| Bug #89430 | Release notes are missing important CVE fixes | | |
|---|---|---|---|
| Submitted: | 26 Jan 2018 8:34 | Modified: | 27 Mar 2018 7:01 |
| Reporter: | Roel Van de Paar | Email Updates: | |
| Status: | Verified | Impact on me: | |
| Category: | MySQL Server: Documentation | Severity: | S1 (Critical) |
| Version: | 5.x,8.x | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
[26 Jan 2018 8:34]
Roel Van de Paar
[26 Jan 2018 9:31]
Peter Laursen
I think that *as a matter of policy* (by Oracle) security fixes are not documented in release notes (at least not documented in detail). This is not the first complaint! -- Peter -- not a MySQL/Oracle person
[26 Jan 2018 13:29]
MySQL Verification Team
Thank you for the bug report.
[29 Jan 2018 17:07]
Stefan Hinz
Posted by developer: Bug reports that include CVE numbers include the CVE in the changelog entry. Bug reports that do not include CVE numbers include no CVE in the changelog entry.
[30 Jan 2018 20:32]
Roel Van de Paar
Stefan, thank you for your input. My personal thought on this would be that if Oracle fixes CVE issues - especially high profile ones like the ones we saw here - it would be good to include them in the release notes.
[30 Jan 2018 20:33]
Roel Van de Paar
Percona's 5.5 release is already updated with the fixes and we've included the CVEs fixed there based on our research https://www.percona.com/blog/2018/01/30/percona-server-for-mysql-5-5-59-38-11-is-now-avail... "This release contains fixes for the following CVE issues: CVE-2018-2562, CVE-2018-2622, CVE-2018-2640, CVE-2018-2665, CVE-2018-2668."
[31 Jan 2018 3:45]
MySQL Verification Team
This is available at "Oracle Critical Patch Update Advisory - January 2018" http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL
[31 Jan 2018 17:05]
Roel Van de Paar
Umesh, thank you. My request remains to include a link to CVEs (or to the page you mentioned) in the release notes when a release contains CVE fixes. It will help the community to identify when patches contain vulnerability fixes.
[31 Jan 2018 19:33]
Roel Van de Paar
As an example, it has taken us considerable time/effort to link CVEs with specific patches in the last 5.5, 5.6 and 5.7 releases. There are about 21 CVEs fixed... Ref: https://docs.google.com/spreadsheets/d/1Jm8TMxyMBQjLrWpCbw8bRG7RRKqtF7Y15_wQU42l0fc/edit#g... Transparency is key.
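The gap the thread describes (a release that ships CVE fixes whose notes never name them) is easy to check mechanically once an advisory list is in hand. The following is an added example, not code from the bug report, from Percona or from Oracle: it extracts CVE identifiers from release-note text and reports which advisory CVEs a release's notes omit. The release-note strings are constructed for illustration (the Percona one repeats the sentence quoted earlier in the thread; the "upstream-style" one is invented to show a notes entry with no CVE references), and the advisory set is the five CVE IDs quoted above.

```python
import re
from typing import Dict, List, Set

# MITRE CVE identifier format: CVE-YYYY-NNNN, with four or more sequence digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed release-note text standing in for what one would fetch from a vendor.
# The first entry repeats the sentence quoted from Percona's announcement in the thread;
# the second is an invented notes entry that describes fixes without naming any CVE.
RELEASE_NOTES: Dict[str, str] = {
    "percona-5.5.59-38.11": (
        "This release contains fixes for the following CVE issues: "
        "CVE-2018-2562, CVE-2018-2622, CVE-2018-2640, CVE-2018-2665, CVE-2018-2668."
    ),
    "upstream-style-notes": (
        "Bugs Fixed: A query with a subquery could cause a server exit. "
        "An invalid read could occur in the partitioning code."
    ),
}

# The five CVE IDs quoted in the thread as fixed by the January 2018 release.
ADVISORY_CVES: Set[str] = {
    "CVE-2018-2562", "CVE-2018-2622", "CVE-2018-2640", "CVE-2018-2665", "CVE-2018-2668",
}


def extract_cves(text: str) -> Set[str]:
    """Return the set of CVE IDs mentioned in free-form text, normalised to upper case."""
    return {match.upper() for match in CVE_RE.findall(text)}


def missing_cves(notes: str, advisory: Set[str]) -> List[str]:
    """Advisory CVEs that the release notes never mention, in sorted order."""
    return sorted(advisory - extract_cves(notes))


def audit(release_notes: Dict[str, str], advisory: Set[str]) -> Dict[str, List[str]]:
    """Map each release name to the advisory CVEs absent from its notes."""
    return {name: missing_cves(text, advisory) for name, text in release_notes.items()}


if __name__ == "__main__":
    for release, missing in audit(RELEASE_NOTES, ADVISORY_CVES).items():
        status = "OK" if not missing else f"missing {len(missing)}: {', '.join(missing)}"
        print(f"{release}: {status}")
```

Running the audit on the constructed data reports the Percona notes as complete and the CVE-less notes as missing all five advisory IDs; in practice the advisory set would be populated from the vendor's Critical Patch Update page linked earlier in the thread, and a non-empty result is the signal that a release needs closer review before deciding whether it is a security update.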
[27 Mar 2018 6:11]
Roel Van de Paar
Can this be verified and discussed internally please?
[27 Mar 2018 6:12]
Roel Van de Paar
.