[CentOS-announce] CEEA-2016:0517 CentOS 5 tzdata Enhancement Update

2016-03-24 Thread Johnny Hughes

CentOS Errata and Enhancement Advisory 2016:0517 

Upstream details at : https://rhn.redhat.com/errata/RHEA-2016-0517.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
907d8ba5f5fc5dc90b2a0f6e45fffe88baa8ddb64ba8c827933f6d3e7889a0af  
tzdata-2016c-1.el5.i386.rpm
c2d5c77bd3d7c0f4e91154788dc421d8eb9dfd56f3e63a3e694bbafaaad6a556  
tzdata-java-2016c-1.el5.i386.rpm

x86_64:
771e0c5c024f8420c3a820b83b2ce4f7a156b1e93e860533af12572bce8d4a04  
tzdata-2016c-1.el5.x86_64.rpm
faeb5dfe3c89f273889af2a007331c8a8b02d7561bd2362e2a8753e2f3f901c1  
tzdata-java-2016c-1.el5.x86_64.rpm

Source:
85d9fc61a8a60a8c4d19d3fae19f651c4f149ebea58cb742800492f699d0a62f  
tzdata-2016c-1.el5.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
Twitter: JohnnyCentOS

___
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce


[CentOS-announce] CEEA-2016:0517 CentOS 6 tzdata Enhancement Update

2016-03-24 Thread Johnny Hughes

CentOS Errata and Enhancement Advisory 2016:0517 

Upstream details at : https://rhn.redhat.com/errata/RHEA-2016-0517.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
06d77cccd4ca9fdede69e03cb03ea066f4fe65f279a083356705e429adbda7c5  
tzdata-2016c-1.el6.noarch.rpm
a4e1c676af9c38e3cb92474d4b514070c1bf124148c86968d9c68678da2d13ae  
tzdata-java-2016c-1.el6.noarch.rpm

x86_64:
06d77cccd4ca9fdede69e03cb03ea066f4fe65f279a083356705e429adbda7c5  
tzdata-2016c-1.el6.noarch.rpm
a4e1c676af9c38e3cb92474d4b514070c1bf124148c86968d9c68678da2d13ae  
tzdata-java-2016c-1.el6.noarch.rpm

Source:
79ca2aac587840574b85e7d2350b445ac79a8c3cecab20bf832e6a0faddefb53  
tzdata-2016c-1.el6.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
Twitter: @JohnnyCentOS



[CentOS-announce] CESA-2016:0511 Critical CentOS 6 java-1.7.0-openjdk Security Update

2016-03-24 Thread Johnny Hughes

CentOS Errata and Security Advisory 2016:0511 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-0511.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
38333cb659ef9d1e0d0d41a09851d0e03fda4e29f7787bf29653315cbed44a4c  
java-1.7.0-openjdk-1.7.0.99-2.6.5.0.el6_7.i686.rpm
3deb5f2c69378200d957357cb1f6335abecfadd21917e3aa0c22be7a828515b3  
java-1.7.0-openjdk-demo-1.7.0.99-2.6.5.0.el6_7.i686.rpm
96afea94846a5faefb2b7a0dbb28304e4b7b9843825539cd90567d9bb3504025  
java-1.7.0-openjdk-devel-1.7.0.99-2.6.5.0.el6_7.i686.rpm
3844d999b13a0ed9d2f8f32cbffe7a923d4f900b5c831494bc8c7f1c4b1b4aca  
java-1.7.0-openjdk-javadoc-1.7.0.99-2.6.5.0.el6_7.noarch.rpm
8d10d03343574b0e49458ad028c62a19bc7ae8ab62ee00e2390b3c5004f249ea  
java-1.7.0-openjdk-src-1.7.0.99-2.6.5.0.el6_7.i686.rpm

x86_64:
e752132a8a7e1cf1c5e6bcfc214d55e2c5aa636fbbc8c6bfa3f82118ae971dd2  
java-1.7.0-openjdk-1.7.0.99-2.6.5.0.el6_7.x86_64.rpm
9d533fd2c29bff1c92d35e38d7813de1d1b9841fb8f901d7e608a8d48b1d8424  
java-1.7.0-openjdk-demo-1.7.0.99-2.6.5.0.el6_7.x86_64.rpm
72abbf120e677c6e0888f13995c395be31283b8a3f707a1bd252c6d7f22bafc0  
java-1.7.0-openjdk-devel-1.7.0.99-2.6.5.0.el6_7.x86_64.rpm
3844d999b13a0ed9d2f8f32cbffe7a923d4f900b5c831494bc8c7f1c4b1b4aca  
java-1.7.0-openjdk-javadoc-1.7.0.99-2.6.5.0.el6_7.noarch.rpm
673fe3d9d70eea9a6a962a6893f2ab9f29e0db335164c50b76e98866ddadadb8  
java-1.7.0-openjdk-src-1.7.0.99-2.6.5.0.el6_7.x86_64.rpm

Source:
7aa29619b44021a5c418f2886513d0a4789bcf1c5737a08d38141464a16b6107  
java-1.7.0-openjdk-1.7.0.99-2.6.5.0.el6_7.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
Twitter: @JohnnyCentOS



[CentOS] Compatible 5GHz wifi usb dongles?

2016-03-24 Thread Nux!
Hi,

Can anyone recommend a 5GHz usb wifi dongle that works out of the box with 
CentOS?

Tried various Mediatek (0e8d:7610) %(*^ off amazon/ebay, without any luck, so 
please don't suggest that.

Thanks!

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread Always Learning

On Thu, 2016-03-24 at 18:15 -0500, g wrote:
> 
> On 03/24/16 12:58, Always Learning wrote:

> >>   //set user agent to blank
> >>   user_pref("general.useragent.override", " ");
> >
> > This can also be set, in Firefox, using about:config
> > Right-click new string,  etc.

> such is not in about:config with 38.7.0.

You have to create the parameter in about:config

1. position over main panel full of different parameters.
2. right click
3. select 'new' and 'string'
4. enter 'general.useragent.override' then click 'ok'
5. enter your chosen arguments then click 'ok'
6. no browser restart is necessary.

To delete it, right click on it, select 'reset', restart browser and it's
gone.




-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.



Re: [CentOS] firewalld question

2016-03-24 Thread Fred Smith
On Thu, Mar 24, 2016 at 06:39:37PM -0400, Matthew Miller wrote:

Thanks for the info, Matthew!

Fred
> On Thu, Mar 24, 2016 at 02:01:55PM -0400, Fred Smith wrote:
> > I'm wondering if it is possible to have Centos-7 automatically change
> > firewall zones, depending on the network we connect to.
> 
> The way to do this is changing the zone for the network in
> NetworkManager. (This works easily for wifi networks and is kind of a
> pain for wired ones, unfortunately, since there's not necessarily a
> good way to distinguish.) I don't have a CentOS (or RHEL) desktop and I
> don't remember offhand when this hit, but in Fedora, run the
> NetworkManager config panel, hit config on a network, and change the
> zone on the Security tab.
> 
> Or, put "ZONE=public" or "ZONE=work" or whatever in the ifcfg file for
> the network.
> 
> I'm hoping in the future to make this better, but there are actually a
> lot of different parts involved so it's hard to get everyone to agree
> on the best approach.
> 
> I personally make "public" my default zone, and then add zones that
> should be more trusted to networks that should be more open.
> 
> -- 
> Matthew Miller
> 
> Fedora Project Leader

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
"Not everyone who says to me, 'Lord, Lord,' will enter the kingdom of
 heaven, but only he who does the will of my Father who is in heaven."
-- Matthew 7:21 (niv) -


Re: [CentOS] firewalld question

2016-03-24 Thread Fred Smith
On Thu, Mar 24, 2016 at 09:18:16PM +, James Hogarth wrote:

Thanks, James, that looks pretty good. I'll look into it and probably
give it a try.

Fred
> On 24 March 2016 at 18:01, Fred Smith  wrote:
> 
> > Hi all!
> >
> > I'm wondering if it is possible to have Centos-7 automatically change
> > firewall zones, depending on the network we connect to.
> >
> > my default zone is "home" and it has some ports open that probably
> > shouldn't be open when I'm on someone else's network.
> >
> > so I'm thinking that if there's a way to have it always use home when
> > I'm at home, and external when I'm not, it would be great.
> >
> > I see that firewall-cmd has a ton of options, but not sure which one(s)
> > I'd need for switching. (I see one for setting default zone, but I didn't
> > see one for setting current zone--maybe I'm blind).
> >
> > I'm also not at all sure how to invoke it at a proper time,... perhaps
> > some udev rules?
> >
> >
> > anyone got any wisdom they can drop on me?
> >
> >
> The default zones are poorly named and should never have been included -
> especially given most of them aren't in use on any given system.
> 
> For a look into how to make use of firewalld take a look at this:
> 
> https://www.hogarthuk.com/?q=node/9
> 
>  The best way to handle the scenario you describe would be multiple NM
> connection profiles (don't have it set to auto) so that you can set
> connection.zone correctly on each for the right network profile.
> 
> Then when you nmcli c up work (or home or whatever) to bring up that
> connection profile it'll come up in the right zone.
> 
> This manual nmcli c up is only needed if these are ethernet profiles as
> there's no link between subnet and connection profile
> 
> If these are WiFi connections NM already has different connection profiles
> and picks one to match the SSID - so you could set the right
> connection.zone in that.
> 
> The NM article goes into some details on connection profiles
> 
> https://www.hogarthuk.com/?q=node/8
> 
> Alternatively if you know the subnets that will be connecting to you at
> work and home you could set your default profile to reject and create zones
> with appropriate incoming rules bound to the source subnets contacting your
> system.

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
 "God made him who had no sin
  to be sin for us, so that in him
 we might become the righteousness of God."
--- Corinthians 5:21 -


Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread g


On 03/24/16 12:58, Always Learning wrote:
> On Thu, 2016-03-24 at 10:56 -0500, g wrote:
> 
>>> See the EFF testing site for more details:
>>>
>>>
>
>> aware of panopticlick.
>
> It states (calculator needed)
>
> 11.6% of browsers have time zone 0 (GMT)
> 10.0% of browsers have "Linux x86_64" (note this excludes Android) 
>  4.0% of browsers have "en-GB"
>
>> if you have a file in profile directory, add this to it. if not,
>> create file and paste this in it.
>>
>>   //set user agent to blank
>>   user_pref("general.useragent.override", " ");
>
> This can also be set, in Firefox, using about:config
> Right-click new string,  etc.
>
>> what makes you get a unique rating is that you report no agent. only
>> info any site will know about you is your ip address.
>
> Not exactly correct. See his site's
>  "Show full results for fingerprinting"
>
--

such is not in about:config with 38.7.0.


-- 
peace out.

If Bill Gates got a dime for every time Windows crashes...
 ...oh, wait. He does. THAT explains it!
-+-
in a world with out fences, who needs gates.

CentOS GNU/Linux 6.7

tc,hago.

g
.



Re: [CentOS] firewalld question

2016-03-24 Thread Matthew Miller
On Thu, Mar 24, 2016 at 02:01:55PM -0400, Fred Smith wrote:
> I'm wondering if it is possible to have Centos-7 automatically change
> firewall zones, depending on the network we connect to.

The way to do this is changing the zone for the network in
NetworkManager. (This works easily for wifi networks and is kind of a
pain for wired ones, unfortunately, since there's not necessarily a
good way to distinguish.) I don't have a CentOS (or RHEL) desktop and I
don't remember offhand when this hit, but in Fedora, run the
NetworkManager config panel, hit config on a network, and change the
zone on the Security tab.

Or, put "ZONE=public" or "ZONE=work" or whatever in the ifcfg file for
the network.

I'm hoping in the future to make this better, but there are actually a
lot of different parts involved so it's hard to get everyone to agree
on the best approach.

I personally make "public" my default zone, and then add zones that
should be more trusted to networks that should be more open.

-- 
Matthew Miller

Fedora Project Leader


Re: [CentOS] firewalld question

2016-03-24 Thread James Hogarth
On 24 March 2016 at 18:01, Fred Smith  wrote:

> Hi all!
>
> I'm wondering if it is possible to have Centos-7 automatically change
> firewall zones, depending on the network we connect to.
>
> my default zone is "home" and it has some ports open that probably
> shouldn't be open when I'm on someone else's network.
>
> so I'm thinking that if there's a way to have it always use home when
> I'm at home, and external when I'm not, it would be great.
>
> I see that firewall-cmd has a ton of options, but not sure which one(s)
> I'd need for switching. (I see one for setting default zone, but I didn't
> see one for setting current zone--maybe I'm blind).
>
> I'm also not at all sure how to invoke it at a proper time,... perhaps
> some udev rules?
>
>
> anyone got any wisdom they can drop on me?
>
>
The default zones are poorly named and should never have been included -
especially given most of them aren't in use on any given system.

For a look into how to make use of firewalld take a look at this:

https://www.hogarthuk.com/?q=node/9

 The best way to handle the scenario you describe would be multiple NM
connection profiles (don't have it set to auto) so that you can set
connection.zone correctly on each for the right network profile.

Then when you nmcli c up work (or home or whatever) to bring up that
connection profile it'll come up in the right zone.

This manual nmcli c up is only needed if these are ethernet profiles as
there's no link between subnet and connection profile

If these are WiFi connections NM already has different connection profiles
and picks one to match the SSID - so you could set the right
connection.zone in that.

The NM article goes into some details on connection profiles

https://www.hogarthuk.com/?q=node/8

Alternatively if you know the subnets that will be connecting to you at
work and home you could set your default profile to reject and create zones
with appropriate incoming rules bound to the source subnets contacting your
system.
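A check for the exposure this thread describes, added here as a Python helper rather than as the nmcli commands themselves (not code from any poster): it lists NetworkManager profiles that carry no explicit connection.zone, which is what makes them come up in firewalld's default zone, and prints the `nmcli connection modify` line that pins each one. The profile names, zones and the nmcli output it parses are constructed; on a host that has nmcli it reads the live profiles instead. Treating "home", "internal", "work" and "trusted" as permissive, and suggesting "public" as the pinned zone, are assumptions about local policy.

```python
"""Report NetworkManager profiles with no explicit firewalld zone.

A profile with an empty connection.zone comes up in firewalld's default zone,
so a permissive default such as "home" follows the machine onto other networks.
"""
import shutil
import subprocess
from typing import Dict, List, Optional

# Stock zones that open more than "public" does; calling them "permissive" and
# suggesting "public" for unpinned profiles are assumptions about local policy.
PERMISSIVE_ZONES = {"trusted", "home", "internal", "work"}
SUGGESTED_ZONE = "public"


def parse_terse(text: str) -> List[List[str]]:
    """Split `nmcli -t` output into rows of fields. Terse mode separates fields
    with ':' and escapes a literal ':' in a value as '\\:', so a plain
    str.split(':') would break such profile names."""
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        fields, cur, i = [], "", 0
        while i < len(line):
            ch = line[i]
            if ch == "\\" and i + 1 < len(line):
                cur += line[i + 1]      # escaped character, taken literally
                i += 2
                continue
            if ch == ":":
                fields.append(cur)
                cur = ""
            else:
                cur += ch
            i += 1
        fields.append(cur)
        rows.append(fields)
    return rows


def unzoned_profiles(profiles: Dict[str, Optional[str]]) -> List[str]:
    """Names (sorted) of profiles whose connection.zone is unset or empty."""
    return sorted(name for name, zone in profiles.items() if not zone)


def audit(default_zone: str, profiles: Dict[str, Optional[str]]) -> List[str]:
    """Remediation commands for profiles that would inherit a permissive
    default zone; an empty list means nothing needs pinning."""
    if default_zone not in PERMISSIVE_ZONES:
        return []
    return [
        'nmcli connection modify "%s" connection.zone %s  # currently inherits %s'
        % (name, SUGGESTED_ZONE, default_zone)
        for name in unzoned_profiles(profiles)
    ]


def collect_profiles() -> Dict[str, Optional[str]]:
    """Read profiles and their zones from the live system; {} without nmcli."""
    if shutil.which("nmcli") is None:
        return {}
    listing = subprocess.run(["nmcli", "-t", "-f", "NAME,TYPE", "connection", "show"],
                             capture_output=True, text=True, check=True).stdout
    profiles: Dict[str, Optional[str]] = {}
    for row in parse_terse(listing):
        if len(row) != 2 or row[1] == "loopback":
            continue
        zone_out = subprocess.run(
            ["nmcli", "-t", "-f", "connection.zone", "connection", "show", row[0]],
            capture_output=True, text=True, check=True).stdout
        zone_rows = parse_terse(zone_out)  # expected: [["connection.zone", "<zone>"]]
        profiles[row[0]] = zone_rows[0][1] if zone_rows and len(zone_rows[0]) > 1 else None
    return profiles


# Constructed sample in the shape of `nmcli -t -f NAME,TYPE connection show`
# (not captured from a real host); one name carries an escaped colon.
SAMPLE_LISTING = """home-wifi:802-11-wireless
Cafe\\: Guest:802-11-wireless
office-eth:802-3-ethernet
lo:loopback
"""
# Constructed zones for the sample; "" mirrors an unset connection.zone.
SAMPLE_ZONES = {"home-wifi": "home", "Cafe: Guest": "", "office-eth": "work"}


def sample_profiles() -> Dict[str, Optional[str]]:
    return {row[0]: SAMPLE_ZONES.get(row[0])
            for row in parse_terse(SAMPLE_LISTING) if row[1] != "loopback"}


if __name__ == "__main__":
    profiles = collect_profiles() or sample_profiles()
    # "home" stands in for the output of `firewall-cmd --get-default-zone`.
    for line in audit("home", profiles) or ["all profiles carry an explicit zone"]:
        print(line)
```

On a live host, substitute the output of `firewall-cmd --get-default-zone` for the hard-coded "home" before trusting the report.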


Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread Leon Fauster
On 24.03.2016 at 16:56, g wrote:
> On 03/24/16 09:29, Richard wrote:
>>> Date: Thursday, March 24, 2016 14:10:41 +
>>> From: Always Learning 
>>> On Wed, 2016-03-23 at 22:29 -0700, Alice Wonder wrote:
>>> 
>>> 
>>> Spread the successful Centos 'brand name' :-)
>> 
>> The user-agent string is one of the items used in uniquely
>> identifying/fingerprinting a user/machine, so the more generic it is
>> the better. Including the details of the OS add to the "bits of
>> identifying information" available to trackers.
>> 
>> See the EFF testing site for more details:
>> 
>>   
>> 
> --
> 
> aware of panopticlick.
> 
> if you have a file in profile directory, add this to it. if not,
> create file and paste this in it.
> 
>  //set user agent to blank
>  user_pref("general.useragent.override", " ");
> 


this makes you more identifiable ...

--
LF





Re: [CentOS-virt] KVM networking issue

2016-03-24 Thread Kevin Ross
Thanks, Mike. When running tcpdump on the VM I'm not seeing traffic
unless it's explicitly intended for that particular VM, so no traffic
between the other VMs is getting forwarded from the virtual interface
to the "network appliance" VM.

There is connectivity between the VMs on the private network and the
"network appliance" VM which is acting as a gateway.

Here's the output of the brctl command:

virbr1
 bridge id              8000.5254007e2f5b
 designated root        8000.5254007e2f5b
 root port                 0                   path cost                  0
 max age                  19.99                bridge max age            19.99
 hello time                1.99                bridge hello time          1.99
 forward delay             0.00                bridge forward delay       0.00
 ageing time             299.95
 hello timer               0.29                tcn timer                  0.00
 topology change timer     0.00                gc timer                   0.29
 hash elasticity           4                   hash max                 512
 mc last member count      2                   mc init query count        2
 mc router                 1                   mc snooping                1
 mc last member timer      0.99                mc membership timer      259.96
 mc querier timer        254.96                mc query interval        124.98
 mc response interval      9.99                mc init query interval    31.24
 flags


virbr1-nic (0)
 port id                                       state                  disabled
 designated root        8000.5254007e2f5b      path cost                100
 designated bridge      8000.5254007e2f5b      message age timer          0.00
 designated port        8001                   forward delay timer        0.00
 designated cost           0                   hold timer                 0.00
 mc router                 1
 flags

I'm not sure why virbr1-nic is showing up as disabled, and also why
the vnet# interfaces don't show up (they do show up on another host,
although VMs on that host are having the same non-promiscuous issue as
these VMs). I've tried this with and without NAT, as well as with STP
on/off with no effect.

Thanks,

Kevin
___
CentOS-virt mailing list
CentOS-virt@centos.org
https://lists.centos.org/mailman/listinfo/centos-virt


Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Александр Кириллов
> Indeed. There are several flaws in how mysql handles data. This is why
> to the best of my ability I am trying to avoid mysql, and use postgresql
> if whatever chunk of software I need is designed to work also with
> postgresql. And I recommend developers I work with/for the same (to use
> postgresql). These are good examples:
>
> https://www.youtube.com/watch?v=1PoFIohBSM4

http://dev.mysql.com/doc/refman/5.1/en/sql-mode.html#sql-mode-strict



Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread m . roth
John,

John R Pierce wrote:
> On 3/24/2016 7:48 AM, m.r...@5-cent.us wrote:
>> We seem to be moving to postgresql. I find I do not like it - it's much
>> more of a pain to work with than mysql is. Do you have any opinions
> >> about maria d/b? Are there improvements over the flaws you're aware
>> of with mysql?
>
> and I find mysql a real pain to work with.
>
> the biggest difference is, postgresql is much stricter about data
> types.   it will not, for example, allow you to store 2015-02-30 as a
> date.   also, postgres is very strict about the atomicity of
> transactions, its all or nothing.

And I have serious issues trying to figure out the structure of, say, the
barios d/b. But I did NOT ask for a comparison to postgresql, or care to
have any kind of argument about it at all. I was asking about mariadb vs.
mysql.

Oh, and the link I posted, to MySQL gotchas, that was last updated in '14?
I tried emailing them, at the link they gave, and my email bounced.

mark



Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread John R Pierce

On 3/24/2016 7:48 AM, m.r...@5-cent.us wrote:

> We seem to be moving to postgresql. I find I do not like it - it's much
> more of a pain to work with than mysql is. Do you have any opinions about
> maria d/b? Are there improvements over the flaws you're aware of with
> mysql?


and I find mysql a real pain to work with.

the biggest difference is, postgresql is much stricter about data 
types.   it will not, for example, allow you to store 2015-02-30 as a 
date.   also, postgres is very strict about the atomicity of 
transactions, its all or nothing.




--
john r pierce, recycling bits in santa cruz



[CentOS] firewalld question

2016-03-24 Thread Fred Smith
Hi all!

I'm wondering if it is possible to have Centos-7 automatically change
firewall zones, depending on the network we connect to.

my default zone is "home" and it has some ports open that probably
shouldn't be open when I'm on someone else's network.

so I'm thinking that if there's a way to have it always use home when
I'm at home, and external when I'm not, it would be great.

I see that firewall-cmd has a ton of options, but not sure which one(s)
I'd need for switching. (I see one for setting default zone, but I didn't
see one for setting current zone--maybe I'm blind).

I'm also not at all sure how to invoke it at a proper time,... perhaps
some udev rules?


anyone got any wisdom they can drop on me?

thanks!

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
 "God made him who had no sin
  to be sin for us, so that in him
 we might become the righteousness of God."
--- Corinthians 5:21 -


Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread Always Learning

On Thu, 2016-03-24 at 10:56 -0500, g wrote:

> > See the EFF testing site for more details:
> >
> >


> aware of panopticlick.

It states (calculator needed)

11.6% of browsers have time zone 0 (GMT)
10.0% of browsers have "Linux x86_64" (note this excludes Android) 
 4.0% of browsers have "en-GB"

> if you have a file in profile directory, add this to it. if not,
> create file and paste this in it.
> 
>   //set user agent to blank
>   user_pref("general.useragent.override", " ");

This can also be set, in Firefox, using about:config
Right-click new string,  etc.

> what makes you get a unique rating is that you report no agent. only
> info any site will know about you is your ip address.

Not exactly correct. See his site's
 "Show full results for fingerprinting"


-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.



Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Gordon Messmer

On 03/24/2016 10:13 AM, Always Learning wrote:

> I have never (not once) used non-prepared SQL statements, nor string
> concatenation, nor sprintf.


Perfect!


> mysql_real_escape_string() is useful for storing in tables words with
> apostrophes.


You shouldn't need to escape anything if you're using prepared statements.



Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread m . roth
Valeri Galtsev wrote:
>
> On Thu, March 24, 2016 10:32 am, Alice Wonder wrote:
>> On 03/24/2016 08:28 AM, m.r...@5-cent.us wrote:

> Ok, do you have a link or two to info about that?

> Mark, you seemed to snip away the link to presentation on youtube :
>
> https://www.youtube.com/watch?v=1PoFIohBSM4

Ok, now I *really* dislike videos. Since I'm not at home, and not putting
the video on a 42" TV, I *CANNOT* read most of what they're typing, and
the system responses not at all.

However, if, just before the video goes from the lead page announcing
"postgresql" to the video of them typing, for about a 3 sec pause, you
freeze the video, it says "this is from


Great, so here's the text. And I start reading
Excerpt:
The MySQL database server is being continually improved. Some gotchas
described here are no longer relevant for the latest versions; in these
cases the version numbers affected are noted at the top of each section.
As a rule gotchas have been tested against the most recent stable versions
from the 3.23.x, 4.0.x and 4.1.x series.
--- end excerpt ---

It says, at the bottom, that it was last updated in 2014.

When did mysql 5.0 come out - five years ago? more? Oh, sorry, I google
mysql 5.0 release, and I find release notes for 5.0.24... from TEN YEARS
AGO.

I don't really feel like testing out some of the site's gotcha in the
mysql we have running here... but everything here is from the std. base
repo, and for CentOS 6, is 5.1.73-5.

 mark

So, I don't have a lot of confidence in the gotchas, until I test it, or
find someone who's tested them in the last 10 years against the main
branch.

 mark




Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Always Learning

On Thu, 2016-03-24 at 09:40 -0700, Gordon Messmer wrote:

> Just to be clear: you absolutely should upgrade to a currently
> maintained version of MySQL.

Agreed. It's going to be rainy in England this Easter weekend, so am
contemplating upgrading the last production C5 to C6.

> However, upgrading will not protect you from SQL injection attacks.
> The probes you're seeing aren't targeting the SQL server.  They're
> targeting your php code.

Have already upgraded my PHP routine which blocks IP addresses when GET
data exceeds its acceptable field size.


-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.



Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Always Learning

On Thu, 2016-03-24 at 09:18 -0700, Gordon Messmer wrote:

> On 03/24/2016 07:57 AM, Always Learning wrote:
> > I should have imposed strict controls on the length of
> > parameters passed to programmes via web pages $_GET[] such as...
> > and reject any incoming string containing ' or " in addition to PHP's
> > strip_tags and (deprecated in later versions)
> > mysql_real_escape_string($_GET[''],$link);
> 
> No.  No.  No.
> 
> You're missing the point that everyone is trying to communicate to you.  
> Do not use string concatenation.  Do not use sprintf.  Do not use 
> mysql_real_escape_string().

I have never (not once) used non-prepared SQL statements, nor string
concatenation, nor sprintf.

mysql_real_escape_string() is useful for storing in tables words with
apostrophes.


-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.



Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Gordon Messmer
On Thu, Mar 24, 2016 at 9:08 AM, Always Learning  wrote:
>> I can't stress enough, mysql-5.0 on el5 is absolutely not updated
>> security wise.
>
> Thanks. Reading it now.

Just to be clear: you absolutely should upgrade to a currently
maintained version of MySQL.

However, upgrading will not protect you from SQL injection attacks.
The probes you're seeing aren't targeting the SQL server.  They're
targeting your php code.


Re: [CentOS-virt] KVM networking issue

2016-03-24 Thread Mike - st257
On Tue, Mar 22, 2016 at 1:57 PM, Kevin Ross  wrote:

> Hi Mike,
>
> Thanks for the info. I'd rather run monitoring such as tcpdump from
> the VM if possible and not the host as a simulation of a network
>

Then run tcpdump on the VM. Same command or commands you'd have ran on the
host node.


> appliance and with the intent eventually of giving others access to
> the VM and not the host. Here is the xml file for the private network:
>
> 
>
> 
>   virbr1
>   
>   
>   
>   
>   
>   
> 
>
> There are two VMs connected to this interface, and the monitoring or
> "appliance" VM is connected to both this and the external interface.


I take it you've tried testing basic connectivity from the VMs to whatever
default gateway is in place?

I see Spanning Tree is enabled, so you might check that an interface isn't
in the blocking state.
brctl showstp  | egrep '^(em|eth|vnet)|state'

I don't use the NAT network mode for KVM, so hopefully someone else can
chime in on that piece.

-- 
---~~.~~---
Mike
//  SilverTip257  //


Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread g

now i goofed. :-\

On 03/24/16 11:13, g wrote:

<<<>>>

> aware of panopticlick.
>
> if you have a file in profile directory,
>
--

above should read;

  if you have file "user.js" in profile directory,

> add this to it. if not,
> create file and paste this in it.
>
>   //set user agent to blank
>   user_pref("general.useragent.override", " ");
>
> what makes you get a unique rating is that you report no agent. only
> info any site will know about you is your ip address.
>
> if you want to hide that, use a proxy server. ((GBWG))
>


-- 
peace out.

If Bill Gates got a dime for every time Windows crashes...
 ...oh, wait. He does. THAT explains it!
-+-
in a world with out fences, who needs gates.

CentOS GNU/Linux 6.7

tc,hago.

g
.



Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Gordon Messmer

On 03/24/2016 07:57 AM, Always Learning wrote:

> I should have imposed strict controls on the length of
> parameters passed to programmes via web pages $_GET[] such as...
> and reject any incoming string containing ' or " in addition to PHP's
> strip_tags and (deprecated in later versions)
> mysql_real_escape_string($_GET[''],$link);


No.  No.  No.

You're missing the point that everyone is trying to communicate to you.  
Do not use string concatenation.  Do not use sprintf.  Do not use 
mysql_real_escape_string().


Use prepared statements.
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
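Gordon's two points in this thread, that a bound parameter needs no escaping (Paul's words with apostrophes) and that rejecting quote characters plus mysql_real_escape_string() is not a defence against the "Union Select" probes being discussed, as an added example in Python against an in-memory SQLite database, not the PHP/mysqli code the thread is about and not any poster's code. The tables, rows and probe string are constructed, and escape_like_mysql() is a stand-in for mysql_real_escape_string().

```python
"""Prepared statements versus the quote filter plus escaping discussed above.

Runs against an in-memory SQLite database; the schema, rows and the probe
string are constructed for this demonstration.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Two constructed tables: the one a page is meant to read, and one it is not."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);
        INSERT INTO articles VALUES (1, 'Welcome'), (2, 'Second post');
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash');
    """)
    return db


def has_quotes(value: str) -> bool:
    """The input filter proposed in the thread: reject any ' or \"."""
    return "'" in value or '"' in value


def escape_like_mysql(value: str) -> str:
    """Stand-in for mysql_real_escape_string(): backslash-escape the characters
    it handles. Enough for the demonstration, not a drop-in replacement."""
    out = value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return out.replace("\0", "\\0").replace("\n", "\\n").replace("\r", "\\r")


def article_concat(db: sqlite3.Connection, article_id: str) -> List[Tuple]:
    """Vulnerable pattern: the request value is spliced into the SQL text,
    after the quote filter and the escaping that the thread proposed."""
    if has_quotes(article_id):
        raise ValueError("rejected: quote character in input")
    sql = "SELECT id, title FROM articles WHERE id = " + escape_like_mysql(article_id)
    return db.execute(sql).fetchall()


def article_prepared(db: sqlite3.Connection, article_id: str) -> List[Tuple]:
    """Hardened pattern: the value is bound as a parameter, so the database
    compares it with the id column and never parses it as SQL."""
    return db.execute("SELECT id, title FROM articles WHERE id = ?",
                      (article_id,)).fetchall()


# Constructed probe in the shape of the "Union Select" requests the thread
# describes: it contains no quote character, so has_quotes() passes it and
# escape_like_mysql() leaves it unchanged.
PROBE = "1 UNION SELECT name, pw_hash FROM users"


def store_title(db: sqlite3.Connection, title: str) -> str:
    """Apostrophes with a bound parameter: stored verbatim, no escaping needed."""
    db.execute("INSERT INTO articles (title) VALUES (?)", (title,))
    return db.execute("SELECT title FROM articles "
                      "WHERE id = last_insert_rowid()").fetchone()[0]


def store_title_escaped_then_bound(db: sqlite3.Connection, title: str) -> str:
    """Escaping a value and then binding it stores the backslashes as data,
    which is the double-escaping bug that mixing the two techniques causes."""
    db.execute("INSERT INTO articles (title) VALUES (?)", (escape_like_mysql(title),))
    return db.execute("SELECT title FROM articles "
                      "WHERE id = last_insert_rowid()").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("spliced after filter+escape:", article_concat(db, PROBE))
    print("bound parameter:            ", article_prepared(db, PROBE))
    print("apostrophe, bound:          ", store_title(db, "O'Brien's post"))
    print("apostrophe, escaped+bound:  ", store_title_escaped_then_bound(db, "O'Brien's post"))
```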


Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread g

resend. yuckahoo bounced another post.

On 03/24/16 09:29, Richard wrote:
>> Date: Thursday, March 24, 2016 14:10:41 +
>> From: Always Learning 
>> On Wed, 2016-03-23 at 22:29 -0700, Alice Wonder wrote:
>>
>>> What purpose does it serve? I don't object to it being there
>>>  but I also don't see a benefit to it being there.
>>>
>>> Ubuntu btw is not exactly a distribution I want RHEL/EPEL/CentOS 
>>> developers to emulate...
>>
>> Spread the successful Centos 'brand name' :-)
>
> The user-agent string is one of the items used in uniquely
> identifying/fingerprinting a user/machine, so the more generic it is
> the better. Including the details of the OS add to the "bits of
> identifying information" available to trackers.
>
> See the EFF testing site for more details:
>
>
>
--

aware of panopticlick.

if you have a file in profile directory, add this to it. if not,
create file and paste this in it.

  //set user agent to blank
  user_pref("general.useragent.override", " ");

what makes you get a unique rating is that you report no agent. only
info any site will know about you is your ip address.

if you want to hide that, use a proxy server. ((GBWG))


-- 
peace out.

If Bill Gates got a dime for every time Windows crashes...
 ...oh, wait. He does. THAT explains it!
-+-
in a world with out fences, who needs gates.

CentOS GNU/Linux 6.7

tc,hago.

g
.



Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Valeri Galtsev

On Thu, March 24, 2016 10:28 am, m.r...@5-cent.us wrote:
> Valeri Galtsev wrote:
>>
>> On Thu, March 24, 2016 9:48 am, m.r...@5-cent.us wrote:
>>> Valeri Galtsev wrote:
>>>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>>>>> mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>>>>> readline 5.1
>>>>
>>>> Indeed. There are several flaws in how mysql handles data. This is why
>>>
>>> Ok, do you have a link or two to info about that?
>>
>> Mark, you seemed to snip away the link to presentation on youtube :
>>
>> https://www.youtube.com/watch?v=1PoFIohBSM4
>>
> Oh. I really dislike videos of people explaining something I could read,
> if they'd just typed it up (I mean the author, not you). But I suppose
> I'll watch it.
> 
>>> We seem to be moving to postgresql.
>>
>> Great!
>>
>>> I find I do not like it - it's much
>>> more of a pain to work with than mysql is. Do you have any opinions
>>> about meria d/b? Are there improvements over the flaws you're aware
>>> of with mysql?
>>
>> Mariadb being a fork of mysql likely inherited mysql's
>> "inconsistencies".
>> Not that I would say mysql (and mariadb surely) folks are not working on
>> improvements. E.g., the default installation of latest mysql does not
>> have
>> any accounts with empty password (I was weeding these away for years
>> with
>> every new installation of mysql. Oh, well, maybe I'm wrong, as this I
>> just
>> had seen fixed on FreeBSD, so it is possible that package maintainer did
>> this nice cleaning). I'm not the one who can have any opinion on
>> something
>>  (mariadb) which he doesn't use, still...
>
> Well, remember that it was forked after the Evil Empire took over mysql. I
> just wonder if Oracle is *not* fixing some security issues... because they
> obviously want you to "fix" that problem by simply buying Oracle. With
> that train of thought, that's why I'm wondering if the mariad/b team *is*
> fixing the issues.

I was going to add the following, and I didn't. This actually is not about
mysql or mariadb vs postgresql, but more about one's general approach to
what you will choose. Way back when there were continuing security issues
with sendmail (which were being promptly fixed, still...) I was looking
for what I could use as mail server software. And I chose postfix, as it
was architectured from the very beginning with security in mind. There
probably will be no often need of fixing issues, as from the very
beginning the code was created so to have as minimal number of potential
issues as possible. I don't invite into jumping in discussion about
variety of particular MTA etc. I was just trying to say in general:
something better written from the very beginning vs something that needs
many fixes. The last, BTW, will more likely make you suffering down the
road because of the change of internals with upgrade to next version etc.

I hope I managed to convey the thought...

Valeri


Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Always Learning

On Thu, 2016-03-24 at 10:48 -0500, Johnny Hughes wrote:


> I guarantee that the 5.0.95 packages have security issues. Here is how
> to move to the newer mysql55 packages:
> 
> http://red.ht/1pAcb7q
> 
> I can't stress enough, mysql-5.0 on el5 is absolutely not updated
> security wise.  The last update to it happened on 22-Jan-2013 and was in
> CentOS-5.9 .. we are now in 5.11 and there have been upgrades to mysql55
> since then to fix security issues.
> 
> Here is more info on this MySQL 5.0 to 5.5 upgrade, that was required
> starting in CentOS 5.10.
> 
> http://red.ht/1o8VkHN
> 
> http://red.ht/1UK30hR
> 
> http://red.ht/1q48NT5

Thanks. Reading it now.



-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.




Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Johnny Hughes
On 03/24/2016 10:48 AM, Johnny Hughes wrote:
> On 03/24/2016 03:54 AM, Leon Fauster wrote:
>> On 24.03.2016 at 04:21, Always Learning wrote:
>>> mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>>> readline 5.1
>>
>>
>>
>> Current version on C5 is mysql55, 5.0 does not get any updates anymore!
>>
> 
> Let me reiterate this:
> 
> the mysql-5.0.95* packages are not supported.  A very long time ago, Red
> Hat upgraded mysql for el5 to an SCL.  The current supported version is:
> 
> 
> mysql55-mysql-5.5.45-1.el5*
> 
> I guarantee that the 5.0.95 packages have security issues. Here is how
> to move to the newer mysql55 packages:
> 
> http://red.ht/1pAcb7q
> 
> I can't stress enough, mysql-5.0 on el5 is absolutely not updated
> security wise.  The last update to it happened on 22-Jan-2013 and was in
> CentOS-5.9 .. we are now in 5.11 and there have been upgrades to mysql55
> since then to fix security issues.
> 
> Here is more info on this MySQL 5.0 to 5.5 upgrade, that was required
> starting in CentOS 5.10.
> 
> http://red.ht/1o8VkHN
> 
> http://red.ht/1UK30hR
> 
> http://red.ht/1q48NT5

This should not be news to anyone .. it was in the CentOS-5.10 release
notes:

https://wiki.centos.org/Manuals/ReleaseNotes/CentOS5.10

(first two bullets in 'New Features' section)

There were also discussions on this list:

https://lists.centos.org/pipermail/centos/2013-October/137939.html

Thanks,
Johnny Hughes











Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Johnny Hughes
On 03/24/2016 03:54 AM, Leon Fauster wrote:
> On 24.03.2016 at 04:21, Always Learning wrote:
>> mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>> readline 5.1
> 
> 
> 
> Current version on C5 is mysql55, 5.0 does not get any updates anymore!
> 

Let me reiterate this:

the mysql-5.0.95* packages are not supported.  A very long time ago, Red
Hat upgraded mysql for el5 to an SCL.  The current supported version is:


mysql55-mysql-5.5.45-1.el5*

I guarantee that the 5.0.95 packages have security issues. Here is how
to move to the newer mysql55 packages:

http://red.ht/1pAcb7q

I can't stress enough, mysql-5.0 on el5 is absolutely not updated
security wise.  The last update to it happened on 22-Jan-2013 and was in
CentOS-5.9 .. we are now in 5.11 and there have been upgrades to mysql55
since then to fix security issues.

Here is more info on this MySQL 5.0 to 5.5 upgrade, that was required
starting in CentOS 5.10.

http://red.ht/1o8VkHN

http://red.ht/1UK30hR

http://red.ht/1q48NT5

Thanks,
Johnny Hughes






Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread g


On 03/24/16 09:10, Always Learning wrote:
> On Wed, 2016-03-23 at 22:29 -0700, Alice Wonder wrote:
>
>> What purpose does it serve? I don't object to it being there
>>  but I also don't see a benefit to it being there.
>>
>> Ubuntu btw is not exactly a distribution I want RHEL/EPEL/CentOS 
>> developers to emulate...
>
> Spread the successful Centos 'brand name' :-)
>
--

see my reply to Richard.


-- 
peace out.

If Bill Gates got a dime for every time Windows crashes...
 ...oh, wait. He does. THAT explains it!
-+-
in a world with out fences, who needs gates.

CentOS GNU/Linux 6.7

tc,hago.

g
.



Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Valeri Galtsev

On Thu, March 24, 2016 10:32 am, Alice Wonder wrote:
> On 03/24/2016 08:28 AM, m.r...@5-cent.us wrote:
>> Valeri Galtsev wrote:
>>>
>>> On Thu, March 24, 2016 9:48 am, m.r...@5-cent.us wrote:
>>>> Valeri Galtsev wrote:
>>>>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>>>>>> mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>>>>>> readline 5.1
>>>>>
>>>>> Indeed. There are several flaws in how mysql handles data. This is
>>>>> why
>>>>
>>>> Ok, do you have a link or two to info about that?
>>>
>>> Mark, you seemed to snip away the link to presentation on youtube :
>>>
>>> https://www.youtube.com/watch?v=1PoFIohBSM4
>>>
>> Oh. I really dislike videos of people explaining something I could read,
>> if they'd just typed it up (I mean the author, not you). But I
>> suppose
>> I'll watch it.
>
> I'm with you there. It is getting worse because people are trying to
> monetize it with the ads that YouTube plays first.
>
> But you can't scan it, easily move back when you need to, etc.
>
> I wish more online help and tutorials were text like they use to be.

I agree with you both, gentlemen. But I gave the link I had handy. It is
kind of laziness on my part, I admit: I decided to not invest into search
of convenient equivalent, and gave something I already had reference to,
letting those who are interested find out either from this video or find
better - readable - source. If someone finds better source, I would
appreciate it. As my users will benefit if I refer them to better
digestible presentation. Thanks in advance!

Valeri


Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Valeri Galtsev

On Thu, March 24, 2016 9:48 am, m.r...@5-cent.us wrote:
> Valeri Galtsev wrote:
>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>>> mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>>> readline 5.1
>>
>> Indeed. There are several flaws in how mysql handles data. This is why
>> to
>
> Ok, do you have a link or two to info about that?

Mark, you seemed to snip away the link to presentation on youtube :

https://www.youtube.com/watch?v=1PoFIohBSM4

which I gave in my post. That even though a bit old, was instructive for me.

>
>> the best of my ability I am trying to avoid mysql, and use postgresql if
>> whatever chunk of software I need is designed to work also with
>> postgresql. And I recommend developers I work with/for the same (to use
>
> We seem to be moving to postgresql.

Great!

> I find I do not like it - it's much
> more of a pain to work with than mysql is. Do you have any opinions about
> meria d/b? Are there improvements over the flaws you're aware of with
> mysql?

Mariadb being a fork of mysql likely inherited mysql's "inconsistencies".
Not that I would say mysql (and mariadb surely) folks are not working on
improvements. E.g., the default installation of latest mysql does not have
any accounts with empty password (I was weeding these away for years with
every new installation of mysql. Oh, well, maybe I'm wrong, as this I just
had seen fixed on FreeBSD, so it is possible that package maintainer did
this nice cleaning). I'm not the one who can have any opinion on something
 (mariadb) which he doesn't use, still...

Valeri

> 
>
> mark
>
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
>



Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Alice Wonder

On 03/24/2016 08:28 AM, m.r...@5-cent.us wrote:
> Valeri Galtsev wrote:
>>
>> On Thu, March 24, 2016 9:48 am, m.r...@5-cent.us wrote:
>>> Valeri Galtsev wrote:
>>>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>>>>> mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>>>>> readline 5.1
>>>>
>>>> Indeed. There are several flaws in how mysql handles data. This is why
>>>
>>> Ok, do you have a link or two to info about that?
>>
>> Mark, you seemed to snip away the link to presentation on youtube :
>>
>> https://www.youtube.com/watch?v=1PoFIohBSM4
>>
> Oh. I really dislike videos of people explaining something I could read,
> if they'd just typed it up (I mean the author, not you). But I suppose
> I'll watch it.

I'm with you there. It is getting worse because people are trying to
monetize it with the ads that YouTube plays first.

But you can't scan it, easily move back when you need to, etc.

I wish more online help and tutorials were text like they used to be.



Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread m . roth
Valeri Galtsev wrote:
>
> On Thu, March 24, 2016 9:48 am, m.r...@5-cent.us wrote:
>> Valeri Galtsev wrote:
>>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>>>> mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>>>> readline 5.1
>>>
>>> Indeed. There are several flaws in how mysql handles data. This is why
>>
>> Ok, do you have a link or two to info about that?
>
> Mark, you seemed to snip away the link to presentation on youtube :
>
> https://www.youtube.com/watch?v=1PoFIohBSM4
>
Oh. I really dislike videos of people explaining something I could read,
if they'd just typed it up (I mean the author, not you). But I suppose
I'll watch it.

>> We seem to be moving to postgresql.
>
> Great!
>
>> I find I do not like it - it's much
>> more of a pain to work with than mysql is. Do you have any opinions
>> about meria d/b? Are there improvements over the flaws you're aware
>> of with mysql?
>
> Mariadb being a fork of mysql likely inherited mysql's "inconsistencies".
> Not that I would say mysql (and mariadb surely) folks are not working on
> improvements. E.g., the default installation of latest mysql does not have
> any accounts with empty password (I was weeding these away for years with
> every new installation of mysql. Oh, well, maybe I'm wrong, as this I just
> had seen fixed on FreeBSD, so it is possible that package maintainer did
> this nice cleaning). I'm not the one who can have any opinion on something
>  (mariadb) which he doesn't use, still...

Well, remember that it was forked after the Evil Empire took over mysql. I
just wonder if Oracle is *not* fixing some security issues... because they
obviously want you to "fix" that problem by simply buying Oracle. With
that train of thought, that's why I'm wondering if the mariad/b team *is*
fixing the issues.

  mark



Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Always Learning

On Thu, 2016-03-24 at 08:00 -0700, Alice Wonder wrote:

> I would shift to CentOS 7.

With the, among others, systemd controversy I dread moving to C7. C6
works well and having just one version of an operating system simplifies
everything. I also lack sufficient time to explore and learn the C7
differences and changes of operational logic.

C6 is, from my perspective, very similar to C5. C7 is not.


-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.



Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Always Learning

On Thu, 2016-03-24 at 14:27 +0300, Александр Кириллов wrote:

> This is obviously an application level problem. What is this php file?
> You should upgrade wordpress and remove or block access to the plugin or 
> custom page which allows sql injections.

Yes, my mistake. I should have imposed strict controls on the length of
parameters passed to programmes via web pages $_GET[] such as:-

 UNION SELECT
CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45),CHAR(45,120,49,55,45,81,45),CHAR(45,120,49,56,45,81,45),CHAR(45,120,49,57,45,81,45),CHAR(45,120,50,48,45,81,45),CHAR(45,120,50,49,45,81,45),CHAR(45,120,50,50,45,81,45),CHAR(45,120,50,51,45,81,45)
 --  /*

and reject any incoming string containing ' or " in addition to PHP's
strip_tags and (deprecated in later versions)
mysql_real_escape_string($_GET[''],$link);

I do not use Wordpress or anything like it.



-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.

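The controls described in this post (a length limit on the web key, rejection of any value containing ' or ", and an iptables block of the sender) as an added example that is not the poster's code: a scanner over constructed access-log records that applies those two rules to the decoded key parameter and renders the block rules. The 16-character limit, the parameter name `key`, and the log lines themselves are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Policy values are assumptions for this example: the post only says the key
# was "excessively long" and that strings containing ' or " are rejected.
MAX_KEY_LEN = 16
FORBIDDEN_CHARS = frozenset("'\"")

# Apache combined-format record: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Constructed sample records (TEST-NET addresses), modelled on the page's
# "?key=123456" lookup and the "876711' UNION SELECT ..." request it logged.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Mar/2016:10:21:07 +0000] "GET /show.php?key=123456 '
    'HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Mar/2016:10:21:09 +0000] "GET /show.php?key=876711%27'
    '+UNION+SELECT+13%2Ccount%28%2A%29+FROM+information_schema.TABLES+WHERE'
    '+TABLE_NAME+LIKE+%22%25wp_users%25%22+--+%2F%2A HTTP/1.1" 200 1024 "-" "-"',
    '198.51.100.9 - - [24/Mar/2016:10:22:31 +0000] "GET /show.php?key='
    '1234567890123456789012345678901234567890 HTTP/1.1" 200 512 "-" "curl/7.29.0"',
    '203.0.113.8 - - [24/Mar/2016:10:23:02 +0000] "GET /show.php?key=42%27 '
    'HTTP/1.1" 200 512 "-" "curl/7.29.0"',
    '203.0.113.5 - - [24/Mar/2016:10:23:40 +0000] "GET /index.php HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
    'this line is not an access-log record at all',
]


def extract_key(target):
    """Return the first 'key' query parameter of a request target, decoded
    the way a PHP $_GET[] lookup would see it (%27 -> ', + -> space), or
    None when the request carries no such parameter."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = params.get("key")
    return values[0] if values else None


def key_violations(value):
    """Apply the post's two rules to one decoded key value and name each
    rule it breaks."""
    reasons = []
    if len(value) > MAX_KEY_LEN:
        reasons.append("too_long")
    if FORBIDDEN_CHARS & set(value):
        reasons.append("quote")
    return reasons


def scan_log(lines):
    """Map each offending client address to the set of rules it broke.
    Malformed records and requests without a key parameter are skipped."""
    offenders = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        key = extract_key(m.group("target"))
        if key is None:
            continue
        reasons = key_violations(key)
        if reasons:
            offenders.setdefault(m.group("ip"), set()).update(reasons)
    return offenders


def iptables_rules(offenders):
    """Render one DROP rule per offending address; they are returned as
    strings so the caller decides whether and how to apply them."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(offenders)]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, reasons in sorted(found.items()):
        print(ip, sorted(reasons))
    for rule in iptables_rules(found):
        print(rule)
```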


Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Alice Wonder

On 03/24/2016 07:33 AM, Always Learning wrote:
*snip*
> Thank you. That server is the last production server on C5. I need to
> shift it to C6 and Maria 10.
>
> I am 'always learning' security is a perpetual task. Thankfully I always
> read the daily logs and reports (an arduous task).
>
> Many thanks.

I would shift to CentOS 7.

Always deploy the latest version of CentOS unless you know something you
have absolutely will not work in it.

That's my philosophy.

That doesn't mean I upgrade as soon as a new version comes out, though I
frequently do simply because there are advantages with the new versions
of software.



Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Always Learning

On Thu, 2016-03-24 at 04:08 -0700, Alice Wonder wrote:

> Always use parameterized statements (aka prepared statements) for SQL 
> that involves untrusted input.
> 
> I like to use them even for input that involves trusted input because it 
> is easy to make a change in my code and not think about how it impacts 
> the parameters.
> 
> -=-
> 
> This is an attack on WordPress ??? Or just trying to get WordPress 
> database from a different app?
> 
> Be careful with WordPress - its database handler doesn't actually use 
> parameterized statements, it emulates them with printf - one (of many) 
> reasons I do not like the product.
> 
> If it is not an attack on WordPress directly - your WordPress database 
> should be using a different uname/pass from anything else, so actual 
> queries for data should fail.

I write my own database applications (each has its own unique user-id
and password and only essential permissions on tables) and do not use
any packaged solution. Thus no Wordpress or anything like it.

The hacker tried many variants like this - which baffle me.

' UNION SELECT (-x1-Q-,-x2-Q-,-x3-Q-,-x4-Q-,-x5-Q-,-x6-Q-)

' UNION SELECT 1,CONCAT(ddd,[X],file_priv,[XX],3,4,5,6,7,8 FROM
mysql.user limit 0,1  (I do not have mysql.user)

' UNION SELECT 13,CONCAT([X],count(*),[X],13,13,13,13,13,13 FROM
information_schema.TABLES WHERE `TABLE_NAME` LIKE "%wp_users%"   -- /*
order by 'as

LIKE "%user%"
LIKE "%usr%"
LIKE "%phpbb%"
LIKE "»%"
LIKE "­m%"
LIKE "%member%"
LIKE "%forum%"
LIKE "%reg%"
LIKE "%moder%"
LIKE "%ftp%"
LIKE "%jos%"
LIKE "¬ces%"
LIKE "%wso%"



>> On 24.03.2016 at 09:54:11 +0100, Leon Fauster wrote:
>>
>> Current version on C5 is mysql55, 5.0 does not get any updates
>> anymore!

Thank you. That server is the last production server on C5. I need to
shift it to C6 and Maria 10.

I am 'always learning' security is a perpetual task. Thankfully I always
read the daily logs and reports (an arduous task).

Many thanks.

-- 


Paul.
England, EU.  England's place is in the European Union amid our
European brothers and sisters and even our betters.





Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread m . roth
Valeri Galtsev wrote:
> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>> mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>> readline 5.1
>
> Indeed. There are several flaws in how mysql handles data. This is why to

Ok, do you have a link or two to info about that?

> the best of my ability I am trying to avoid mysql, and use postgresql if
> whatever chunk of software I need is designed to work also with
> postgresql. And I recommend developers I work with/for the same (to use

We seem to be moving to postgresql. I find I do not like it - it's much
more of a pain to work with than mysql is. Do you have any opinions about
meria d/b? Are there improvements over the flaws you're aware of with
mysql?


mark



Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Valeri Galtsev

On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
> mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
> readline 5.1
>
>
> I spotted something strange and immediately installed a routine to
> automatically impose an iptables block when the key used for database
> access is excessively long.

Indeed. There are several flaws in how mysql handles data. This is why to
the best of my ability I am trying to avoid mysql, and use postgresql if
whatever chunk of software I need is designed to work also with
postgresql. And I recommend developers I work with/for the same (to use
postgresql). These are good examples:

https://www.youtube.com/watch?v=1PoFIohBSM4

I know, this may inflame [***]SQL wars here, but I hope, this will help
somewhat those who are not married to mysql (yet).

Just my $0.02

Valeri

>
> My URL was something like this
>
> ././.php?key=123456
>
> The injection was something like this
>
> ././.php?key=876711' UNION SELECT
> 13,CONCAT([X],count(*),[X],13,13,13,13,13,13 FROM
> information_schema.TABLES WHERE `TABLE_NAME` LIKE "%wp_users%"   -- /*
> order by 'as
>
> There are no user permissions on information_schema.
>
> There seems to be 2 versions of the coding floating around on Austrian
> and Russian IPs. One is ineffective but the other works. It seems the
> author is expert in the intricate structure and design of SQL.
>
>
>
> --
> Regards,
>
> Paul.
> England, EU.  England's place is in the European Union.
>
> ___
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
>



Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread Richard


> Date: Thursday, March 24, 2016 14:10:41 +
> From: Always Learning 
> 
> On Wed, 2016-03-23 at 22:29 -0700, Alice Wonder wrote:
> 
>> What purpose does it serve? I don't object to it being there
>>  but I also don't see a benefit to it being there.
>> 
>> Ubuntu btw is not exactly a distribution I want RHEL/EPEL/CentOS 
>> developers to emulate...
> 
> Spread the successful Centos 'brand name' :-)


The user-agent string is one of the items used in uniquely
identifying/fingerprinting a user/machine, so the more generic it is
the better. Including the details of the OS adds to the "bits of
identifying information" available to trackers.

See the EFF testing site for more details:

   




Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Alice Wonder

On 03/24/2016 04:53 AM, Александр Кириллов wrote:
>> Be careful with WordPress - its database handler doesn't actually use
>> parameterized statements, it emulates them with printf - one (of many)
>> reasons I do not like the product.
>
> This is a rather controversial statement. There's nothing wrong with
> using sprintf when building sql queries. Besides
>
> "Using a prepared statement is not always the most efficient way of
> executing a statement. A prepared statement executed only once causes
> more client-server round-trips than a non-prepared statement."

The only time database has ever been a bottleneck for me is when I am
not using something like apcu to cache query results. Use of prepared
statements is slower for single queries never repeated but not the
bottleneck in any application I've dealt with.

WordPress's lack of genuine prepared statements has however caused me
issues when I would like to make a query that is used more than once
with different parameters.



Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread Always Learning

On Wed, 2016-03-23 at 22:29 -0700, Alice Wonder wrote:


> What purpose does it serve? I don't object to it being there
>  but I also don't see a benefit to it being there.
> 
> Ubuntu btw is not exactly a distribution I want RHEL/EPEL/CentOS 
> developers to emulate...

Spread the successful Centos 'brand name' :-)

-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.



[CentOS] CentOS-announce Digest, Vol 133, Issue 11

2016-03-24 Thread centos-announce-request
Send CentOS-announce mailing list submissions to
centos-annou...@centos.org

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.centos.org/mailman/listinfo/centos-announce
or, via email, send a message with subject or body 'help' to
centos-announce-requ...@centos.org

You can reach the person managing the list at
centos-announce-ow...@centos.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of CentOS-announce digest..."


Today's Topics:

   1. CESA-2016:0492 Moderate CentOS 6 tomcat6 Security Update
  (Johnny Hughes)
   2. CESA-2016:0493 Moderate CentOS 6 krb5 Security Update
  (Johnny Hughes)
   3. CESA-2016:0491 Moderate CentOS 6 foomatic Security Update
  (Johnny Hughes)
   4. CESA-2016:0494 Moderate CentOS 6 kernel Security Update
  (Johnny Hughes)
   5. CESA-2016:0496 Important CentOS 6 git Security Update
  (Johnny Hughes)
   6. CESA-2016:0496 Important CentOS 7 git Security Update
  (Johnny Hughes)


--

Message: 1
Date: Wed, 23 Mar 2016 13:09:57 +
From: Johnny Hughes 
To: centos-annou...@centos.org
Subject: [CentOS-announce] CESA-2016:0492 Moderate CentOS 6 tomcat6 Security Update
Message-ID: <20160323130957.ga38...@n04.lon1.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Security Advisory 2016:0492 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-0492.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 




-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #cen...@irc.freenode.net
Twitter: @JohnnyCentOS



--

Message: 2
Date: Wed, 23 Mar 2016 13:10:27 +
From: Johnny Hughes 
To: centos-annou...@centos.org
Subject: [CentOS-announce] CESA-2016:0493 Moderate CentOS 6 krb5 Security Update
Message-ID: <20160323131027.ga38...@n04.lon1.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Security Advisory 2016:0493 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-0493.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 


Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Александр Кириллов

> Be careful with WordPress - its database handler doesn't actually use
> parameterized statements, it emulates them with printf - one (of many)
> reasons I do not like the product.

This is a rather controversial statement. There's nothing wrong with
using sprintf when building sql queries. Besides

"Using a prepared statement is not always the most efficient way of
executing a statement. A prepared statement executed only once causes
more client-server round-trips than a non-prepared statement."




Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Александр Кириллов

This is obviously an application level problem. What is this php file?
You should upgrade wordpress and remove or block access to the plugin or 
custom page which allows sql injections.


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Alice Wonder

On 03/23/2016 08:21 PM, Always Learning wrote:

> mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
> readline 5.1
>
> I spotted something strange and immediately installed a routine to
> automatically impose an iptables block when the key used for database
> access is excessively long.
>
> My URL was something like this
>
> ././.php?key=123456
>
> The injection was something like this
>
> ././.php?key=876711' UNION SELECT
> 13,CONCAT([X],count(*),[X],13,13,13,13,13,13 FROM
> information_schema.TABLES WHERE `TABLE_NAME` LIKE "%wp_users%"   -- /*
> order by 'as
>
> There are no user permissions on information_schema.
>
> There seem to be 2 versions of the coding floating around on Austrian
> and Russian IPs. One is ineffective but the other works. It seems the
> author is an expert in the intricate structure and design of SQL.

Always use parameterized statements (aka prepared statements) for SQL 
that involves untrusted input.


I like to use them even for input that involves trusted input because it 
is easy to make a change in my code and not think about how it impacts 
the parameters.


-=-

This is an attack on WordPress ??? Or just trying to get WordPress 
database from a different app?


Be careful with WordPress - its database handler doesn't actually use 
parameterized statements, it emulates them with printf - one (of many) 
reasons I do not like the product.


If it is not an attack on WordPress directly - your WordPress database 
should be using a different uname/pass from anything else, so actual 
queries for data should fail.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
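The following is an added example, not code from the thread or from WordPress: it replays a payload of the same shape as the one quoted above against the three ways of building the same ?key= query that the thread argues about (raw sprintf, sprintf plus escaping, a real bind parameter). Python's sqlite3 stands in for PHP/MySQL so it runs offline; sqlite_master stands in for information_schema.TABLES. The table and column names (items, access_key, wp_users) and the lookup functions are assumed for the example.

```python
# Added example, not from the thread: the posted ?key= injection replayed
# against three ways of building the same query. Python's sqlite3 stands in
# for PHP/MySQL so it runs offline; sqlite_master stands in for
# information_schema.TABLES. Table and column names are assumed.
import sqlite3

# Payload with the same shape as the one posted: close the quoted literal,
# UNION in a row whose second column counts catalogue entries that look like
# wp_users, then comment out the remainder of the original statement.
PAYLOAD = (
    "876711' UNION SELECT 13, (SELECT count(*) FROM sqlite_master "
    "WHERE name LIKE '%wp_users%') -- "
)


def make_db() -> sqlite3.Connection:
    """Constructed schema: the table the ?key= page really reads, plus a
    wp_users table whose presence the attacker is probing for."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE items (id INTEGER, name TEXT, access_key TEXT);
        INSERT INTO items VALUES (1, 'public item', '123456');
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', 'hash-goes-here');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, key: str) -> list:
    """printf-style interpolation of the raw request value: the bug."""
    sql = "SELECT id, name FROM items WHERE access_key = '%s'" % key
    return conn.execute(sql).fetchall()


def lookup_escaped(conn: sqlite3.Connection, key: str) -> list:
    """sprintf plus escaping, the emulation approach the thread argues about.
    Doubling the quote is the correct rule for an SQLite string literal; it
    is NOT sufficient for MySQL (backslash escapes, connection charset)."""
    sql = "SELECT id, name FROM items WHERE access_key = '%s'" % key.replace("'", "''")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, key: str) -> list:
    """Real bind parameter: the value never becomes part of the SQL text,
    so there is nothing to escape and no literal to break out of."""
    return conn.execute(
        "SELECT id, name FROM items WHERE access_key = ?", (key,)
    ).fetchall()


def demo() -> dict:
    """Run all three against a legitimate key and against the payload."""
    conn = make_db()
    return {
        "vulnerable/legit": lookup_vulnerable(conn, "123456"),
        "vulnerable/payload": lookup_vulnerable(conn, PAYLOAD),
        "escaped/payload": lookup_escaped(conn, PAYLOAD),
        "parameterized/payload": lookup_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:24s} -> {rows}")
```

Against the vulnerable builder the payload returns the attacker's row (13 and the count of wp_users-like tables) instead of nothing; the escaped and parameterized builders both return an empty result for the same input. The caveat behind Alice's point is visible in lookup_escaped: sprintf-plus-escaping is only as good as the escaping rule, which has to match the database dialect and the connection character set, whereas a bound parameter removes that dependency entirely. The length-based iptables block described in the quoted post catches this particular long payload but is a heuristic, not a fix.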


Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Leon Fauster
On 24.03.2016 at 04:21, Always Learning wrote:
> mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
> readline 5.1

Current version on C5 is mysql55, 5.0 does not get any updates anymore!

--
LF


___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos