
[BUG] CVE-2019-19922 inconsistency

Open gotthardp opened this issue 4 years ago • 2 comments

Describe the bug

The CVE-2019-19922 is said to be affecting version "v4.18-rc4 to v5.4-rc1". However, it shows it was fixed also in 4.14.154 (on the web and in stream_fixes.json). However, the CVE is not shown under 4.14 in stream_data.json.

I assume that in mainline branch the bug was introduced in v4.18 and fixed in v5.4. The bug was then likely backported to 4.14.x and later fixed in 4.14.154.

The Debian tracker says it "was backported to 3.16 and 4.14." https://salsa.debian.org/kernel-team/kernel-sec/-/blob/master/retired/CVE-2019-19922

Expected behavior

  1. I expected to see the fix for 4.14 also in stream_data.json.
  2. As a wish, I would love to see multiple "Breaks" if the bug was backported. There are multiple "Fixed versions" for various branches, so it would be great to see multiple "Breaks" too in situations similar to CVE-2019-19922.
  3. I would love to see also 3.16 as an affected branch somewhere (if the backport was done in the official branch).

gotthardp avatar Apr 15 '20 19:04 gotthardp

A similar situation is CVE-2019-19037. Debian analyst says the bug was backported "to various other stable trees in 5.2.4, 5.1.21, 4.19.62, 4.14.135 and 4.9.187 already." www.linuxkernelcves.com says it affects v5.3-rc1 to v5.5-rc3, but shows fixes also for 4.9, 4.14 and 4.19, which confirms Debian was right.

gotthardp avatar Apr 15 '20 19:04 gotthardp
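The mismatch described in the report and the follow-up comment (a stable-stream fix recorded in stream_fixes.json but no matching entry under that stream in stream_data.json) can be caught mechanically. The check below is an added example, not code from the linux_kernel_cves project; the JSON layout it assumes (stream_fixes.json as cve -> stream -> {cmt_id, fixed_version}, stream_data.json as stream -> release -> cve) is an assumption, and the sample data is constructed from the versions quoted in this issue, with placeholder commit ids.

```python
import json

# Constructed sample data (not the project's real files). The layout is an
# assumption about linux_kernel_cves' JSON: stream_fixes.json maps
# cve -> stream -> {"cmt_id", "fixed_version"}, and stream_data.json maps
# stream -> release -> cve -> details (plus an "outstanding" bucket).
STREAM_FIXES = json.loads("""{
  "CVE-2019-19922": {
    "4.14": {"cmt_id": "<placeholder>", "fixed_version": "4.14.154"}
  },
  "CVE-2019-19037": {
    "4.9":  {"cmt_id": "<placeholder>", "fixed_version": "4.9.187"},
    "4.14": {"cmt_id": "<placeholder>", "fixed_version": "4.14.135"},
    "4.19": {"cmt_id": "<placeholder>", "fixed_version": "4.19.62"}
  }
}""")

STREAM_DATA = json.loads("""{
  "4.9":  {"4.9.187":  {"CVE-2019-19037": {"cmt_id": "<placeholder>"}}},
  "4.14": {"4.14.135": {"CVE-2019-19037": {"cmt_id": "<placeholder>"}},
           "outstanding": {}},
  "4.19": {"4.19.62":  {"CVE-2019-19037": {"cmt_id": "<placeholder>"}}}
}""")


def find_inconsistencies(stream_fixes, stream_data):
    """Return one (cve, stream, fixed_version, reason) tuple per fix that
    stream_fixes.json records but stream_data.json does not reflect."""
    problems = []
    for cve, streams in stream_fixes.items():
        for stream, fix in streams.items():
            fixed_in = fix["fixed_version"]
            releases = stream_data.get(stream)
            if releases is None:
                problems.append((cve, stream, fixed_in, "stream absent"))
                continue
            if cve in releases.get(fixed_in, {}):
                continue  # consistent: listed under the release that fixed it
            # Listed under some other release, or under no release at all
            listed = [v for v, cves in releases.items()
                      if v != "outstanding" and cve in cves]
            reason = f"listed under {listed[0]}" if listed else "not listed"
            problems.append((cve, stream, fixed_in, reason))
    return problems


if __name__ == "__main__":
    for item in find_inconsistencies(STREAM_FIXES, STREAM_DATA):
        print("%s: stream %s fixed in %s but stream_data says %s" % item)
```

On the constructed data this flags exactly the CVE-2019-19922 / 4.14 case from the report, while the three CVE-2019-19037 backports pass.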

Yeah, I think we would have to enable a way to view when individual breaking commits (those that introduced the vuln) hit the stable streams and then when the fixing commit hit. Right now we only expose when the fixing commit hit the stable stream, which I agree can be confusing.

@quietcorey can you think of quick UI changes that expose this? Or are we looking at another section for affected stable streams that displays the vulnerable version timeline....

nluedtke avatar Apr 15 '20 20:04 nluedtke