← Back to team overview

maria-developers team mailing list archive

Re: List affecting CVEs at mariadb.com

 

Hello!

2014-08-12 2:36 GMT+03:00 Daniel Bartholomew <dbart@xxxxxxxxxxx>:
> On Mon, Aug 11, 2014 at 2:51 AM, Otto Kekäläinen <otto@xxxxxxxxx> wrote:
...
>> The usual changelogs[1] and relese notes[2] don't seem to contain CVE
>> identifiers, or even a separate section about fixed security issues
...
>> Do you have any suggestion how to address this?
...
> A CVE page would be good. As would adding them to the release notes.
> If someone will take up the role of keeping a CVE page up-to-date, I
> can add a step to the release process to check the page prior to a
> release and add CVE notices to the release notes and changelog
> entries.

Any updates on this?

The Debian release and security team have stated that they are
concerned about the state on MySQL in Debian. It would very much help
to champion MariaDB in this context if I could show that upstream
MariaDB is responsive and has started to maintain CVE identifiers in
their release documentation...

Maybe you can just open a wiki page and copy the CVE identifiers and
security release info from my changelog file
(http://anonscm.debian.org/cgit/pkg-mysql/mariadb-5.5.git/tree/debian/changelog)
to the wiki page as a quick fix for the current situation? And the
remember to expand the page while preparing the next releases?


References