[debian-mysql] Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: Bug#793316: transition: mysql-5.6]

Otto Kekäläinen otto at seravo.fi
Mon Dec 28 12:28:18 UTC 2015


Hello!

2015-12-23 16:39 GMT+02:00 Norvald H. Ryeng <norvald.ryeng at oracle.com>:
..
> I know we are a bit tight with info about security issues upstream, but all
> security bugfixes are available at https://github.com/mysql/mysql-server as
> individual commits, and a list of CVEs fixed is reported quarterly according
> to a published schedule. Apparently that's not enough.

As a side note related to this, can you please tell us in which commits
CVE-2015-4913 and CVE-2015-4737 were fixed? You probably have access to some
internal security tracker where you can look this up, and both CVEs are
already relatively old, so you would not be releasing any sensitive security
information.

I cannot find the commits based on the CVE descriptions, which are quite vague:

CVE-2015-4913
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier
and 5.6.26 and earlier allows remote authenticated users to affect
availability via vectors related to Server : DML, a different
vulnerability than CVE-2015-4858.

CVE-2015-4737
Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier,
and 5.6.23 and earlier, allows remote authenticated users to affect
confidentiality via unknown vectors related to Server : Pluggable
Auth.

It would be good if the security team had access to the "real"
CVE data behind these vague titles.


