Planet MySQL

Displaying posts with tag: mysql security bug (reset)

Aug

2015

Posted by Chris Calender on Fri 07 Aug 2015 19:55 UTC
Tags:

mariadb, MySQL 5.5, MySQL, mysql downloads, mysql security bug, mysql changelogs, innodb bug, mysql 5.5.45, mysql ssl dhe cipher

MySQL 5.5.45 was recently released (it is the latest MySQL 5.5, is GA), and is available for download here:

http://dev.mysql.com/downloads/mysql/5.5.html

This release, similar to the last 5.5 release, is mostly uneventful.

There were 0 “Functionality Added or Changed” items this time, 1 “Security Fix”, and just 9 bugs overall fixed.

Out of the 9 bugs, there were 3 InnoDB bugs, 1 security-related bug, and 1 potential crashing bug. Here are the ones worth noting:

InnoDB: An index record was not found on rollback due to inconsistencies in the purge_node_t structure.
InnoDB: An assertion was raised when InnoDB attempted to dereference a NULL foreign key object.
InnoDB: On Unix-like platforms, os_file_create_simple_no_error_handling_func and …

[Read more]

Mar

2015

MySQL 5.6.23 Overview and Highlights

Posted by Chris Calender on Fri 06 Mar 2015 01:20 UTC
Tags:

openssl, show slave status, mariadb, yaSSL, MySQL, MySQL 5.6, mysql security bug, mysql download, SYS_INDEXES, Seconds_Behind_Master, download mysql 5.6, mysql 5.6 download, mysql upgrade recommendations, mysql changelog, innodb bug, dictionary cache, dict_set_corrupted, fts_optimize_thread, InnoDB crashing bug, InnoDB regression bug, InnoDB stall halt bug, rb-tree, multiple-table delete, ALTER TABLE ... TRUNCATE PARTITION, full-text search indexes, innodb_fast_shutdown, innodb_fast_shutdown=0, mysql 5.6.23, TRUNCATE PARTITION

MySQL 5.6.23 was recently released (it is the latest MySQL 5.6, is GA), and is available for download here.

For this release, there is 1 “Security Note”, 3 “Functionality Changed”, and 5 “Compilation Notes”, all benign, but let me address them:

Security Note: The linked OpenSSL library for the MySQL Commercial Server has been updated from version 1.0.1j to version 1.0.1k. Issues fixed in the new version are described at http://www.openssl.org/news/vulnerabilities.html.
Functionality Changed: Support for the SSL 2.0 and SSL 3.0 protocols has been disabled because they provide weak encryption. (Bug #19820550, Bug #19921150)
Functionality Changed: yaSSL was upgraded to version …

[Read more]

Jan

2015

MySQL 5.6.22 Overview and Highlights

Posted by Chris Calender on Wed 14 Jan 2015 01:35 UTC
Tags:

mariadb, MySQL, MySQL 5.6, mysql security bug, mysql download, SYS_INDEXES, download mysql 5.6, mysql 5.6 download, mysql upgrade recommendations, mysql changelog, innodb bug, dictionary cache, dict_set_corrupted, fts_optimize_thread, InnoDB crashing bug, InnoDB regression bug, InnoDB stall halt bug, mysql 5.6.22, rb-tree

MySQL 5.6.22 was recently released (it is the latest MySQL 5.6, is GA), and is available for download here.

For this release, there is 1 “Security Note”, 2 “Functionality Changed”, and 5 “Compilation Notes”, all benign, but let me address them:

Security Note: The linked OpenSSL library for the MySQL Commercial Server has been updated from version 1.0.1h to version 1.0.1j. Issues fixed in the new version are described at http://www.openssl.org/news/vulnerabilities.html.
Functionality Changed: Replication: The variable binlogging_impossible_mode has been renamed binlog_error_action. binlogging_impossible_mode is now deprecated. (Bug #19507567)
Functionality Changed: …

[Read more]

Oct

2011

MySQL SSL Users: BEWARE This Bug

Posted by Chris Calender on Tue 18 Oct 2011 19:55 UTC
Tags:

bug, SSL, skysql, cipher, MySQL, ca-cert.pem, Cipher in use, client-cert.pem, client-key.pem, mysql security bug, MySQL SSL, mysql ssl on windows, REQUIRE SSL, security bug, server-cert.pem, server-key.pem, ssl-ca, ssl-cert, ssl-key

If you’re using MySQL and SSL, you might want to glance over this article and give your setup a quick test.

I’ve uncovered an alarming bug in 5.5 where one could gain access to your MySQL instance just knowing the username and password (not having any SSL certificate, key, etc.)!

Of course, I’ve filed a bug about it here:

http://bugs.mysql.com/bug.php?id=62743

It’s been over 4 days now, and not one comment from the MySQL Bug/Dev Team.

So once again, I feel the need to share this bug with the public, in case you are using SSL with 5.5, and think your connections are secure, or that only users with the certs/key could gain access.

For SSL Users, you’ll already have this set up, but for those who don’t, I’ve simply got mysqld (5.5.15 and 5.5.16 thus far) running with the following options:

ssl-ca      = …

[Read more]

Top Authors

Oracle MySQL Blogs

Vendor Blogs

MySQL Links