On Mon, Jan 11, 2016 at 02:13:40PM +0100, Norvald H. Ryeng wrote:
> On Mon, 11 Jan 2016 13:59:07 +0100, Otto Kekäläinen <o...@seravo.fi> wrote:
>
> > 2016-01-11 13:54 GMT+02:00 Norvald H. Ryeng <norvald.ry...@oracle.com>:
> > > On Mon, 28 Dec 2015 13:28:18 +0100, Otto Kekäläinen <o...@seravo.fi>
> > > wrote:
> > >
> > > > Hello!
> > > >
> > > > 2015-12-23 16:39 GMT+02:00 Norvald H. Ryeng <norvald.ry...@oracle.com>:
> > > > ..
> > > > >
> > > > > I know we are a bit tight with info about security issues upstream,
> > > > > but all security bugfixes are available at
> > > > > https://github.com/mysql/mysql-server as individual commits, and a
> > > > > list of CVEs fixed is reported quarterly according to a published
> > > > > schedule. Apparently that's not enough.
> > > >
> > > > As a side note related to this, can you please tell us in what commit
> > > > CVE-2015-4913 and CVE-2015-4737 were fixed? You probably have access
> > > > to some internal security tracker where you can look this up, and
> > > > both CVEs are already relatively old, so you would not be releasing
> > > > any sensitive security info.
> > >
> > > All I have is what is public: CVE-2015-4913 was included in the latest
> > > Critical Patch Update in October and was fixed in 5.5.46 and 5.6.27.
> > > CVE-2015-4737 was included in the July Critical Patch Update and was
> > > fixed in 5.5.44 and 5.6.24. Since Debian is already at 5.5.46, these
> > > don't affect Debian any more.
> > >
> > > If you're asking because you want to know if these have been fixed in
> > > MariaDB, I think you should ask MariaDB upstream instead.
> >
> > Nobody outside Oracle can answer this. Oracle has reserved certain CVE
> > numbers for their use and as there are no details in the CVE entries
> > (just a version number when it was fixed) nobody outside Oracle can
> > actually tell what the security issue or the fix was. Above you
> > indicated that those fixes are visible in individual commits, so I was
> > trying my luck if you would be able to give the information which
> > commits those CVEs are.
>
> I usually don't work on security issues, and I don't have the mapping
> you're asking for.

*Sigh*. And that is exactly the problem (and we've already pointed this
out at DebConf half a year ago).

We should really go ahead and move forward, the freeze isn't terribly
far away.

Cheers,
        Moritz