Showing entries 231 to 240 of 514
« 10 Newer Entries | 10 Older Entries »
Displaying posts with tag: Security
An update on default_password_lifetime

With MySQL 5.7, our goal is to be secure by default. This means that without having to change configuration settings or perform any additional steps, your fresh installation should be safe for production use.

As part of this security initiative, MySQL 5.7 shipped with a new feature where user accounts will be disabled if the password has not been changed in a number of days.…

OpenSSH CVE-2016-0777: Details and Mitigation

Earlier today, advisories were sent out regarding OpenSSH versions 5.4 through 7.1, informing users about a security bug in the software. In essence, the advisory instructed people to add the

UseRoaming no

option to their ssh_config file, with a promise for further information to be made available shortly.


Add undocumented "UseRoaming no" to ssh_config or use "-oUseRoaming=no" to prevent upcoming #openssh client bug CVE-2016-0777. More later.

— markus (@msfriedl) January 14, 2016

The post on the security issue at OpenBSD Journal can be seen here: http://undeadly.org/cgi?action=article&sid=20160114142733

Simplified SSL/TLS Setup for MySQL Community

Transport Layer Security (TLS, also often referred to as SSL) is an important component of a secure MySQL deployment, but the complexities of properly generating the necessary key material and configuring the server dissuaded many users from completing this task. MySQL Server 5.7 simplifies this task for both Enterprise and Community users. Previous blog posts have detailed the changes supporting Enterprise builds; this blog post will focus on parallel improvements made to MySQL Community builds.

Introducing …

Web Security: SHA1 SSL Deprecated

You may not be aware that the mechanism used to sign the SSL certificates that keep your access to websites encrypted and secure is changing. The old method, known as SHA1, is being deprecated, meaning it will no longer be supported. As of January 2016 various vendors will no longer support creating certificates with SHA1, and browsers show warnings when they encounter an old SHA1 certificate. From January 2017 browsers will reject old certificates.

The new signing method, known as SHA2, has been available for some time. Users have had a choice of signing methods up until now, but there are still many sites using old certificates out there. You may want to check the security on any SSL websites you own or run!

To ensure your users’ security and privacy, force https across your entire website, not just e-commerce or other sections. You may have noticed this move on major websites over the last …

The State of SSL in MariaDB

Usually when one says “SSL” or “TLS” it means not a specific protocol but a family of protocols. The Wikipedia article has the details, but in short: SSL 2.0 and SSL 3.0 are deprecated and should not be used anymore (the well-known POODLE vulnerability exploits a flaw in SSL 3.0). TLS 1.0 is sixteen years […]

The post The State of SSL in MariaDB appeared first on MariaDB.org.

Which accounts can access this data?

Knowing which privileges a given account has is easy: just issue SHOW GRANTS FOR user@host. But what about when you need visibility into privileges from the other direction: which accounts can access specific data? If you’re a DBA, or perform DBA duties regardless of your title, you may have been asked this question. It’s an important question to ask in an audit or compliance review, but it can be a difficult question to answer. This post will walk through how to assess this, but if you’re impatient and need answers to this question immediately, jump to the end; there’s a simple shortcut.

Things to consider

There are a few things you’ll want to consider about the implementation of the MySQL privilege system as you try to sort out who has access to certain data.

Access type

MySQL can restrict privileges based on operations: somebody who has …

Curing a Critical Security Bug

At WordCamp US this year, I spoke about the Trojan Emoji security bug, which we fixed in WordPress 4.1.2.

In particular, I went through how we came to wrap our heads around the bug, and then wrote a solution that worked for every WordPress site.

MariaDB Server GA’s supported for 5 years

There was some discussion a while back to maybe make MariaDB Server follow the Ubuntu release model, i.e. having a Long Term Release (LTS) and then having a few regular fast releases with a shorter support cycle.

However, it’s good to note that the decision going forward is to support each and every GA release for a period of five (5) years. Regular releases will only happen for the latest three (3) GA releases, so at this moment you are getting updates for MariaDB Server 5.5/10.0/10.1.

Practically, we’ve not seen an update for 5.1/5.2/5.3 since 30 Jan 2013 at the time of this writing. And it’s clear MariaDB Server 5.5 will have an extended support policy, as it ships in Red Hat Enterprise Linux 7.

At this time it’s worth …

Secure Java Connections by Default

MySQL Connector/Java 5.1.38 was released earlier this week, and it includes a notable improvement related to secure connections. Here’s how the change log describes it:

When connecting to a MySQL server 5.7 instance that supports TLS, Connector/J now prefers a TLS over a plain TCP connection.

This mirrors changes made in 5.7 to the behavior of the MySQL command-line clients and the libmysql client library. Coupled with the streamlined, automatic generation of TLS key material to ensure TLS availability in MySQL Server 5.7 deployments, this is an important step towards providing secure communication in default deployments.

SSL/TLS Improvements in MySQL 5.7.10

Secure communication is a core component of a robust security policy, and MySQL Server 5.7.10, the first maintenance release of MySQL Server 5.7, introduces needed improvements in this area. Support for TLS has been expanded from TLSv1.0 to include TLSv1.1 and TLSv1.2, default ciphers have been updated, and controls have been implemented allowing both server- and client-side configuration of acceptable TLS protocol versions. This blog post will describe the changes, the context in which these changes were made, note important differences in capabilities between Community and Enterprise versions, and outline future plans.

Context

SSL (Secure Sockets Layer) was superseded by TLS ( …
