Bug #89430 Release notes are missing important CVE fixes
Submitted: 26 Jan 2018 8:34
Modified: 27 Mar 2018 7:01
Reporter: Roel Van de Paar
Status: Verified
Category: MySQL Server: Documentation
Severity: S1 (Critical)
Version: 5.x, 8.x
OS: Any
CPU Architecture: Any

[26 Jan 2018 8:34] Roel Van de Paar

Does not list important CVE fixes

There may be similar shortcomings in other releases

How to repeat:
[26 Jan 2018 9:31] Peter Laursen
I think that *as a matter of policy* (by Oracle) security fixes are not documented in release notes (at least not documented in detail).

This is not the first complaint!

-- Peter
-- not a MySQL/Oracle person
[26 Jan 2018 13:29] MySQL Verification Team
Thank you for the bug report.
[29 Jan 2018 17:07] Stefan Hinz
Posted by developer:
Bug reports that include CVE numbers include the CVE in the changelog entry. Bug reports that do not include CVE numbers include no CVE in the changelog entry.
[30 Jan 2018 20:32] Roel Van de Paar
Stefan, thank you for your input. 

My personal thought on this would be that if oracle fixes CVE issues - especially high profile ones like the ones we saw here - it would be good to include them in the release notes.
[30 Jan 2018 20:33] Roel Van de Paar
Percona's 5.5 release is already updated with the fixes and we've included the CVEs fixed there based on our research.

"This release contains fixes for the following CVE issues: CVE-2018-2562, CVE-2018-2622, CVE-2018-2640, CVE-2018-2665, CVE-2018-2668."
[31 Jan 2018 3:45] MySQL Verification Team
This is available at "Oracle Critical Patch Update Advisory - January 2018"

[31 Jan 2018 17:05] Roel Van de Paar
Umesh, thank you. 

My request remains to include a link to CVEs (or to the page you mentioned) in the release notes when a release contains CVE fixes.

It will help the community to identify when patches contain vulnerability fixes.
[31 Jan 2018 19:33] Roel Van de Paar
As an example, it has taken us considerable time/effort to link CVEs with specific patches in the last 5.5, 5.6 and 5.7 releases.

There are about 21 CVEs fixed...

Ref: https://docs.google.com/spreadsheets/d/1Jm8TMxyMBQjLrWpCbw8bRG7RRKqtF7Y15_wQU42l0fc/edit#g...

Transparency is key.
[27 Mar 2018 6:11] Roel Van de Paar
Can this be verified and discussed internally please?
[27 Mar 2018 6:12] Roel Van de Paar