https://www.securityfocus.com/bid/108410
From the RedHat bug discussion:
https://bugzilla.redhat.com/show_bug.cgi?id=1709180
A flaw was found in the Linux kernel's implementation of IPMI (remote baseband access) where an attacker with local access to read /proc/ioports may be able to create a use-after-free condition when the kernel module is unloaded. The use-after-free condition may result in privilege escalation. Investigation is ongoing.
See https://security-tracker.debian.org/tracker/CVE-2019-11811 for a lot of other distro links (the Source section at the top).
(Score: 5, Insightful) by The Shire on Monday July 22 2019, @07:51PM
It totally has, no need to look it up. But that's the exception to the rule - it's really rare. And you can manually reverse out a patch like that very quickly.
The difference, of course, is that your exposure time is vastly reduced when you maintain a regular patch schedule. Debian, for example, is very fast to get security patches out, so if you maintain an up-to-date kernel and ancillary packages your exposure is at most a few hours, and that assumes you aren't manually patching even sooner. Your odds of staying "safe" are greatly improved by simply keeping your crap up to date.
By the time that exim zero day made the news all the systems under my control had already self patched. It's the folks who manually patch and subsequently forget to do it that get bitten in the ass. Botnets are made of all the orphaned servers that IT has forgotten about.
So yeah, I'm perfectly happy letting everything patch constantly. It's rare that a service needs to be restarted and even more rare that a server itself needs a restart. And in a cluster, having machines perform staggered restarts doesn't even impact the production environment they run in.
Really no good reason not to perform continuous patching.