Google Cloud MySQL not keeping up with security patches?

Mohamed Hafez

May 22, 2020, 10:27:53 PM
to Google Cloud SQL discuss
I see that at https://cloud.google.com/sql/docs/mysql/release-notes MySQL 5.7.25 just became available, but that version is well over a year old, and there have been several CVEs fixed between 5.7.25 and the current version 5.7.30.

How come? Is it:

a) Google Cloud SQL is just behind, and thus vulnerable to all those CVEs?

b) someone on the Google Cloud SQL team evaluated all those CVEs and decided they didn't apply to Google Cloud SQL?

c) is the Google Cloud team making a fork of the real MySQL 5.7.25 and patching it up with the fixes for those CVEs, without increasing the version number, the way the Ubuntu team does sometimes for their packages?

Elliott (Google Cloud Platform Support)

May 27, 2020, 12:46:57 PM
to Google Cloud SQL discuss
Hello Mohamed,

Thank you for your questions and I acknowledge your concerns. 

For these forums, I can only share information available in public documents. It would be a security risk to provide clients with internal information and justification why we do not pursue a course of action when it comes to updates.

As an alternative course of action, you may place a feature request to request an update to Cloud SQL but please note that there is no guaranteed ETA.
