Re: FW: [USN-1017-1] MySQL vulnerabilities

2010-11-15 Thread Johan De Meersman
I do hope you're not suggesting your database servers are publicly
accessible.

Mine are behind the firewall, completely blocked off from anything but the
application servers; and in most cases even behind a second firewall that
shields the backend network from the DMZ.

While any vulnerability is a bad thing, you'll first need to gain access to
the application servers before you can hope to get to the database servers.

Of course, if you get on the application servers, finding the passwords is
trivial; but in some cases, there's still a layer of presentation (web)
servers in front of the actual application servers. At that level, there's
mod_security, suhosin, maybe level-7 filtering on the firewall, et cetera.

Security, like ogres, is like onions: it has layers.


On Sun, Nov 14, 2010 at 10:22 PM, Daevid Vincent dae...@daevid.com wrote:

 I don't think you understand how many exploits work. Through some social
 engineering or plain brute force or rainbow tables I can get the user/pass
 for many typical users. I could also give you some code and tell you to run
 it and thereby my code is executed as an authenticated user without you
 even knowing it. And here's another statistic you might not be aware of --
 most hacking attempts are done BY people INSIDE a company, not external to
 it. It's extremely foolish and short-sighted to think that your system is
 safe unless it's in a glass jar and YOU are the ONLY user on it. Even
 then, YOUR account could be compromised too.

 -Original Message-
 From: Jan Steinman [mailto:j...@bytesmiths.com]
 Sent: Saturday, November 13, 2010 1:33 PM
 To: mysql@lists.mysql.com
 Subject: RE: FW: [USN-1017-1] MySQL vulnerabilities

  From: Daevid Vincent dae...@daevid.com
 
  my point exactly. there is NONE. and if you don't patch your mysql as
  needed, then you will need a lot more help when you're hacked. ;-p

 I note that the impact of every single one of these vulnerabilities was "An
 authenticated user could exploit this to make MySQL crash, causing a denial
 of service."

 That's a pretty low threat level. No mention was made of gaining or
 increasing access, nor of corrupting data.

 First, you need an authenticated user who is trying to exploit a
 vulnerability to cause denial of service.

 If you're allowing a publicly accessible pseudo-user to exploit such
 vulnerabilities through script injection, that's YOUR problem!

 If an authenticated user causes a MySQL crash on my system, they get
 de-authenticated pretty quickly. :-)

 
 No rational person can see how using up the topsoil or the fossil fuels as
 quickly as possible can provide greater security for the future, but if
 enough wealth and power can conjure up the audacity to say that it can, then
 sheer fantasy is given the force of truth; the future becomes reckonable as
 even the past has never been. -- Wendell Berry
  Jan Steinman, EcoReality Co-op 


 --
 MySQL General Mailing List
 For list archives: http://lists.mysql.com/mysql
 To unsubscribe:http://lists.mysql.com/mysql?unsub=dae...@daevid.com






-- 
Bier met grenadyn
Is als mosterd by den wyn
Sy die't drinkt, is eene kwezel
Hy die't drinkt, is ras een ezel
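
The thread turns on who can be an authenticated user and from where, so the setup Johan describes (database reachable only from the application servers) can be checked against the server's listener setting and account host patterns. The following is an added example, not code from any poster; the addresses, account names and sample data are constructed, and APP_SERVERS is an assumed allow-list.

```python
import configparser

# Constructed sample data (not from the thread): a my.cnf fragment and the
# (user, host) pairs an administrator would read from the mysql.user table.
SAMPLE_CNF = "[mysqld]\nbind-address = 0.0.0.0\nport = 3306\n"
SAMPLE_ACCOUNTS = [
    ("app", "10.0.2.11"), ("app", "10.0.2.12"), ("backup", "localhost"),
    ("report", "%"), ("legacy", "10.0.%"), ("dev", "192.168.7.40"),
]
APP_SERVERS = {"10.0.2.11", "10.0.2.12"}  # assumed application-server addresses
LOCAL = {"localhost", "127.0.0.1", "::1"}
ALL_INTERFACES = {"0.0.0.0", "*", "::"}

def listener_findings(cnf_text):
    """Report a mysqld that accepts TCP connections on every interface."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(cnf_text)
    mysqld = cp["mysqld"] if cp.has_section("mysqld") else {}
    if "skip-networking" in mysqld:      # no TCP listener at all
        return []
    bind = mysqld.get("bind-address")
    if bind is None or bind in ALL_INTERFACES:
        return ["mysqld listens on all interfaces (bind-address=%s)"
                % (bind or "unset")]
    return []

def account_findings(accounts, app_servers):
    """Report accounts that may authenticate from outside the app-server set."""
    findings = []
    for user, host in accounts:
        if host in LOCAL or host in app_servers:
            continue
        # MySQL treats % and _ in the host column as wildcards.
        if "%" in host or "_" in host:
            reason = "wildcard host pattern"
        else:
            reason = "host is not an application server"
        findings.append((user, host, reason))
    return findings

if __name__ == "__main__":
    for line in listener_findings(SAMPLE_CNF):
        print("LISTENER:", line)
    for user, host, reason in account_findings(SAMPLE_ACCOUNTS, APP_SERVERS):
        print("ACCOUNT: %s@%s -> %s" % (user, host, reason))
```
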


Re: Oracle imports into MySQL

2010-11-15 Thread Guido Schlenke
Hi Machiel,

I'm not sure if you like the method I use for Export from Oracle to MySQL 
databases:

You need an ODBC DSN for each, source and destination DB. Then you create an 
empty Access Database with a link to the Oracle Source table.

If the destination MySQL table doesn't yet exist, you can export the linked 
oracle table directly into the existing ODBC-DSN of the MySQL DB.
If (later on) the destination MySQL table exists, you can create an 
Add-Query that inserts selected rows from the Oracle table to the end of the 
MySQL table.

These actions could be placed into macros (Access 'autoexec' for example) 
and in scheduled jobs of your operating system (I hope it's Windows, because 
you didn't say anything about that).

If you don't like the Access built-in Visual Basic language, you can use any 
other programming language that has components to access ODBC databases 
like Borland/Embarcadero C++Builder/Delphi or Microsoft Visual C++ etc.

Hope this helps.

Guido

Machiel Richards machi...@rdc.co.za wrote in news post 
news:1289457988.2320.27.ca...@machielr-laptop...
 Good day all

I am hoping that someone has got some more answers for me on the
 topic as most of the websites which have not been very useful.

All websites I have found thus far refer to software that either
 needs to be bought or otherwise need to be run manually.


 One of our clients is currently running MySQL for their web based
 systems, however all other systems are running oracle.

There is a current data load process from oracle that generates a
 dump file of specific data, goes through a conversion process, gets
 imported into a mysql running on VM to test import, then gets pushed to
 MySQL production.

This process was put in place quite some time ago by developers.

 At some stage I read something about this process not being
 required from MySQL 5 onwards and data imports from oracle is less
 troublesome.


  The import process needs to run every 30 minutes and the current
 process is too troublesome.

We are busy planning a hardware migration for the systems and
 are also looking at improving these processes.

Does anybody have experience with this to perhaps provide me
 with some info on how we can improve this import process?

Any assistance will be appreciated.

 Regards
 Machiel
 







Compile error on MySQL 5.5.7 rc version,help!

2010-11-15 Thread Sharl Jimh Tsin

Hi, everyone:
I need your help, really!! This is already my second failed compile when 
building my own MySQL. The previous one was version 5.5.6 rc, now it is 5.5.7 rc.
My build environment is CentOS 5 x86, full name is Linux PowerPC 
2.6.18-194.8.1.el5.028stab070.5 #1 SMP Fri Sep 17 19:10:36 MSD 2010 i686 
i686 i386 GNU/Linux.


I download the last dev branch of version 5.5.x's source tarball from 
MySQL's http mirror, then unpack it.

This is my configure string:

[r...@powerpc mysql-5.5.7-rc]# ./configure \
 --prefix=/usr/local/mysql \
 --exec-prefix=/usr/local \
 --sysconfdir=/etc/sysconfig/mysql \
 --localstatedir=/var/run \
 --enable-profiling \
 --disable-largefile \
 --disable-ipv6 \
 --with-charset=utf8 \
 --with-extra-charsets=all \
 --with-unix-socket-path=/tmp/mysql.sock \
 --with-mysqld-user=mysql \
 --with-zlib-dir=bundled \
 --with-low-memory \
 --with-embedded-server \
 --without-geometry \
 --with-embedded-privilege-control \
 --without-docs \
 --without-man

No error or warning was reported at this step. Then I go on to MAKE it, and the 
errors below break it.


regex -I../../sql -I. -g -O2 -DUNIV_LINUX -MT mi_static.o -MD -MP -MF 
.deps/mi_static.Tpo -c -o mi_static.o mi_static.c

mi_static.c:40: error: conflicting types for ‘myisam_max_temp_length’
../../include/myisam.h:254: error: previous declaration of 
‘myisam_max_temp_length’ was here

make[2]: *** [mi_static.o] Error 1
make[2]: Leaving directory `/root/mysql-5.5.7-rc/storage/myisam'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/mysql-5.5.7-rc/storage'
make: *** [all-recursive] Error 1

What should I do now? Thanks for any tips.

--
Best regards,
Sharl.Jimh.Tsin (From China *Obviously Taiwan INCLUDED*)

