Re: Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6]

To: Otto Kekäläinen <otto@seravo.fi>
Cc: debian-release <debian-release@lists.debian.org>, pkg-mysql-maint <pkg-mysql-maint@lists.alioth.debian.org>, "Robie Basak" <robie.basak@ubuntu.com>, "Debian security team" <team@security.debian.org>
Subject: Re: Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6]
From: "Norvald H. Ryeng" <norvald.ryeng@oracle.com>
Date: Mon, 11 Jan 2016 14:13:40 +0100
Message-id: <[🔎] op.ya2sc2glfswwb0@atum22.no.oracle.com>
In-reply-to: <[🔎] CAHj_TLB=P_Kqu=kpA+pyJUNX+wCpKOVCcFs9k5c-d-puatt4ew@mail.gmail.com>
References: <55AFEE09.3000907@debian.org> <55B0ACE3.3050308@debian.org> <20150723101527.GM3443@mal.justgohome.co.uk> <CAHj_TLDUHV-fBWV7Q1_iT9AHvaOXst7sYfwjKSObgoZbmkYVyA@mail.gmail.com> <20150908220328.GG3691@lupin.home.powdarrmonkey.net> <20150914101112.GP19198@mal.justgohome.co.uk> <20150916210938.GB6248@lupin.home.powdarrmonkey.net> <20151214174524.GB28475@mal.justgohome.co.uk> <20151218213105.GT28475@mal.justgohome.co.uk> <op.x93pnem2fswwb0@nitrogen> <CAHj_TLC2dRP5AERUtoDUOdt+GMeba5eVZqdY6x56JvjJCLWY0Q@mail.gmail.com> <[🔎] op.ya2ooxhtfswwb0@atum22.no.oracle.com> <[🔎] CAHj_TLB=P_Kqu=kpA+pyJUNX+wCpKOVCcFs9k5c-d-puatt4ew@mail.gmail.com>

On Mon, 11 Jan 2016 13:59:07 +0100, Otto Kekäläinen <otto@seravo.fi> wrote:

2016-01-11 13:54 GMT+02:00 Norvald H. Ryeng <norvald.ryeng@oracle.com>:

On Mon, 28 Dec 2015 13:28:18 +0100, Otto Kekäläinen <otto@seravo.fi>wrote:
Hello!

2015-12-23 16:39 GMT+02:00 Norvald H. Ryeng <norvald.ryeng@oracle.com>:
..
I know we are a bit tight with info about security issues upstream,but
all
security bugfixes are available athttps://github.com/mysql/mysql-server
as
individual commits, and a list of CVEs fixed is reported quarterly
according
to a published schedule. Apparently that's not enough.
As a side note related to this, can you please tell us in what commit
CVE-2015-4913 and CVE-2015-4737 were fixed? You probably have access to
some
internal security tracker where you can look this up, and both CVEs are
already relatively old, so you would not be releasing any sensitive
security
info.
All I have is what is public: CVE-2015-4913 was included in the latest
Critical Patch Update in October and was fixed in 5.5.46 and 5.6.27.
CVE-2015-4737 was included in the July Critical Patch Update and wasfixedin 5.5.44 and 5.6.24. Since Debian is already at 5.5.46, these don'taffect
Debian any more.

If you're asking because you want to know if these have been fixed in
MariaDB, I think you should ask MariaDB upstream instead.


Nobody outside Oracle can answer this. Oracle has reserved certain CVE
numbers for their use and as there no details in the CVE entries (just
a version number when it was fixed) nobody outside Oracle can actually
tell what the security issue or the fix was. Above you indicated that
those fixes are visible in individual commits, so I was trying my luck
if you would be able to give the information which commits those CVEs
are.

I usually don't work on security issues, and I don't have the mappingyou're asking for.

These CVEs apply to MySQL and have been fixed in the announced versions.Likewise, MariaDB should know which CVEs apply to MariaDB and when they'refixed. I can't help you with that, and I think the correct address forsuch questions is MariaDB upstream.


Regards,

Norvald

Reply to:

Follow-Ups:
- Re: Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6]
  - From: Moritz Mühlenhoff <jmm@inutil.org>

References:
- Re: Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6]
  - From: "Norvald H. Ryeng" <norvald.ryeng@oracle.com>
- Re: Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6]
  - From: Otto Kekäläinen <otto@seravo.fi>

Prev by Date: Re: Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6]
Next by Date: Re: [debian-mysql] Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: Bug#793316: transition: mysql-5.6]
Previous by thread: Re: Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6]
Next by thread: Re: Request for release team decision on MySQL and MariaDB [was: Re: Bug#793316: [debian-mysql] Bug#793316: transition: mysql-5.6]
Index(es):
- Date
- Thread