Bug #89430 Release notes are missing important CVE fixes
Submitted: 26 Jan 8:34 Modified: 31 Jan 19:33
Reporter: Roel Van de Paar (OCA)
Status: Open
Category:MySQL Server: Documentation Severity:S1 (Critical)
Version:5.x OS:Any
Assigned to: CPU Architecture:Any

[26 Jan 8:34] Roel Van de Paar

Does not list important CVE fixes

There may be similar shortcomings in other releases

How to repeat:
[26 Jan 9:31] Peter Laursen
I think that *as a matter of policy* (by Oracle) security fixes are not documented in release notes (at least not documented in detail).

This is not the first complaint!

-- Peter
-- not a MySQL/Oracle person
[26 Jan 13:29] Godofredo Miguel Solorzano
Thank you for the bug report.
[29 Jan 17:07] Stefan Hinz
Posted by developer:
Bug reports that include CVE numbers include the CVE in the changelog entry. Bug reports that do not include CVE numbers include no CVE in the changelog entry.
[30 Jan 20:32] Roel Van de Paar
Stefan, thank you for your input. 

My personal thought on this would be that if Oracle fixes CVE issues - especially high-profile ones like the ones we saw here - it would be good to include them in the release notes.
[30 Jan 20:33] Roel Van de Paar
Percona's 5.5 release is already updated with the fixes, and we've included the CVEs fixed there based on our research.


"This release contains fixes for the following CVE issues: CVE-2018-2562, CVE-2018-2622, CVE-2018-2640, CVE-2018-2665, CVE-2018-2668."
[31 Jan 3:45] Umesh Shastry
This is available at "Oracle Critical Patch Update Advisory - January 2018"

[31 Jan 17:05] Roel Van de Paar
Umesh, thank you. 

My request remains to include a link to the CVEs (or to the page you mentioned) in the release notes when a release contains CVE fixes.

It will help the community to identify when patches contain vulnerability fixes.
[31 Jan 19:33] Roel Van de Paar
As an example, it has taken us considerable time/effort to link CVEs with specific patches in the last 5.5, 5.6 and 5.7 releases.

There are about 21 CVEs fixed...

Ref: https://docs.google.com/spreadsheets/d/1Jm8TMxyMBQjLrWpCbw8bRG7RRKqtF7Y15_wQU42l0fc/edit#g...

Transparency is key.