I have a question about CVE numbers. We are trying to check if CVE-2011-1013 is covered by our kernel version. The kernel version itself would suggest that this has been patched, as it's greater than recommended, BUT there is no mention of this CVE number in the change log information in the package.

Is it usual for not all CVE numbers to be documented in the changelog? If so, I assume we have only the version number to go by; is this correct?

Seeking clarification.