Re: FW: [USN-1017-1] MySQL vulnerabilities
You seem to see threats as a "black and white" problem. Put enough "what ifs" in front of a statement, and nothing anywhere has any security at all.

On 15 Nov 10, at 23:30, mysql-digest-h...@lists.mysql.com wrote:

> From: "Daevid Vincent"
> Date: 14 November 2010 13:22:02 PST
> To:
> Subject: RE: FW: [USN-1017-1] MySQL vulnerabilities
>
> I don't think you understand how many exploits work. Through some social
> engineering or plain brute force or rainbow tables I can get the user/pass
> for many typical users. I could also give you some code and tell you to run
> it and thereby my code is executed as an "authenticated user" without you
> even knowing it. And here's another statistic you might not be aware of --
> most "hacking" attempts are done BY people INSIDE a company, not external to
> it. It's extremely foolish and short-sighted to think that your system is
> safe unless it's in a "glass jar" and YOU are the ONLY user on it. Even
> then, YOUR account could be compromised too.

Thought is the sculptor who can create the person you want to be. -- Henry David Thoreau
Jan Steinman, EcoReality Co-op

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=arch...@jab.org
Re: FW: [USN-1017-1] MySQL vulnerabilities
I do hope you're not suggesting your database servers are publicly accessible. Mine are behind the firewall, completely blocked off from anything but the application servers; and in most cases even behind a second firewall that shields the backend network from the DMZ.

While any vulnerability is a bad thing, you'll first need to gain access to the application servers before you can hope to get to the database servers. Of course, if you get on the application servers, finding the passwords is trivial; but in some cases, there's still a layer of presentation (web) servers in front of the actual application servers. At that level, there's mod_security, suhosin, maybe level-7 filtering on the firewall, et cetera.

Security, like ogres, is like onions: it has layers.

On Sun, Nov 14, 2010 at 10:22 PM, Daevid Vincent wrote:

> I don't think you understand how many exploits work. Through some social
> engineering or plain brute force or rainbow tables I can get the user/pass
> for many typical users. I could also give you some code and tell you to run
> it and thereby my code is executed as an "authenticated user" without you
> even knowing it. And here's another statistic you might not be aware of --
> most "hacking" attempts are done BY people INSIDE a company, not external
> to it. It's extremely foolish and short-sighted to think that your system is
> safe unless it's in a "glass jar" and YOU are the ONLY user on it. Even
> then, YOUR account could be compromised too.
>
> -----Original Message-----
> From: Jan Steinman [mailto:j...@bytesmiths.com]
> Sent: Saturday, November 13, 2010 1:33 PM
> To: mysql@lists.mysql.com
> Subject: RE: FW: [USN-1017-1] MySQL vulnerabilities
>
> > From: "Daevid Vincent"
> >
> > my point exactly. there is NONE. and if you don't patch your mysql as
> > needed, then you will need a lot more help when you're hacked. ;-p
>
> I note that the impact of every single one of these vulnerabilities was "An
> authenticated user could exploit this to make MySQL crash, causing a denial
> of service."
>
> That's a pretty low threat level. No mention was made of gaining or
> increasing access, nor of corrupting data.
>
> First, you need an "authenticated user" who is trying to "exploit" a
> vulnerability to cause "denial of service."
>
> If you're allowing a publicly accessible pseudo-user to exploit such
> vulnerabilities through script injection, that's YOUR problem!
>
> If an "authenticated user" causes a "MySQL crash" on my system, they get
> de-authenticated pretty quickly. :-)
>
> No rational person can see how using up the topsoil or the fossil fuels as
> quickly as possible can provide greater security for the future, but if
> enough wealth and power can conjure up the audacity to say that it can, then
> sheer fantasy is given the force of truth; the future becomes reckonable as
> even the past has never been. -- Wendell Berry
> Jan Steinman, EcoReality Co-op

--
Beer with grenadine
Is like mustard with wine
She who drinks it is a prude
He who drinks it is soon a donkey
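Johan's point is that an "authenticated user" only matters if the account can be reached from somewhere an attacker can stand, so the grants themselves should be scoped to the application servers. The following is an added example, not code from anyone in this thread: it audits rows of the shape `SELECT User, Host, Super_priv FROM mysql.user` returns (the rows, the subnet 10.0.2.0/24 and all account names below are constructed) and flags accounts usable from outside the allowed network, hostname-based grants that the firewall cannot bound, and SUPER granted to non-local accounts.

```python
import ipaddress

# Constructed sample of rows as returned by
# SELECT User, Host, Super_priv FROM mysql.user  (not data from any real server).
SAMPLE_ACCOUNTS = [
    ("app", "10.0.2.%", "N"),                 # application-server subnet, wildcard form
    ("app", "10.0.2.0/255.255.255.0", "N"),   # same subnet, netmask form
    ("reporting", "%", "N"),                  # reachable from any host at all
    ("root", "localhost", "Y"),               # local only: acceptable
    ("deploy", "10.0.9.17", "Y"),             # outside the app subnet, and SUPER
    ("batch", "%.corp.example", "N"),         # bounded by reverse DNS, not by IP
]

LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")

def host_to_network(host):
    """Map a mysql.user Host value to an ip_network. Returns None for local-only
    entries; raises ValueError for hostname patterns that cannot be bounded by IP."""
    if host == "%":
        return ipaddress.ip_network("0.0.0.0/0")
    if host in LOCAL_HOSTS:
        return None
    octets = host.split(".")
    if octets[-1] == "%" and all(o.isdigit() for o in octets[:-1]):
        fixed = octets[:-1]                    # e.g. "10.0.2.%" -> 10.0.2.0/24
        addr = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return ipaddress.ip_network(f"{addr}/{8 * len(fixed)}", strict=False)
    return ipaddress.ip_network(host, strict=False)   # "a.b.c.d" or "a.b.c.d/mask"

def audit_accounts(rows, allowed_cidrs):
    """Return (user, host, reason) for every account that someone who has merely
    obtained a password could use from outside the allowed networks."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for user, host, super_priv in rows:
        try:
            net = host_to_network(host)
        except ValueError:
            findings.append((user, host, "hostname grant: bounded by DNS, not by the firewall"))
            net = None
        if net is not None and not any(
                a.version == net.version and net.subnet_of(a) for a in allowed):
            findings.append((user, host, "reachable from outside the application subnet"))
        if super_priv == "Y" and host not in LOCAL_HOSTS:
            findings.append((user, host, "SUPER granted to a non-local account"))
    return findings

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS, ["10.0.2.0/24"]):
        print("%-10s %-25s %s" % finding)
```

Run against a real server, feed it the actual `mysql.user` rows and the CIDR of your application tier; anything it prints is an account the firewall is not protecting.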
RE: FW: [USN-1017-1] MySQL vulnerabilities
I don't think you understand how many exploits work. Through some social engineering or plain brute force or rainbow tables I can get the user/pass for many typical users. I could also give you some code and tell you to run it and thereby my code is executed as an "authenticated user" without you even knowing it. And here's another statistic you might not be aware of -- most "hacking" attempts are done BY people INSIDE a company, not external to it. It's extremely foolish and short-sighted to think that your system is safe unless it's in a "glass jar" and YOU are the ONLY user on it. Even then, YOUR account could be compromised too.

-----Original Message-----
From: Jan Steinman [mailto:j...@bytesmiths.com]
Sent: Saturday, November 13, 2010 1:33 PM
To: mysql@lists.mysql.com
Subject: RE: FW: [USN-1017-1] MySQL vulnerabilities

> From: "Daevid Vincent"
>
> my point exactly. there is NONE. and if you don't patch your mysql as
> needed, then you will need a lot more help when you're hacked. ;-p

I note that the impact of every single one of these vulnerabilities was "An authenticated user could exploit this to make MySQL crash, causing a denial of service."

That's a pretty low threat level. No mention was made of gaining or increasing access, nor of corrupting data.

First, you need an "authenticated user" who is trying to "exploit" a vulnerability to cause "denial of service."

If you're allowing a publicly accessible pseudo-user to exploit such vulnerabilities through script injection, that's YOUR problem!

If an "authenticated user" causes a "MySQL crash" on my system, they get de-authenticated pretty quickly. :-)

No rational person can see how using up the topsoil or the fossil fuels as quickly as possible can provide greater security for the future, but if enough wealth and power can conjure up the audacity to say that it can, then sheer fantasy is given the force of truth; the future becomes reckonable as even the past has never been. -- Wendell Berry
Jan Steinman, EcoReality Co-op
RE: FW: [USN-1017-1] MySQL vulnerabilities
> From: "Daevid Vincent"
>
> my point exactly. there is NONE. and if you don't patch your mysql as
> needed, then you will need a lot more help when you're hacked. ;-p

I note that the impact of every single one of these vulnerabilities was "An authenticated user could exploit this to make MySQL crash, causing a denial of service."

That's a pretty low threat level. No mention was made of gaining or increasing access, nor of corrupting data.

First, you need an "authenticated user" who is trying to "exploit" a vulnerability to cause "denial of service."

If you're allowing a publicly accessible pseudo-user to exploit such vulnerabilities through script injection, that's YOUR problem!

If an "authenticated user" causes a "MySQL crash" on my system, they get de-authenticated pretty quickly. :-)

No rational person can see how using up the topsoil or the fossil fuels as quickly as possible can provide greater security for the future, but if enough wealth and power can conjure up the audacity to say that it can, then sheer fantasy is given the force of truth; the future becomes reckonable as even the past has never been. -- Wendell Berry
Jan Steinman, EcoReality Co-op
Re: FW: [USN-1017-1] MySQL vulnerabilities
On Fri, Nov 12, 2010 at 3:23 PM, Gael wrote:
> On Fri, Nov 12, 2010 at 4:12 PM, Daevid Vincent wrote:
>
>> my point exactly. there is NONE. and if you don't patch your mysql as
>> needed, then you will need a lot more help when you're hacked. ;-p
>>
>> http://lists.mysql.com/
>>

On May 21 they sent out an email about MySQL Server 5.0.91 being released. I for one read release notes for each point release and had a *very* busy night.

--
Rob Wultsch
wult...@gmail.com
Re: FW: [USN-1017-1] MySQL vulnerabilities
On Fri, Nov 12, 2010 at 4:12 PM, Daevid Vincent wrote:
> my point exactly. there is NONE. and if you don't patch your mysql as
> needed, then you will need a lot more help when you're hacked. ;-p
>
> http://lists.mysql.com/
>

Daevid,

You may want to read http://dev.mysql.com/tech-resources/articles/security_vulnerabilities.html

You can send feedback there.

Regards
--
Gael Martinez
RE: FW: [USN-1017-1] MySQL vulnerabilities
my point exactly. there is NONE. and if you don't patch your mysql as needed, then you will need a lot more help when you're hacked. ;-p

http://lists.mysql.com/

________________________________
From: vegiv...@gmail.com [mailto:vegiv...@gmail.com] On Behalf Of Johan De Meersman
Sent: Friday, November 12, 2010 12:18 PM
To: Daevid Vincent
Cc: mysql
Subject: Re: FW: [USN-1017-1] MySQL vulnerabilities

I suspect that that is because this is not a security list, but a general help list. If you want those things, you'll get them from either your vendor, bugtraq, or the mysql security-specific mailing list that undoubtedly exists somewhere. Don't ask me where, though - I'm not on it either :-)

On Fri, Nov 12, 2010 at 8:02 PM, Daevid Vincent wrote:

How come these kinds of notices are not sent to the mysql list? I realize this particular one is from Ubuntu, but the vulnerability is not ubuntu specific, it's mysql. Why aren't the mysql, er um, Oracle people more pro-active about letting us know these things?

--
Beer with grenadine
Is like mustard with wine
She who drinks it is a prude
He who drinks it is soon a donkey
Re: FW: [USN-1017-1] MySQL vulnerabilities
I suspect that that is because this is not a security list, but a general help list. If you want those things, you'll get them from either your vendor, bugtraq, or the mysql security-specific mailing list that undoubtedly exists somewhere. Don't ask me where, though - I'm not on it either :-)

On Fri, Nov 12, 2010 at 8:02 PM, Daevid Vincent wrote:
> How come these kinds of notices are not sent to the mysql list? I realize
> this particular one is from Ubuntu, but the vulnerability is not ubuntu
> specific, it's mysql. Why aren't the mysql, er um, Oracle people more
> pro-active about letting us know these things?
>

--
Beer with grenadine
Is like mustard with wine
She who drinks it is a prude
He who drinks it is soon a donkey