
maria-developers team mailing list archive

Re: List affecting CVEs at mariadb.com


On Mon, Aug 11, 2014 at 2:51 AM, Otto Kekäläinen <otto@xxxxxxxxx> wrote:
> Hello Daniel (and others),
>
> The usual changelogs[1] and release notes[2] don't seem to contain CVE
> identifiers, or even a separate section about fixed security issues.
>
> For the downstream security teams it would be reassuring if the CVE
> information were easily available. For example, if the security
> teams follow the CVE news and they for example know or suspect that
> CVE-2014-4260 affects MariaDB, it would be nice to see if it is
> already fixed or what version it was fixed in, so downstream security
> teams can organize and prioritize their patching and release work.
>
> Do you have any suggestion how to address this?
>
> Should we maybe have a separate wiki page, e.g.
> https://mariadb.com/kb/en/mariadb/cve/ that would have a table of CVEs
> and MariaDB 5.5/10.0/Galera versions where they are fixed? Or should
> just each release notes include a subsection "Security" with these
> details? Something else?
>
> Of course we need to consider timing issues, e.g. a security issue
> fixed in MariaDB might get publicity and a CVE only later when Oracle
> releases it, and in those cases old release notes need to be upgraded
> to include the CVE identifiers.
>
>
> [1] https://mariadb.com/kb/en/mariadb-10013-changelog/
> [2] https://mariadb.com/kb/en/mariadb-10013-release-notes/
>
> (To be exact, googling for 'mariadb cve' does give one hit at
> mariadb.com in the 5.3.12 release notes)

A CVE page would be good. As would adding them to the release notes.
If someone will take up the role of keeping a CVE page up-to-date, I
can add a step to the release process to check the page prior to a
release and add CVE notices to the release notes and changelog
entries.

Thanks.

-- 
Daniel Bartholomew, MariaDB Release Manager
MariaDB | http://mariadb.com

