[Maria-developers] List affecting CVEs at mariadb.com
Hello Daniel (and others),

The usual changelogs[1] and release notes[2] don't seem to contain CVE identifiers, or even a separate section about fixed security issues.

For the downstream security teams it would be reassuring if the CVE information would be easily available. For example if the security teams follow the CVE news and they for example know or suspect that CVE-2014-4260 affects MariaDB, it would be nice to see if it is already fixed or what version it was fixed in, so downstream security teams can organize and prioritize their patching and release work.

Do you have any suggestion how to address this?

Should we maybe have a separate wiki page, e.g. https://mariadb.com/kb/en/mariadb/cve/ that would have a table of CVEs and MariaDB 5.5/10.0/Galera versions where they are fixed? Or should just each release notes include a subsection "Security" with these details? Something else?

Of course we need to consider timing issues, e.g. a security issue fixed in MariaDB might get publicity and a CVE only later when Oracle releases it, and in those cases old release notes need to be upgraded to include the CVE identifiers.

[1] https://mariadb.com/kb/en/mariadb-10013-changelog/
[2] https://mariadb.com/kb/en/mariadb-10013-release-notes/

(To be exact, googling for 'mariadb cve' does give one hit at mariadb.com in the 5.3.12 release notes)
On Mon, Aug 11, 2014 at 2:51 AM, Otto Kekäläinen <otto@seravo.fi> wrote:
Hello Daniel (and others),
The usual changelogs[1] and release notes[2] don't seem to contain CVE identifiers, or even a separate section about fixed security issues.
For the downstream security teams it would be reassuring if the CVE information would be easily available. For example if the security teams follow the CVE news and they for example know or suspect that CVE-2014-4260 affects MariaDB, it would be nice to see if it is already fixed or what version it was fixed in, so downstream security teams can organize and prioritize their patching and release work.
Do you have any suggestion how to address this?
Should we maybe have a separate wiki page, e.g. https://mariadb.com/kb/en/mariadb/cve/ that would have a table of CVEs and MariaDB 5.5/10.0/Galera versions where they are fixed? Or should just each release notes include a subsection "Security" with these details? Something else?
Of course we need to consider timing issues, e.g. a security issue fixed in MariaDB might get publicity and a CVE only later when Oracle releases it, and in those cases old release notes need to be upgraded to include the CVE identifiers.
[1] https://mariadb.com/kb/en/mariadb-10013-changelog/
[2] https://mariadb.com/kb/en/mariadb-10013-release-notes/
(To be exact, googling for 'mariadb cve' does give one hit at mariadb.com in the 5.3.12 release notes)
A CVE page would be good. As would adding them to the release notes. If someone will take up the role of keeping a CVE page up-to-date, I can add a step to the release process to check the page prior to a release and add CVE notices to the release notes and changelog entries.

Thanks.

--
Daniel Bartholomew, MariaDB Release Manager
MariaDB | http://mariadb.com
Hello!

2014-08-12 2:36 GMT+03:00 Daniel Bartholomew <dbart@mariadb.com>:
On Mon, Aug 11, 2014 at 2:51 AM, Otto Kekäläinen <otto@seravo.fi> wrote: ...
The usual changelogs[1] and release notes[2] don't seem to contain CVE identifiers, or even a separate section about fixed security issues ... Do you have any suggestion how to address this? ... A CVE page would be good. As would adding them to the release notes. If someone will take up the role of keeping a CVE page up-to-date, I can add a step to the release process to check the page prior to a release and add CVE notices to the release notes and changelog entries.
Any updates on this? The Debian release and security team have stated that they are concerned about the state of MySQL in Debian. It would very much help to champion MariaDB in this context if I could show that upstream MariaDB is responsive and has started to maintain CVE identifiers in their release documentation...

Maybe you can just open a wiki page and copy the CVE identifiers and security release info from my changelog file (http://anonscm.debian.org/cgit/pkg-mysql/mariadb-5.5.git/tree/debian/changel...) to the wiki page as a quick fix for the current situation? And then remember to expand the page while preparing the next releases?
Hi, Daniel!

It turns out, we have a task for that: https://mariadb.atlassian.net/browse/MDEV-4105

Bryan suggested to have a macro in KB, we'll tag CVE entries in the release notes with it, and they'll be automatically collected to a separate CVE page. So I understood.

Let's try to have it asap, then I'll prepare a list of CVEs.

Regards,
Sergei

On Aug 11, Daniel Bartholomew wrote:
On Mon, Aug 11, 2014 at 2:51 AM, Otto Kekäläinen <otto@seravo.fi> wrote:
Hello Daniel (and others),
The usual changelogs[1] and release notes[2] don't seem to contain CVE identifiers, or even a separate section about fixed security issues.
For the downstream security teams it would be reassuring if the CVE information would be easily available. For example if the security teams follow the CVE news and they for example know or suspect that CVE-2014-4260 affects MariaDB, it would be nice to see if it is already fixed or what version it was fixed in, so downstream security teams can organize and prioritize their patching and release work.
Do you have any suggestion how to address this?
Should we maybe have a separate wiki page, e.g. https://mariadb.com/kb/en/mariadb/cve/ that would have a table of CVEs and MariaDB 5.5/10.0/Galera versions where they are fixed? Or should just each release notes include a subsection "Security" with these details? Something else?
A CVE page would be good. As would adding them to the release notes. If someone will take up the role of keeping a CVE page up-to-date, I can add a step to the release process to check the page prior to a release and add CVE notices to the release notes and changelog entries.
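The mechanism Sergei describes above (tag each CVE entry in a release's notes, then collect the tags automatically into one CVE table) and the downstream question Otto raises (is a given CVE fixed in the version I ship?) can both be prototyped in a few lines. The script below is an added example written for this thread, not the KB macro or any MariaDB code. The `[cve:...]` tag syntax, the release-note text and the CVE identifiers (`CVE-0000-...`, an impossible year) are constructed placeholders; the version numbers are only used to show how per-series "earliest fix" lookup works. Because it rescans every release's notes on each run, a CVE identifier added later to an old release's notes (the timing problem Otto mentions) simply shows up in the table on the next run.

```python
import re
from collections import defaultdict

# Constructed sample release notes, keyed by version. Not real MariaDB notes;
# the CVE ids are placeholders with an impossible year so they match nothing real.
# The assumed convention: a CVE entry is tagged as [cve:CVE-YYYY-NNNN] in the notes.
RELEASE_NOTES = {
    "10.0.13": (
        "Security:\n"
        "[cve:CVE-0000-0002] Fixed an authentication bypass (placeholder text)\n"
        "[cve:CVE-0000-0001] Note added later: this fix first shipped in 10.0.12\n"
    ),
    "10.0.12": "[cve:CVE-0000-0001] Fixed a crash in the parser (placeholder text)\n",
    "5.5.39": "[cve:CVE-0000-0001] Fixed a crash in the parser (placeholder text)\n",
    "5.5.38": "No security fixes in this release.\n",
}

CVE_TAG = re.compile(r"\[cve:(CVE-\d{4}-\d{4,})\]")


def version_key(version):
    """'10.0.13' -> (10, 0, 13), so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def series(version):
    """'10.0.13' -> '10.0': the release series a downstream tracks."""
    return ".".join(version.split(".")[:2])


def collect_cves(notes):
    """Scan all release notes and return {cve: {series: earliest fixed version}}.

    Rescanning everything each time means a tag added retroactively to an old
    release's notes is picked up without any extra bookkeeping.
    """
    table = defaultdict(dict)
    for version, text in notes.items():
        for cve in CVE_TAG.findall(text):
            s = series(version)
            current = table[cve].get(s)
            if current is None or version_key(version) < version_key(current):
                table[cve][s] = version
    return dict(table)


def render_table(table):
    """Render the CVE page as a plain 'CVE | 5.5 | 10.0' table; '-' means not fixed in that series."""
    all_series = sorted({s for fixes in table.values() for s in fixes}, key=version_key)
    lines = ["CVE | " + " | ".join(all_series)]
    for cve in sorted(table):
        cells = [table[cve].get(s, "-") for s in all_series]
        lines.append(cve + " | " + " | ".join(cells))
    return "\n".join(lines)


def is_fixed(table, cve, version):
    """Downstream check: does `version` include the fix for `cve` in its own series?"""
    fixed_in = table.get(cve, {}).get(series(version))
    return fixed_in is not None and version_key(version) >= version_key(fixed_in)


if __name__ == "__main__":
    cve_table = collect_cves(RELEASE_NOTES)
    print(render_table(cve_table))
    for v in ("5.5.38", "5.5.39", "10.0.11", "10.0.13"):
        print(v, "fixed for CVE-0000-0001:", is_fixed(cve_table, "CVE-0000-0001", v))
```

The earliest-version-per-series rule matters for the retroactive case: when a later release's notes repeat a CVE that was actually fixed earlier, the table still points downstream teams at the first release that carried the fix.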
Participants (3):
- Daniel Bartholomew
- Otto Kekäläinen
- Sergei Golubchik