[debian-mysql] Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: Bug#793316: transition: mysql-5.6]

Moritz Mühlenhoff jmm at inutil.org
Mon Jan 11 18:27:30 UTC 2016


On Mon, Jan 11, 2016 at 02:13:40PM +0100, Norvald H. Ryeng wrote:
> On Mon, 11 Jan 2016 13:59:07 +0100, Otto Kekäläinen <otto at seravo.fi> wrote:
> 
> >2016-01-11 13:54 GMT+02:00 Norvald H. Ryeng <norvald.ryeng at oracle.com>:
> >>On Mon, 28 Dec 2015 13:28:18 +0100, Otto Kekäläinen <otto at seravo.fi>
> >>wrote:
> >>
> >>>Hello!
> >>>
> >>>2015-12-23 16:39 GMT+02:00 Norvald H. Ryeng <norvald.ryeng at oracle.com>:
> >>>..
> >>>>
> >>>>I know we are a bit tight with info about security issues upstream, but
> >>>>all security bugfixes are available at https://github.com/mysql/mysql-server
> >>>>as individual commits, and a list of CVEs fixed is reported quarterly
> >>>>according to a published schedule. Apparently that's not enough.
> >>>
> >>>
> >>>As a side note related to this, can you please tell us in what commit
> >>>CVE-2015-4913 and CVE-2015-4737 were fixed? You probably have access to
> >>>some internal security tracker where you can look this up, and both CVEs
> >>>are already relatively old, so you would not be releasing any sensitive
> >>>security info.
> >>
> >>
> >>All I have is what is public: CVE-2015-4913 was included in the latest
> >>Critical Patch Update in October and was fixed in 5.5.46 and 5.6.27.
> >>CVE-2015-4737 was included in the July Critical Patch Update and was
> >>fixed in 5.5.44 and 5.6.24. Since Debian is already at 5.5.46, these
> >>don't affect Debian any more.
> >>
> >>If you're asking because you want to know if these have been fixed in
> >>MariaDB, I think you should ask MariaDB upstream instead.
> >
> >Nobody outside Oracle can answer this. Oracle has reserved certain CVE
> >numbers for their use, and as there are no details in the CVE entries (just
> >a version number when it was fixed), nobody outside Oracle can actually
> >tell what the security issue or the fix was. Above you indicated that
> >those fixes are visible in individual commits, so I was trying my luck
> >to see if you would be able to give the information on which commits those
> >CVEs correspond to.
> 
> I usually don't work on security issues, and I don't have the mapping you're
> asking for.

*Sigh*. And that is exactly the problem (and we already pointed this
out at DebConf half a year ago).

We should really go ahead and move forward, the freeze isn't terribly far away.

Cheers,
        Moritz
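Since the only public data Oracle gives for these CVEs is the fixed-in version per MySQL series, the practical check a distribution or operator can do is version-based triage. The script below is an added example, not code from this thread or from the Debian or Oracle projects; the fixed-in versions are exactly those quoted above (CVE-2015-4913: 5.5.46 / 5.6.27; CVE-2015-4737: 5.5.44 / 5.6.24), the sample version strings are constructed, and the function names are my own. It compares within the server's own series (a 5.6 server is judged against 5.6.27, not 5.5.46), skips the client's "Ver 14.14" noise in `mysql --version` output, and reports "unknown" for MariaDB and for series Oracle did not list, which is precisely the gap the thread complains about: without a commit mapping, a MariaDB build cannot be assessed from a MySQL version number at all. This only works where the distribution ships upstream point releases, as Debian does for mysql-5.5 per the message above.

```python
import re

# Fixed-in versions per MySQL series, as stated in the thread (Oracle CPU notes).
# Only these two CVEs are covered; the table is input data, not a vulnerability
# database, and nothing here says which commit carried the fix.
FIXED_IN = {
    "CVE-2015-4913": {(5, 5): (5, 5, 46), (5, 6): (5, 6, 27)},
    "CVE-2015-4737": {(5, 5): (5, 5, 44), (5, 6): (5, 6, 24)},
}

# Three dotted components at a word boundary: matches '5.5.46' in
# '5.5.46-0+deb8u1' and in 'mysql  Ver 14.14 Distrib 5.5.46, ...' while
# skipping the two-component client version '14.14'.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from SELECT VERSION() or `mysql --version` output."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no x.y.z version found in %r" % (text,))
    return tuple(int(g) for g in m.groups())


def is_mariadb(text):
    """MariaDB advertises itself in its version string, e.g. '10.0.23-MariaDB-0+deb8u1'."""
    return "mariadb" in text.lower()


def assess(cve, version_text):
    """Return 'fixed', 'affected' or 'unknown' for one CVE against one version string.

    'unknown' means version-based triage cannot answer: the server is MariaDB
    (its releases do not track MySQL point releases, so the MySQL fixed-in
    version says nothing about it), the CVE is not in the table, or the
    server's series is not one Oracle published a fixed-in version for.
    """
    if is_mariadb(version_text):
        return "unknown"
    fixed_by_series = FIXED_IN.get(cve)
    if fixed_by_series is None:
        return "unknown"
    version = parse_version(version_text)
    series = version[:2]                      # (major, minor), e.g. (5, 6)
    if series not in fixed_by_series:
        return "unknown"
    # Tuple comparison is component-wise, so 5.5.46 >= 5.5.44 and 5.6.26 < 5.6.27.
    return "fixed" if version >= fixed_by_series[series] else "affected"


def triage(version_text, cves=tuple(FIXED_IN)):
    """Assess every CVE in the table against one version string."""
    return {cve: assess(cve, version_text) for cve in cves}


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical hosts), not captured from real servers.
    for sample in (
        "5.5.46-0+deb8u1",                                          # Debian jessie server
        "5.6.26",                                                   # one release short
        "10.0.23-MariaDB-0+deb8u1",                                 # cannot be assessed
        "mysql  Ver 14.14 Distrib 5.5.43, for debian-linux-gnu (x86_64)",
    ):
        print("%-66s %s" % (sample, triage(sample)))
```

Feed it the output of `SELECT VERSION()` from the running server rather than the client banner when you can: the client and server are separately installed packages and can differ.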


