Bug #89430 Release notes are missing important CVE fixes
Submitted: 26 Jan 8:34 Modified: 27 Mar 7:01
Reporter: Roel Van de Paar (OCA) Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Server: Documentation Severity:S1 (Critical)
Version:5.x,8.x OS:Any
Assigned to: CPU Architecture:Any

[26 Jan 8:34] Roel Van de Paar
Description:
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-59.html

Does not list important CVE fixes

There may be similar shortcomings in other releases

How to repeat:
https://www.debian.org/security/2018/dsa-4091
https://security-tracker.debian.org/tracker/CVE-2018-2562
https://security-tracker.debian.org/tracker/CVE-2018-2647
etc.
[26 Jan 9:31] Peter Laursen
IU think tat *as a matter of policy* (by Oracle) security fixes are not documented in release notes (at least not documented in detail).

This is is not the first complaint!

-- Peter
-- not a MySQL/Oracle person
[26 Jan 13:29] Miguel Solorzano
Thank you for the bug report.
[29 Jan 17:07] Stefan Hinz
Posted by developer:
 
Bug reports that include CVE numbers include the CVE in the changelog entry. Bug reports that do not include CVE numbers include no CVE in the changelog entry.
[30 Jan 20:32] Roel Van de Paar
Stefan, thank you for your input. 

My personal thought on this would be that if oracle fixes CVE issues - especially high profile ones like the ones we saw here - it would be good to include them in the release notes.
[30 Jan 20:33] Roel Van de Paar
Percona's 5.5 release is already updated with the fixes and we've included the CVE's fixed there based on our research

https://www.percona.com/blog/2018/01/30/percona-server-for-mysql-5-5-59-38-11-is-now-avail...

"This release contains fixes for the following CVE issues: CVE-2018-2562, CVE-2018-2622, CVE-2018-2640, CVE-2018-2665, CVE-2018-2668."
[31 Jan 3:45] Umesh Shastry
This is available at "Oracle Critical Patch Update Advisory - January 2018"

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL
[31 Jan 17:05] Roel Van de Paar
Umesh, thank you. 

My request remains to include a link to CVE's (or to the page you mentioned) in the release notes when a release contains CVE fixes. 

It will help the community to identify when patches contain vulnerability fixes.
[31 Jan 19:33] Roel Van de Paar
As an example, it has taken us considerable time/effort to link CVE's with specific patches in the last 5.5, 5.6 and 5.7 releases. 

There are about 21 CVE's fixed...

Ref: https://docs.google.com/spreadsheets/d/1Jm8TMxyMBQjLrWpCbw8bRG7RRKqtF7Y15_wQU42l0fc/edit#g...

Transparency is key.
[27 Mar 6:11] Roel Van de Paar
Can this be verified and discussed internally please?
[27 Mar 6:12] Roel Van de Paar
.