Re: Security issues
In infinite wisdom "Jerry Schwartz" wrote:

> Back when this was a day-to-day concern of mine, I used to check CERT's
> website (the section now known as their "Vulnerability Notes Database",
> http://www.kb.cert.org/vuls).

If securing the database is your job, then you really need to drink from the firehose that is called "full-disclosure".

-- 
Raj Shekhar - If there's anything more important than my ego around, I want it caught and shot now.

-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=arch...@jab.org
RE: Security issues
Back when this was a day-to-day concern of mine, I used to check CERT's website (the section now known as their "Vulnerability Notes Database", http://www.kb.cert.org/vuls). Unfortunately, I see that the last entry for MySQL is from years ago.

Regards,

Jerry Schwartz
Global Information Incorporated
195 Farmington Ave.
Farmington, CT 06032

860.674.8796 / FAX: 860.674.8341
www.the-infoshop.com
RE: Security issues
Good Morning Rob-

I agree with you that security is a very serious topic and should be addressed as such.

Please read the security alert page listed at tech-resources:
http://dev.mysql.com/tech-resources/articles/security_alert.html

I hope this addresses your question,
Martin Gainty
__
Disclaimer and confidentiality note

This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorized forwarding or copying of it is not permitted. This message serves only for the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept liability for their content.

This message is confidential and may be privileged. If you are not the intended recipient, we kindly ask you to inform the sender. Any unauthorized distribution or copying of it is prohibited. This message is for information only and has no legally binding effect. Since e-mails can easily be manipulated, we cannot accept any responsibility for the content provided.

> From: wult...@gmail.com
> Date: Mon, 24 May 2010 13:45:35 -0700
> Subject: Re: Security issues
> To: mgai...@hotmail.com
> CC: je...@gii.co.jp; mysql@lists.mysql.com
>
> On Mon, May 24, 2010 at 1:42 PM, Martin Gainty wrote:
> > Good Afternoon Rob-
> >
> > if you're implementing either glassfish or weblogic webserver
> > your "best fit solution" would be Oracle Identity Manager
> >
> > there are 'other' identity solutions such as RSA which are
> > 1)far more complex ..
> > 2)virtually hackproof..
> > at random intervals RSA implements an alternate encryption algorithm with an
> > alternate keysize
> >
> > RSA issues smart cards which contain sufficient biometric information
> > to authenticate you
> > (and pass the authentication token to the OS)
> >
> > does this help?
> > Martin Gainty
>
> I am explicitly not setting up identity solutions or anything else.
> All I want is a page from mysql which lists security issues and what
> versions are affected. I don't think that this is such an insane
> thought...
>
> --
> Rob Wultsch
> wult...@gmail.com
Re: Security issues
On Mon, May 24, 2010 at 1:42 PM, Martin Gainty wrote:
> Good Afternoon Rob-
>
> if you're implementing either glassfish or weblogic webserver
> your "best fit solution" would be Oracle Identity Manager
>
> there are 'other' identity solutions such as RSA which are
> 1)far more complex ..
> 2)virtually hackproof..
> at random intervals RSA implements an alternate encryption algorithm with an
> alternate keysize
>
> RSA issues smart cards which contain sufficient biometric information
> to authenticate you
> (and pass the authentication token to the OS)
>
> does this help?
> Martin Gainty

I am explicitly not setting up identity solutions or anything else. All I want is a page from mysql which lists security issues and what versions are affected. I don't think that this is such an insane thought...

-- 
Rob Wultsch
wult...@gmail.com
RE: Security issues
Good Afternoon Rob-

if you're implementing either glassfish or weblogic webserver your "best fit solution" would be Oracle Identity Manager

there are 'other' identity solutions such as RSA which are
1)far more complex ..
2)virtually hackproof..
at random intervals RSA implements an alternate encryption algorithm with an alternate keysize

RSA issues smart cards which contain sufficient biometric information to authenticate you (and pass the authentication token to the OS)

does this help?
Martin Gainty

> From: wult...@gmail.com
> Date: Mon, 24 May 2010 13:27:52 -0700
> Subject: Re: Security issues
> To: je...@gii.co.jp
> CC: mgai...@hotmail.com; mysql@lists.mysql.com
>
> On Mon, May 24, 2010 at 12:07 PM, Jerry Schwartz wrote:
> >>-----Original Message-----
> >>From: Rob Wultsch [mailto:wult...@gmail.com]
> >>Sent: Saturday, May 22, 2010 11:52 AM
> >>To: Martin Gainty
> >>Cc: mysql@lists.mysql.com
> >>Subject: Re: Security issues
> >>
> >>On Sat, May 22, 2010 at 5:44 AM, Martin Gainty wrote:
> >>> Good Morning Rob-
> >>>
> >>> one vulnerability (with UDFs)
> >>> http://dev.mysql.com/tech-resources/articles/security_alert.html
> >>>
> >>> a manager considering an enterprise-wide security solution may want
> >>> to consider Oracle Identity Manager (with Glassfish 3.2)
> >>> http://under-linux.org/en/content/oracle-introduces-schedule-for-glassfish-556/
> >>>
> >>> Does this help?
> >>> Martin Gainty
> >>
> >>Martin,
> >>
> >>Thank you for the reply.
> >>
> >>The guys across the street have a single page with cliff notes about
> >>every vulnerability affecting every supported version*. The page I
> >>noted was comprehensive. Martin, what you listed was a page with a
> >>single vuln and a page which looks like a product.
> >>
> > [JS] This is always a tough call for a software developer. On the one hand,
> > announcing an unfixed problem alerts users; but at the same time, it also
> > alerts abusers. Some companies go one way, some go the other.
> >
> > Regards,
> >
> > Jerry Schwartz
> > Global Information Incorporated
> > 195 Farmington Ave.
> > Farmington, CT 06032
> >
> > 860.674.8796 / FAX: 860.674.8341
> >
> I explicitly do not want a list of unfixed problems. I want a list of
> fixed issues and what versions are affected.
Re: Security issues
On Mon, May 24, 2010 at 12:07 PM, Jerry Schwartz wrote:
>>-----Original Message-----
>>From: Rob Wultsch [mailto:wult...@gmail.com]
>>Sent: Saturday, May 22, 2010 11:52 AM
>>To: Martin Gainty
>>Cc: mysql@lists.mysql.com
>>Subject: Re: Security issues
>>
>>On Sat, May 22, 2010 at 5:44 AM, Martin Gainty wrote:
>>> Good Morning Rob-
>>>
>>> one vulnerability (with UDFs)
>>> http://dev.mysql.com/tech-resources/articles/security_alert.html
>>>
>>> a manager considering an enterprise-wide security solution may want
>>> to consider Oracle Identity Manager (with Glassfish 3.2)
>>> http://under-linux.org/en/content/oracle-introduces-schedule-for-glassfish-556/
>>>
>>> Does this help?
>>> Martin Gainty
>>
>>Martin,
>>
>>Thank you for the reply.
>>
>>The guys across the street have a single page with cliff notes about
>>every vulnerability affecting every supported version*. The page I
>>noted was comprehensive. Martin, what you listed was a page with a
>>single vuln and a page which looks like a product.
>>
> [JS] This is always a tough call for a software developer. On the one hand,
> announcing an unfixed problem alerts users; but at the same time, it also
> alerts abusers. Some companies go one way, some go the other.
>
> Regards,
>
> Jerry Schwartz
> Global Information Incorporated
> 195 Farmington Ave.
> Farmington, CT 06032
>
> 860.674.8796 / FAX: 860.674.8341

I explicitly do not want a list of unfixed problems. I want a list of fixed issues and what versions are affected.
RE: Security issues
>-----Original Message-----
>From: Rob Wultsch [mailto:wult...@gmail.com]
>Sent: Saturday, May 22, 2010 11:52 AM
>To: Martin Gainty
>Cc: mysql@lists.mysql.com
>Subject: Re: Security issues
>
>On Sat, May 22, 2010 at 5:44 AM, Martin Gainty wrote:
>> Good Morning Rob-
>>
>> one vulnerability (with UDFs)
>> http://dev.mysql.com/tech-resources/articles/security_alert.html
>>
>> a manager considering an enterprise-wide security solution may want
>> to consider Oracle Identity Manager (with Glassfish 3.2)
>> http://under-linux.org/en/content/oracle-introduces-schedule-for-glassfish-556/
>>
>> Does this help?
>> Martin Gainty
>
>Martin,
>
>Thank you for the reply.
>
>The guys across the street have a single page with cliff notes about
>every vulnerability affecting every supported version*. The page I
>noted was comprehensive. Martin, what you listed was a page with a
>single vuln and a page which looks like a product.
>
[JS] This is always a tough call for a software developer. On the one hand, announcing an unfixed problem alerts users; but at the same time, it also alerts abusers. Some companies go one way, some go the other.

Regards,

Jerry Schwartz
Global Information Incorporated
195 Farmington Ave.
Farmington, CT 06032

860.674.8796 / FAX: 860.674.8341
www.the-infoshop.com
Re: Security issues
You could use CVE. Postgres's security page doesn't seem to sync with their CVE entries, even though they reference CVE entries on their comprehensive security page.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=postgresql
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql

JW

On Sat, May 22, 2010 at 10:51 AM, Rob Wultsch wrote:
> On Sat, May 22, 2010 at 5:44 AM, Martin Gainty wrote:
> > Good Morning Rob-
> >
> > one vulnerability (with UDFs)
> > http://dev.mysql.com/tech-resources/articles/security_alert.html
> >
> > a manager considering an enterprise-wide security solution may want
> > to consider Oracle Identity Manager (with Glassfish 3.2)
> > http://under-linux.org/en/content/oracle-introduces-schedule-for-glassfish-556/
> >
> > Does this help?
> > Martin Gainty
>
> Martin,
>
> Thank you for the reply.
>
> The guys across the street have a single page with cliff notes about
> every vulnerability affecting every supported version*. The page I
> noted was comprehensive. Martin, what you listed was a page with a
> single vuln and a page which looks like a product.
>
> The grass is looking pretty darn green on the other side of the street.
>
> *And they support all the way back to 7.4, which is equivalent to 4.1
> era. 2005 is not that long ago.
> --
> Rob Wultsch
> wult...@gmail.com

-- 
Johnny Withers
601.209.4985
joh...@pixelated.net
Re: Security issues
On Sat, May 22, 2010 at 5:44 AM, Martin Gainty wrote:
> Good Morning Rob-
>
> one vulnerability (with UDFs)
> http://dev.mysql.com/tech-resources/articles/security_alert.html
>
> a manager considering an enterprise-wide security solution may want
> to consider Oracle Identity Manager (with Glassfish 3.2)
> http://under-linux.org/en/content/oracle-introduces-schedule-for-glassfish-556/
>
> Does this help?
> Martin Gainty

Martin,

Thank you for the reply.

The guys across the street have a single page with cliff notes about every vulnerability affecting every supported version*. The page I noted was comprehensive. Martin, what you listed was a page with a single vuln and a page which looks like a product.

The grass is looking pretty darn green on the other side of the street.

*And they support all the way back to 7.4, which is equivalent to 4.1 era. 2005 is not that long ago.

-- 
Rob Wultsch
wult...@gmail.com
RE: Security issues
Good Morning Rob-

one vulnerability (with UDFs)
http://dev.mysql.com/tech-resources/articles/security_alert.html

a manager considering an enterprise-wide security solution may want to consider Oracle Identity Manager (with Glassfish 3.2)
http://under-linux.org/en/content/oracle-introduces-schedule-for-glassfish-556/

Does this help?
Martin Gainty

> From: wult...@gmail.com
> Date: Fri, 21 May 2010 22:50:06 -0700
> Subject: Security issues
> To: mysql@lists.mysql.com
>
> Given the rather serious recent bug fixes I have been thinking a good
> bit about security. Does MySQL AB/Sun/Oracle maintain a page similar
> to http://www.postgresql.org/support/security.html which lists
> security issues and what releases they affected?
>
> --
> Rob Wultsch
> wult...@gmail.com
Re: Security issues
On Wed, 2004-01-14 at 13:32, Chris W wrote:
> Are there many php or mysql configuration considerations for making the
> site secure? I have already done the obvious with my sql and set up the
> grant tables with passwords for all users and removed the [EMAIL PROTECTED] user.

Give the MySQL user you're using only the minimum permissions. I doubt your web app will need to ALTER table structures, for example.

I like to use privilege separation. In my code I have different MySQL users with different permissions. One might have read-write access (SELECT, INSERT, UPDATE etc.) and another has read-only. I then use these users appropriately throughout my code. For example, a script that searches a table uses the read-only user. Then no matter how clever the attacker is, they won't be able to DELETE all my data by exploiting that code.

John.

-- 
GPG: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047
URL: http://www.johnleach.co.uk
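As an added illustration of the privilege separation John describes (example SQL written for this page, not code from John's message or from MySQL's own documentation; the database, table, account names, host and passwords are assumptions), here are two accounts for one web application, with the read-only one reserved for anything that only searches or displays:

```sql
-- Added example: least-privilege accounts for a web application.
-- 'shop', 'webapp_ro', 'webapp_rw', 'app-host.example' and the passwords are
-- assumed names, not from the thread.

CREATE DATABASE IF NOT EXISTS shop;
CREATE TABLE IF NOT EXISTS shop.products (
  id    INT PRIMARY KEY AUTO_INCREMENT,
  name  VARCHAR(100)   NOT NULL,
  price DECIMAL(10, 2) NOT NULL
);

-- Read-only account: search and display scripts connect as this user.
-- The host part limits where the account may connect from.
CREATE USER 'webapp_ro'@'app-host.example' IDENTIFIED BY 'change-me-ro';
GRANT SELECT ON shop.* TO 'webapp_ro'@'app-host.example';

-- Read-write account: only scripts that must change data connect as this user.
-- Deliberately absent: DELETE, DROP, ALTER, CREATE, FILE, SUPER, GRANT OPTION.
CREATE USER 'webapp_rw'@'app-host.example' IDENTIFIED BY 'change-me-rw';
GRANT SELECT, INSERT, UPDATE ON shop.* TO 'webapp_rw'@'app-host.example';

-- Check: SHOW GRANTS prints exactly what each account can do, so a review can
-- confirm no extra privilege crept in.
SHOW GRANTS FOR 'webapp_ro'@'app-host.example';
SHOW GRANTS FOR 'webapp_rw'@'app-host.example';

-- Effect of the separation: a statement injected through the search script
-- runs on the read-only connection and is refused by the server.
-- Executed as webapp_ro:
--   DELETE FROM shop.products;
--   ERROR 1142 (42000): DELETE command denied to user
--   'webapp_ro'@'app-host.example' for table 'products'
```

The rule of thumb this encodes is that the privilege set of a connection bounds what any bug in the code using it can do: the search script never holds a DELETE-capable handle, so the refused statement at the end is the server enforcing the boundary regardless of how the input reached it. Re-run the two SHOW GRANTS statements after every deployment that touches accounts, since that output is the ground truth, not the application's configuration file.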
re: Re: Security issues with LOAD DATA
cardrdc> This also does not enable me to upload a data file. My resulting SQL
cardrdc> statement reads:
cardrdc> LOAD DATA LOCAL '/tmp/phpgPhl51' INTO TABLE test FIELDS TERMINATED BY ','
cardrdc> ENCLOSED BY '"' ESCAPED BY '\\' LINES TERMINATED BY '\r\n'
cardrdc> I have also tried:
cardrdc> LOAD DATA LOCAL INFILE '/tmp/phpgPhl51' INTO TABLE test FIELDS TERMINATED BY
cardrdc> ',' ENCLOSED BY '"' ESCAPED BY '\\' LINES TERMINATED BY '\r\n'

And? What did you get? Error or what?

cardrdc> My hosting provider claims that I have no choice in this matter because of
cardrdc> the security reference you have noted. However I find it hard to believe
cardrdc> that this privilege can't be granted on a user by user basis as you would
cardrdc> GRANT INSERT, DELETE...and so on.

File privilege for LOAD DATA is a global level privilege.

-- 
For technical support contracts, goto https://order.mysql.com/?ref=ensita
This email is sponsored by Ensita.net http://www.ensita.net/
Egor Egorov
[EMAIL PROTECTED]
MySQL AB / Ensita.net
www.mysql.com

-
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
Re: Security issues with LOAD DATA
This also does not enable me to upload a data file. My resulting SQL statement reads:

LOAD DATA LOCAL '/tmp/phpgPhl51' INTO TABLE test FIELDS TERMINATED BY ',' ENCLOSED BY '"' ESCAPED BY '\\' LINES TERMINATED BY '\r\n'

I have also tried:

LOAD DATA LOCAL INFILE '/tmp/phpgPhl51' INTO TABLE test FIELDS TERMINATED BY ',' ENCLOSED BY '"' ESCAPED BY '\\' LINES TERMINATED BY '\r\n'

My hosting provider claims that I have no choice in this matter because of the security reference you have noted. However I find it hard to believe that this privilege can't be granted on a user by user basis as you would GRANT INSERT, DELETE...and so on.

I am also puzzled that I have the ability to perform this task from the phpmyadmin utility provided with my hosting account.

Regards,
Chris

----- Original Message -----
From: "Egor Egorov" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 03, 2002 5:50 AM
Subject: re: Security issues with LOAD DATA

> Chris,
> Tuesday, December 03, 2002, 6:58:39 AM, you wrote:
>
> CW> I developed a PHP application where users can update a mySQL table using
> CW> LOAD DATA. Recently I installed this application on another web server where
> CW> the File Permissions have been set such that this method of uploading data
> CW> is no longer valid. Since phpMyAdmin is not an option I am trying to find an
> CW> alternative or workaround such that users can upload a comma delimited text
> CW> file containing the table records.
>
> If user doesn't have FILE privilege you can use LOAD DATA LOCAL, but
> in this case you should enable something:
> http://www.mysql.com/doc/en/LOAD_DATA_LOCAL.html
>
> --
> For technical support contracts, goto https://order.mysql.com/?ref=ensita
> This email is sponsored by Ensita.net http://www.ensita.net/
> Egor Egorov
> [EMAIL PROTECTED]
> MySQL AB / Ensita.net
> www.mysql.com
re: Security issues with LOAD DATA
Chris,
Tuesday, December 03, 2002, 6:58:39 AM, you wrote:

CW> I developed a PHP application where users can update a mySQL table using
CW> LOAD DATA. Recently I installed this application on another web server where
CW> the File Permissions have been set such that this method of uploading data
CW> is no longer valid. Since phpMyAdmin is not an option I am trying to find an
CW> alternative or workaround such that users can upload a comma delimited text
CW> file containing the table records.

If the user doesn't have the FILE privilege you can use LOAD DATA LOCAL, but in this case you should enable something:
http://www.mysql.com/doc/en/LOAD_DATA_LOCAL.html

-- 
For technical support contracts, goto https://order.mysql.com/?ref=ensita
This email is sponsored by Ensita.net http://www.ensita.net/
Egor Egorov
[EMAIL PROTECTED]
MySQL AB / Ensita.net
www.mysql.com
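As an added example that is not part of Egor's replies or of Chris's messages (account names, the host, the option-file fragment and the use of the test table are assumptions; the error texts are MySQL's standard responses for these two cases), here are the two routes this thread discusses side by side: the global FILE privilege behind server-side LOAD DATA INFILE, which is what Egor's "global level privilege" reply refers to, and LOAD DATA LOCAL INFILE, which needs no FILE privilege but has to be switched on:

```sql
-- Added example: the two privilege models behind LOAD DATA.
-- 'importer', 'uploader', 'localhost' and the option-file path are assumed
-- values, not from the thread.

-- 1. Server-side LOAD DATA INFILE reads a file that lives on the server host,
--    as the OS user mysqld runs as. It requires the FILE privilege, which is
--    a global privilege and therefore can only be granted ON *.*.
GRANT FILE ON *.* TO 'importer'@'localhost';

-- Trying to scope it to one database is rejected, which is exactly why the
-- hosting provider cannot hand it out per database:
--   GRANT FILE ON test.* TO 'importer'@'localhost';
--   ERROR 1221 (HY000): Incorrect usage of DB GRANT and GLOBAL PRIVILEGES

-- Because FILE lets the account read any file mysqld can read (and write
-- files as mysqld), confine it to one directory with secure_file_priv
-- (MySQL 5.1.17 and later). It is read-only at runtime, so it goes in the
-- server option file; the directory is an assumed value:
--   [mysqld]
--   secure_file_priv = /var/lib/mysql-files
SHOW VARIABLES LIKE 'secure_file_priv';

-- 2. LOAD DATA LOCAL INFILE reads the file on the client side and streams it
--    to the server, so the account needs only INSERT on the table, not FILE.
--    The server must have local_infile enabled (the provider's server in the
--    thread evidently does not), and the client library must allow it too.
SHOW VARIABLES LIKE 'local_infile';   -- OFF: the statement will be refused
SET GLOBAL local_infile = 1;          -- needs SUPER (SYSTEM_VARIABLES_ADMIN in 8.0)

GRANT INSERT ON test.* TO 'uploader'@'localhost';

-- Chris's second statement, the one that includes the INFILE keyword his
-- first attempt lacked, run as 'uploader':
LOAD DATA LOCAL INFILE '/tmp/phpgPhl51'
  INTO TABLE test
  FIELDS TERMINATED BY ',' ENCLOSED BY '"' ESCAPED BY '\\'
  LINES TERMINATED BY '\r\n';

-- With local_infile still OFF on the server, the response is:
--   ERROR 1148 (42000): The used command is not allowed with this MySQL version
```

Two points for whoever operates the server. FILE is global because it is effectively "read and write as the mysqld user anywhere on the server host", so secure_file_priv and a dedicated import account are the controls, not a per-database grant that the privilege system does not offer. LOCAL has its own cost on the client side: in that protocol the server names the file and the client sends it, so a client with local_infile enabled that connects to a hostile or compromised server can be made to hand over any file the client process can read. That is why client libraries ship with it off and why it belongs enabled only in the specific import client (for the command-line tool, the --local-infile=1 option) rather than globally.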