MySQL and Security: what do you consider a security hole that warrants immediate action?

I don’t claim to be a security expert, but I’d like opinions from people in the field, as well as from database experts who take security seriously. Here are some opinions from a discussion with Chad and Lenz a while ago. What do you consider a security hole that warrants immediate action, or a release of a server within a sensible timeframe?

  • Remotely exploiting MySQL without login credentials
  • Remotely crashing MySQL without login credentials

The above two are definite problems. What about:

  • denial of service attacks
  • data loss
  • data changes
  • data insertion

Chad tells us, “security is policy enforcement.” And the policy should state: “the service should always be available to authorized people, never to unauthorized people”.

Opinions, please. Tell me what is on the “definite list” that should be fixed within 24 hours, what is on the possibly-annoying list that should be released within 72 hours, and what is an annoying bug but not a “high”/“large” security violation (for example, Chad considers “a function SUBSTR that always returns one too few characters” a problem under his definition), which can be fixed during the next release cycle.

Also, pointers to how other OSS projects or major release software deal with security would be welcome. Say, like Mark Cox’s security information (he’s Mr. Security at Red Hat, and they’ve got some amazing turnaround times).


  • kjusupov

    Well, you’ve got a process in place (your business) and security is just a portion of it (as BS said: security is a process, not a product).
    If anything happens that can put the CIA (confidentiality, integrity, availability) at risk, it should be taken care of ASAP.
    And being able to read and understand the Release Notes accompanying every new release is a good skill. It can just happen that you don’t use the particular vulnerable function, which can mean the update can be taken care of later…
