> On 23 Jan 2025, at 02:42, Solar Designer <so...@openwall.com> wrote:
>
> Hi,
>
> Once in a while, Oracle publishes what they call Critical Patch Update
> documents, which list many vulnerabilities addressed across many Oracle
> products, some of them Open Source and some not. This is great, but it
> would be even better if Oracle also communicated to oss-security about
> those vulnerabilities in its Open Source products, perhaps one message
> per product (e.g., MySQL separately from VirtualBox). I hope someone
> from Oracle reads this and will get the wheels moving. Anyone?
I did try. The people that publish the CPUs weren't interested :(

jch

> Meanwhile, the latest Critical Patch Update is:
>
> https://blogs.oracle.com/security/post/january-2025-cpu-released
> https://www.oracle.com/security-alerts/cpujan2025.html
>
> For MySQL, it says:
>
> https://www.oracle.com/security-alerts/cpujan2025.html#AppendixMSQL
>
> "Oracle MySQL Risk Matrix
>
> This Critical Patch Update contains 39 new security patches, plus
> additional third party patches noted below, for Oracle MySQL. 4 of
> these vulnerabilities may be remotely exploitable without
> authentication, i.e., may be exploited over a network without requiring
> user credentials. The English text form of this Risk Matrix can be
> found here."
>
> and links to:
>
> https://www.oracle.com/security-alerts/cpujan2025verbose.html#MSQL
>
> and lists additional information on some CVEs not included in the matrix
> itself (duplicate or not vulnerable). With so many CVEs, all of this is
> rather long, but I imagine someone from Oracle - or someone external -
> could copy-paste the "English text form of this Risk Matrix" and the
> extra notes on a few CVEs to a separate message focusing on MySQL.
>
> Similarly, there's info on a couple of VirtualBox CVEs here, which would
> ideally be a separate message with copy-pasted detail:
>
> https://www.oracle.com/security-alerts/cpujan2025.html#AppendixOVIR
> https://www.oracle.com/security-alerts/cpujan2025verbose.html#OVIR
>
> Perhaps there's more Open Source software listed in there, which needs
> similar treatment. Not only this time, but each time, please.
>
> Alexander