Hello!

2015-12-23 16:39 GMT+02:00 Norvald H. Ryeng <norvald.ry...@oracle.com>:

..

> I know we are a bit tight with info about security issues upstream, but all
> security bugfixes are available at https://github.com/mysql/mysql-server as
> individual commits, and a list of CVEs fixed is reported quarterly according
> to a published schedule.

Apparently that's not enough.

As a side note related to this, can you please tell us in what commit CVE-2015-4913 and CVE-2015-4737 were fixed? You probably have access to some internal security tracker where you can look this up, and both CVEs are already relatively old, so you would not be releasing any sensitive security info. I cannot find the commits based on the CVE descriptions, which are quite vague:

CVE-2015-4913
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to Server : DML, a different vulnerability than CVE-2015-4858.

CVE-2015-4737
Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Pluggable Auth.

It would be good if the security team had access to the "real" CVE data behind these vague titles.