[debian-mysql] Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: Bug#793316: transition: mysql-5.6]

Norvald H. Ryeng norvald.ryeng at oracle.com
Mon Jan 11 13:13:40 UTC 2016


On Mon, 11 Jan 2016 13:59:07 +0100, Otto Kekäläinen <otto at seravo.fi> wrote:

> 2016-01-11 13:54 GMT+02:00 Norvald H. Ryeng <norvald.ryeng at oracle.com>:
>> On Mon, 28 Dec 2015 13:28:18 +0100, Otto Kekäläinen <otto at seravo.fi>  
>> wrote:
>>
>>> Hello!
>>>
>>> 2015-12-23 16:39 GMT+02:00 Norvald H. Ryeng <norvald.ryeng at oracle.com>:
>>> ..
>>>>
>>>> I know we are a bit tight with info about security issues upstream, but
>>>> all security bugfixes are available at https://github.com/mysql/mysql-server
>>>> as individual commits, and a list of CVEs fixed is reported quarterly
>>>> according to a published schedule. Apparently that's not enough.
>>>
>>>
>>> As a side note related to this, can you please tell us in what commit
>>> CVE-2015-4913 and CVE-2015-4737 were fixed? You probably have access to
>>> some internal security tracker where you can look this up, and both CVEs
>>> are already relatively old, so you would not be releasing any sensitive
>>> security info.
>>
>>
>> All I have is what is public: CVE-2015-4913 was included in the latest
>> Critical Patch Update in October and was fixed in 5.5.46 and 5.6.27.
>> CVE-2015-4737 was included in the July Critical Patch Update and was
>> fixed in 5.5.44 and 5.6.24. Since Debian is already at 5.5.46, these
>> don't affect Debian any more.
>>
>> If you're asking because you want to know if these have been fixed in
>> MariaDB, I think you should ask MariaDB upstream instead.
>
> Nobody outside Oracle can answer this. Oracle has reserved certain CVE
> numbers for their use, and as there are no details in the CVE entries (just
> a version number when it was fixed), nobody outside Oracle can actually
> tell what the security issue or the fix was. Above you indicated that
> those fixes are visible in individual commits, so I was trying my luck
> to see if you would be able to tell us which commits those CVEs
> correspond to.

I usually don't work on security issues, and I don't have the mapping
you're asking for.

These CVEs apply to MySQL and have been fixed in the announced versions.
Likewise, MariaDB should know which CVEs apply to MariaDB and when they're
fixed. I can't help you with that, and I think the correct address for
such questions is MariaDB upstream.

Regards,

Norvald
