Hi, Daniel! It turns out, we have a task for that: https://mariadb.atlassian.net/browse/MDEV-4105
Bryan suggested to have a macro in KB, we'll tag CVE entries in the release notes with it, and they'll be automatically collected to a separate CVE page. So I understood. Let's try to have it asap, then I'll prepare a list of CVEs.

Regards,
Sergei

On Aug 11, Daniel Bartholomew wrote:
> On Mon, Aug 11, 2014 at 2:51 AM, Otto Kekäläinen <o...@seravo.fi> wrote:
> > Hello Daniel (and others),
> >
> > The usual changelogs[1] and release notes[2] don't seem to contain CVE
> > identifiers, or even a separate section about fixed security issues.
> >
> > For the downstream security teams it would be reassuring if the CVE
> > information would be easily available. For example if the security
> > teams follow the CVE news and they for example know or suspect that
> > CVE-2014-4260 affects MariaDB, it would be nice to see if it is
> > already fixed or what version it was fixed in, so downstream security
> > teams can organize and prioritize their patching and release work.
> >
> > Do you have any suggestion how to address this?
> >
> > Should we maybe have a separate wiki page, e.g.
> > https://mariadb.com/kb/en/mariadb/cve/ that would have a table of CVEs
> > and MariaDB 5.5/10.0/Galera versions where they are fixed? Or should
> > just each release notes include a subsection "Security" with these
> > details? Something else?
>
> A CVE page would be good. As would adding them to the release notes.
> If someone will take up the role of keeping a CVE page up-to-date, I
> can add a step to the release process to check the page prior to a
> release and add CVE notices to the release notes and changelog
> entries.