance needs. This requires Red Hat to backport, test and release CVE patches and bug fixes across 10+ z-streams.

This talk will take us through how kernel CVEs are identified and published by kernel.org as a fairly new CNA (CVE Numbering Authority), how these CVE trackers are filed against the active RHEL kernel releases, and the trials and tribulations of a young Kernel Sustaining Engineering team as they deliver CVE fixes across multiple branches of the RHEL kernel, especially in a complex and evolving environment where compliance requirements (e.g. FedRAMP) are critical to customers and partners.


What level of experience should the audience have to best understand your session?

Intermediate - attendees should be familiar with the subject

15 years in the Software Industry and Red Hat with experience in various roles from Software Engineer to Program Management to Engineering Leadership.