On Mon, Aug 11, 2014 at 2:51 AM, Otto Kekäläinen <o...@seravo.fi> wrote:
> Hello Daniel (and others),
>
> The usual changelogs[1] and release notes[2] don't seem to contain CVE
> identifiers, or even a separate section about fixed security issues.
>
> For the downstream security teams it would be reassuring if the CVE
> information were easily available. For example, if the security
> teams follow the CVE news and they know or suspect that
> CVE-2014-4260 affects MariaDB, it would be nice to see if it is
> already fixed or what version it was fixed in, so downstream security
> teams can organize and prioritize their patching and release work.
>
> Do you have any suggestion how to address this?
>
> Should we maybe have a separate wiki page, e.g.
> https://mariadb.com/kb/en/mariadb/cve/ that would have a table of CVEs
> and the MariaDB 5.5/10.0/Galera versions where they are fixed? Or should
> each release notes page just include a subsection "Security" with these
> details? Something else?
>
> Of course we need to consider timing issues, e.g. a security issue
> fixed in MariaDB might get publicity and a CVE only later when Oracle
> releases it, and in those cases old release notes need to be updated
> to include the CVE identifiers.
>
>
> [1] https://mariadb.com/kb/en/mariadb-10013-changelog/
> [2] https://mariadb.com/kb/en/mariadb-10013-release-notes/
>
> (To be exact, googling for 'mariadb cve' does give one hit at
> mariadb.com in the 5.3.12 release notes)
A CVE page would be good. As would adding them to the release notes.

If someone will take up the role of keeping a CVE page up-to-date, I can add a step to the release process to check the page prior to a release and add CVE notices to the release notes and changelog entries.

Thanks.

--
Daniel Bartholomew, MariaDB Release Manager
MariaDB | http://mariadb.com

_______________________________________________
Mailing list: https://launchpad.net/~maria-developers
Post to     : maria-developers@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-developers
More help   : https://help.launchpad.net/ListHelp