Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-11207

Docs Request: Create Security Matrix for CVEs

Details

    Description

      I'd like to propose that we add a security matrix on our site for CVEs that exist and are fixed, like Oracle does for MySQL here:

      http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL

      Note the CVSS Version 3 Metrics are [apparently] puled from here:

      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6304

      Thank you for your consideration.

      Attachments

        Activity

          Ascending order - Click to sort in descending order
          ccalender Chris Calender (Inactive) created issue -
          danblack Daniel Black added a comment -

          https://mariadb.com/kb/en/mariadb/security/ is sufficient?

          danblack Daniel Black added a comment - https://mariadb.com/kb/en/mariadb/security/ is sufficient?
          ccalender Chris Calender (Inactive) added a comment -

          This is great.

          However, do you think we could add one more link, for each CVE, that goes to the web.nvd.nist.gov site (which contains the CVSS Version 3 Metrics/Scores)?

          Here is an example link:

          https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6304

          This would make it a one-stop shop, so-to-speak, and then we could avoid the whole "matrix".

          ccalender Chris Calender (Inactive) added a comment - This is great. However, do you think we could add one more link, for each CVE, that goes to the web.nvd.nist.gov site (which contains the CVSS Version 3 Metrics/Scores)? Here is an example link: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6304 This would make it a one-stop shop, so-to-speak, and then we could avoid the whole "matrix".
          serg Sergei Golubchik made changes -
          Field Original Value New Value
          Priority Minor [ 4 ] Major [ 3 ]
          serg Sergei Golubchik made changes -
          Component/s Documentation [ 10903 ]
          serg Sergei Golubchik made changes -
          Labels security
          serg Sergei Golubchik made changes -
          Fix Version/s N/A [ 14700 ]
          serg Sergei Golubchik made changes -
          Assignee Rasmus Johansson [ ratzpo ]
          serg Sergei Golubchik made changes -
          Due Date 2017-06-26
          ratzpo Rasmus Johansson (Inactive) added a comment -

          Check last comment from Chris. Could we add that link for each CVE?

          ratzpo Rasmus Johansson (Inactive) added a comment - Check last comment from Chris. Could we add that link for each CVE?
          ratzpo Rasmus Johansson (Inactive) made changes -
          Assignee Rasmus Johansson [ ratzpo ] Daniel Bartholomew [ dbart ]
          serg Sergei Golubchik added a comment - - edited

          It's normally available from the CVE page. Like our CVE-2012-5614 link points to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5614. And at the top of that page there's a link Learn more at National Vulnerability Database (NVD)

          serg Sergei Golubchik added a comment - - edited It's normally available from the CVE page. Like our CVE-2012-5614 link points to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5614 . And at the top of that page there's a link Learn more at National Vulnerability Database (NVD)
          dbart Daniel Bartholomew added a comment - - edited

          In the KB any CVE-XXXX-XXXX text is automatically turned into a link to cve.mitre.org using the built-in auto-link feature. This feature doesn't have a way to turn a single CVE ID into two separate links, not right now at least. Such a thing could be added, but it would require a rewrite of the auto-link feature to allow for a single bit of text to be transformed into multiple links. bryan would know more about how feasible this would be.

          dbart Daniel Bartholomew added a comment - - edited In the KB any CVE-XXXX-XXXX text is automatically turned into a link to cve.mitre.org using the built-in auto-link feature. This feature doesn't have a way to turn a single CVE ID into two separate links, not right now at least. Such a thing could be added, but it would require a rewrite of the auto-link feature to allow for a single bit of text to be transformed into multiple links. bryan would know more about how feasible this would be.
          dbart Daniel Bartholomew made changes -
          Resolution Fixed [ 1 ]
          Status Open [ 1 ] Closed [ 6 ]
          serg Sergei Golubchik made changes -
          Workflow MariaDB v3 [ 78172 ] MariaDB v4 [ 132990 ]

          People

            dbart Daniel Bartholomew
            ccalender Chris Calender (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.