How to find out if a release contains security-related fixes?

Often release notes for the server component just say “Bug fixes”, but how can we tell if security-related things were fixed?

I went back past the previous audit in July but there seems to be no mention of those issues being fixed in the release notes since then. Am I looking in the wrong place?

While we upgrade ASAP, I would like to know if there is a security issue so I can better gauge whether I need to get out of bed in the middle of the night or can wait until sunrise :slight_smile:

1 Like

Look at the commits and all the merged pull requests.

Those are often very generic and verbose, they don’t even mention CVEs. e.g. CVE-2020-15879 was fixed in this PR, but the commit messages were:

It’s impossible to judge the security implications from this information. It would be nice to have a reliable source that includes security impact even when no CVE was assigned.


@tgreer any suggestions?

For CVE items I can speak with engineering to see if there is a better way to tag them. Day-to-day updates and feature additions will need some thought as to how best to package/present them.