{"id":571,"date":"2007-06-14T10:09:50","date_gmt":"2007-06-14T15:09:50","guid":{"rendered":"http:\/\/www.bytebot.net\/blog\/archives\/2007\/06\/14\/mysql-and-security-what-do-you-consider-a-security-hole-that-warrants-immediate-action"},"modified":"2007-06-14T10:09:54","modified_gmt":"2007-06-14T15:09:54","slug":"mysql-and-security-what-do-you-consider-a-security-hole-that-warrants-immediate-action","status":"publish","type":"post","link":"http:\/\/www.bytebot.net\/blog\/archives\/2007\/06\/14\/mysql-and-security-what-do-you-consider-a-security-hole-that-warrants-immediate-action","title":{"rendered":"MySQL and Security: what do you consider a security hole that warrants immediate action?"},"content":{"rendered":"<p>I don&#8217;t claim to be a security expert, but I&#8217;d like opinions from people in the field, as well as from database experts who take security seriously. Here are some opinions from a discussion with <a href=\"http:\/\/karateandvoodoo.blogspot.com\/index.html\">Chad<\/a> and <a href=\"http:\/\/www.lenzg.org\/\">Lenz<\/a> a while ago. <b>What do you consider a security hole that warrants immediate action or a release of a server within a sensible timeframe?<\/b><\/p>\n<ul>\n<li>Remotely exploiting MySQL without login credentials<\/li>\n<li>Remotely crashing MySQL without login credentials<\/li>\n<\/ul>\n<p>The above two are definite problems. What about:<\/p>\n<ul>\n<li>denial of service attacks<\/li>\n<li>data loss<\/li>\n<li>data changes<\/li>\n<li>data insertion<\/li>\n<\/ul>\n<p>Chad tells us, &#8220;security is policy enforcement.&#8221; And the policy should state: &#8220;the service should always be available to authorized people, never to unauthorized people&#8221;.<\/p>\n<p>Opinions, please. 
Tell me what is on the &#8220;definite&#8221; list that should be fixed within 24 hours, what is on the &#8220;possibly annoying&#8221; list that should be released within 72 hours, and what is an annoying bug but not a &#8220;high&#8221;\/&#8220;large&#8221; security violation, which can be fixed during the next release cycle (for instance, Chad finds &#8220;a function SUBSTR that always returns one too few characters&#8221; a problem by his definition).<\/p>\n<p>Also, I&#8217;d welcome pointers to how other OSS projects or major release software deal with security, such as Mark Cox&#8217;s <a href=\"http:\/\/www.awe.com\/mark\/blog\/tags\/security\">security<\/a> information (he&#8217;s Mr. Security at Red Hat, and they&#8217;ve got some amazing turnaround times).<\/p>\n<p>Technorati Tags: <a class=\"performancingtags\" href=\"http:\/\/technorati.com\/tag\/mysql\" rel=\"tag\">mysql<\/a>, <a class=\"performancingtags\" href=\"http:\/\/technorati.com\/tag\/security\" rel=\"tag\">security<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>I don&#8217;t claim to be a security expert, but I&#8217;d like opinions from people in the field, as well as from database experts who take security seriously. Here are some opinions from a discussion with Chad and Lenz a while ago. 
What do you consider a security hole that warrants immediate action or a release of [&hellip;]<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_options":[]},"categories":[23],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p4vJD-9d","jetpack_sharing_enabled":true,"jetpack-related-posts":[],"amp_enabled":true,"_links":{"self":[{"href":"http:\/\/www.bytebot.net\/blog\/wp-json\/wp\/v2\/posts\/571"}],"collection":[{"href":"http:\/\/www.bytebot.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.bytebot.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.bytebot.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.bytebot.net\/blog\/wp-json\/wp\/v2\/comments?post=571"}],"version-history":[{"count":0,"href":"http:\/\/www.bytebot.net\/blog\/wp-json\/wp\/v2\/posts\/571\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.bytebot.net\/blog\/wp-json\/wp\/v2\/media?parent=571"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.bytebot.net\/blog\/wp-json\/wp\/v2\/categories?post=571"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.bytebot.net\/blog\/wp-json\/wp\/v2\/tags?post=571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}