← Back to team overview

maria-developers team mailing list archive

Re: [Maria-docs] List affecting CVEs at mariadb.com


Hi, Daniel!

It turns out, we have a task for that:

Bryan suggested to have a macro in KB, we'll tag CVE entries in the
release notes with it, and they'll be automatically collected to a
sepatare CVE page. So I understood. Let's try to have it asap, then I'll
prepare a list of CVEs.


On Aug 11, Daniel Bartholomew wrote:
> On Mon, Aug 11, 2014 at 2:51 AM, Otto Kekäläinen <otto@xxxxxxxxx> wrote:
> > Hello Daniel (and others),
> >
> > The usual changelogs[1] and relese notes[2] don't seem to contain CVE
> > identifiers, or even a separate section about fixed security issues
> >
> > For the downstream security teams if would be reassuring if the CVE
> > information would be easily available. For example if the security
> > teams follow the CVE news and they for example know or suspect that
> > CVE-2014-4260 affects MariaDB, it would be nice to see if it is
> > already fixed or what version it was fixed in, so downstream security
> > teams can organize and prioritize their patching and release work.
> >
> > Do you have any suggestion how to address this?
> >
> > Should we maybe have a separate wiki page, e.g.
> > https://mariadb.com/kb/en/mariadb/cve/ that would have a table of CVEs
> > and MariaDB 5.5/10.0/Galera versions where they are fixed? Or should
> > just each release notes include a subsection "Security" with these
> > details? Something else?
> >
> A CVE page would be good. As would adding them to the release notes.
> If someone will take up the role of keeping a CVE page up-to-date, I
> can add a step to the release process to check the page prior to a
> release and add CVE notices to the release notes and changelog
> entries.