A year ago, I blogged about An Unprivileged User can crash your MySQL Server. At the time, I explained how to protect yourself against this problem. A few weeks ago, I revisited this vulnerability in a follow-up post in which I explained the fix, claimed that the MySQL 5.7 default configuration for Group Replication is still problematic, and explained a tuning to avoid the vulnerability. In
A year ago, I blogged about An Unprivileged User can Crash your MySQL Server. At the time, I presented how to protect yourself against this problem without explaining how to generate a crash. In this post, I am revisiting this vulnerability, not giving the exploit yet, but presenting the fix. Also, because the default configuration of Group Replication in 5.7 is still vulnerable (it is not in
Update: I included the results for when PCID is disabled, for comparison, as a worse case scenario.
After learning about Meltdown and Spectre, I waited patiently to get a fix from my OS vendor. However, there were several reports of performance impact due to the kernel mitigation- for example on the PostgresQL developers mailing list there was reports of up to 23% throughput loss; Red Hat engineers report a regression range of 1-20%, but setting OLTP systems as the worse type of workload. As it will be highly dependent on the hardware and workload, I decided of doing some test myself for the …[Read more]
A few days ago Sergei Golubchik of Monty Program sent an e-mail to the Open Source Security mailing list informing about a security vulnerability in MySQL authentication system. Under certain circumstances a remote attacker may easily gain access to MySQL database as any user and all they need to know is a valid user name (e.g. root user exists in nearly all installations). The problem has only been addressed in the most recent database versions.
The full details are covered in Sergei’s post linked above. Not all MySQL releases are affected as the cause appears to be related to the build environment and the options used in the binary build process. For instance binaries distributed by Oracle appear to be safe as well as those available from RedHat’s repository.
We encourage you to test this against your database …[Read more]
Recently I had some trouble with the server where all of my websites are hosted. Business site, various blogs, there is lots of stuff on there, not to mention backups of work, email, and all sorts of things I do not really want to lose.
I first noticed the trouble when I couldn’t login through the command line. Strangely the websites were still running. I called the hosting company, and after talking with them for a while, managed to login as root. That was working. But it was acting quite odd. There were some errors in the /var/log/messages about ssh not being able to set uid 10003, the uid of my login, shull. I pondered. I thought. I sat circumspect.
I investigated for a while, and called up 1 & 1 again. I have a root server, but they’re not really supposed to support maintaining the machine itself. Then I got to thinking, I could spend hours diagnosing …[Read more]