Ubuntu – changelog for Ubuntu Security Notices

Tags: canonical, changelog, security

While keeping track of USNs for the Stack Clash vulnerability, I noticed that already published USNs were showing up before ones published later. USNs 33{24..27}-1 were originally published on the 19th, and now they show a date of the 21st (compare the webpage with the mailing list post for 3324-1). For 3324-1, it seems some kernel packages were dropped from the list. However, it is tedious to examine all the updated USNs manually.

Is there a place where I can see what changed in a USN?


Aside: why would they update a USN, instead of posting a new one and incrementing the number after the hyphen?

Best Answer

Unfortunately, there are no changelogs of updates to the USNs themselves. Usually, once published, the USNs do not change, other than to fix a typo or make a slight wording change.

For the set of kernel USNs that covered the Stack Clash issue (CVE-2017-1000364), mistakes were made in the publication process that included references and descriptions to fixes that were not actually included in the kernels published to the -security pockets. They covered issues that were pending for the next round of regular Stable Release Update cadence kernels. Due to this, the USNs were updated to include only the CVE-2017-1000364 reference and description.

These issues will be addressed in the next round of kernel updates, which were planned to be released already, but were delayed due to the need to incorporate the fixes for CVE-2017-1000364, as well as to address regressions introduced by the Stack Clash fixes.
