maria-developers team mailing list archive

Thread
Date

List affecting CVEs at mariadb.com

To: Daniel Bartholomew <dbart@xxxxxxxxxxx>
From: Otto Kekäläinen <otto@xxxxxxxxx>
Date: Mon, 11 Aug 2014 09:51:16 +0300
Cc: maria-developers <maria-developers@xxxxxxxxxxxxxxxxxxx>, maria-docs <maria-docs@xxxxxxxxxxxxxxxxxxx>, community@xxxxxxxxxxx

Hello Daniel (and others),

The usual changelogs[1] and relese notes[2] don't seem to contain CVE
identifiers, or even a separate section about fixed security issues

For the downstream security teams if would be reassuring if the CVE
information would be easily available. For example if the security
teams follow the CVE news and they for example know or suspect that
CVE-2014-4260 affects MariaDB, it would be nice to see if it is
already fixed or what version it was fixed in, so downstream security
teams can organize and prioritize their patching and release work.

Do you have any suggestion how to address this?

Should we maybe have a separate wiki page, e.g.
https://mariadb.com/kb/en/mariadb/cve/ that would have a table of CVEs
and MariaDB 5.5/10.0/Galera versions where they are fixed? Or should
just each release notes include a subsection "Security" with these
details? Something else?

Of course we need to consider timing issues, e.g. a security issue
fixed in MariaDB might get publicity and a CVE only later when Oracle
releases it, and in those cases old release notes need to be upgraded
to include the CVE identifiers.


[1] https://mariadb.com/kb/en/mariadb-10013-changelog/
[2] https://mariadb.com/kb/en/mariadb-10013-release-notes/

(To be exact, googling for 'mariadb cve' does give one hit at
mariadb.com in the 5.3.12 release notes)

Follow ups

Re: List affecting CVEs at mariadb.com
From: Daniel Bartholomew, 2014-08-11