Posts Tagged ‘Security’

MariaDB Server GA’s supported for 5 years

There was some discussion a while back to maybe make MariaDB Server follow the Ubuntu release model, i.e. having a Long Term Release (LTS) and then having a few regular fast releases with a shorter support cycle.

However, it's good to note that the decision going forward is to support each and every GA release for a period of five (5) years. Regular releases will only happen for the latest three (3) GA releases, so at this moment you are getting updates for MariaDB Server 5.5/10.0/10.1.

Practically, we've not seen an update for 5.1/5.2/5.3 since 30 Jan 2013 at the time of this writing. And it's clear MariaDB Server 5.5 will have an extended support policy, as it ships in Red Hat Enterprise Linux 7.

At this time it’s worth noting that for MySQL 5.5, premier support ends December 2015, while there is extended support till December 2018.

Voting for talks at the Percona Live Data Performance Conference 2016

So this year the Percona Live conference has a new name – it is the "Data Performance Conference" (presumably for a much broader appeal and the fact that Percona is now in the MongoDB world as well). And the next new thing to note? You have to go through a process of "community voting", i.e. the speaker has to promote their talks beforehand via their own channels to see how many votes they can get (we tried this before at the MySQL & Friends Devroom at FOSDEM; in this case, please remember you also need to create a new account and actually vote while logged in).

I hope you vote for Sergei, Monty and my proposals!

  1. Using and Managing MariaDB – a tutorial, which has been referred to as The Complete MariaDB Server tutorial; I thought I would change the name up a little, in addition to the content. The most recent version of this tutorial was given at the Percona Live Conference in Santa Clara in 2015 (slides). Since then we've released MariaDB Server 10.1, and there are many more new things to talk about!
  2. MariaDB 10.1 – What’s New? – a talk that would have Michael “Monty” Widenius (creator of MySQL and MariaDB) and me give it together. I’ve described this as a dance, and the last time we did this was at Percona Live Amsterdam. The content will of course be new, and I am creating the slide deck this time around.
  3. Databases in the Hosted Cloud – this is a pet talk. It costs some money to make, and if accepted I plan to also showcase who has better performing hosted databases. I did this at Percona Live Amsterdam 2015 (slides), but since then we’ve seen Amazon offering MariaDB Server as part of RDS, HPCloud being sunset, and also Rackspace upping their offering with High Availability Databases. More research to be done from now till then!
  4. Best Practices for MySQL High Availability – this would be another tutorial, and at Percona Live Amsterdam 2015 it had the highest registered attendance (Kortney told me the day before and I removed all practicals, since 100+ people with practicals is impossible for one person to manage – slides). I think with the changes in NDBCLUSTER (recently announced at OpenWorld), the addition of tools in the MHA world (mha-helper), this should have a lot of new information (and more importantly a lot of new things to play with).
  5. Choosing a MySQL HA solution today – a talk based on the above tutorial, cut short, to ensure people who are not at tutorial day will have solutions to think about and take home for implementation in the future.
  6. MariaDB/MySQL security essentials – a talk which focuses on improvements in MariaDB Server 10.1, and MySQL 5.6/5.7, including encryption at rest, easier SSL setup for replication topologies, and even external authentication plugins (eg. Kerberos is almost ready – see MDEV-4691).
  7. The MySQL Server Ecosystem in 2016 – a talk about MySQL and the forks around it, including the private trees that exist (some like the Twitter tree haven’t been updated in a while, but clearly have made inroads in giving us new features). Learn what to use, and what is the best one for your use case. 
  8. MariaDB Connectors: Fast and Smart with the new protocol optimizations – a talk from Sergei Golubchik, about new protocol optimisations in MariaDB Server, as well as how we optimise this from the connectors.
  9. MariaDB 10.1 Security: Validation, Authentication, Encryption – a talk from Sergei Golubchik focusing on MariaDB 10.1 security improvements; he’s got some amazing slides on encryption that I saw at Percona Live Amsterdam, and you can see a five-minute lightning version from the meetup.

Here’s to happy voting and I hope to give at least some of these talks (if not all!).

On-disk/block-level encryption for MariaDB

I don't normally quote The Register, but I was clearing tabs and found this article: 350 DBAs stare blankly when reminded super-users can pinch data. It is an interesting read, telling you that there are many Snowdens in waiting, possibly even in your organisation.

From a MariaDB standpoint, you probably already read that column-level encryption as well as block-level encryption for some storage engines are likely to come to MariaDB 10.1 via a solution by Eperi. However, with some recent breaking news, Google is also likely to do this – see this thread about MariaDB encryption on maria-discuss.

Google has already developed on-disk/block-level encryption for InnoDB, Aria (for temporary tables), binary logs and temporary files. The code isn't published yet, but that will likely happen soon: a clear benefit of open-source development principles.

Elsewhere, if you’re trying to ensure good policies for users, don’t forget to start with the audit plugin and roles.

2-factor authentication and time

I use Google Authenticator for 2-factor authentication for some of the services I access. I had trouble accessing some of my sites due to getting an invalid token, and I was wondering what was going on.

Turns out, the time on my phone was off. You need to let the network set the time, and you will suddenly be generating sensible codes again. This is documented for Android (you can do this within the app), but on iOS it is a system-wide setting.

Security fixes in MySQL & critical patch updates

This is the third time MySQL has made an entry into the Oracle Critical Patch Update Advisory service. The first time, we at Team MariaDB came up with an analysis: Oracle’s 27 MySQL security fixes and MariaDB.

Security is important to a DBA. Having vague explanations does no one any good. Even Oracle ACE Director Ronald Bradford chooses to ask some tough questions on this issue. Recently we found a bug in MySQL & MariaDB and did some responsible disclosure as well.

Security is a big deal to distributions shipping MySQL. It comes alongside having a good, accessible bugs system. Recall a discussion a while back about possibly even replacing MySQL with MariaDB (this led to a fun discussion and a long meeting at UDS Oakland to ensure choice).

These discussions always come back. Today on the Debian mailing list, the suggestion popped back up again. I’m sure it will pop up again in October when the next CPU includes some fixes in MySQL…

What is Oracle going to do about this? Will it start being more open (not with a select few folk, but with the wider community)?

MySQL with yaSSL vulnerability

It's worth noting that if you're using MySQL 5.0/5.1 with SSL enabled, and you're using yaSSL as opposed to OpenSSL, you're vulnerable to CVE-2009-4484. It's a buffer overflow that works over TCP, via the MySQL port, 3306. Lenz furnished us with some information, and the patch is available. You'll see this rocking when MySQL 5.1.43 gets released.

It affects Debian (presumably, it will also affect Ubuntu). Red Hat/CentOS is spared, because instead of using yaSSL, OpenSSL is used.

MariaDB 5.1.41-rc (based on MySQL 5.1.41), which was released just a few days ago, is naturally also affected. The next release candidate might potentially be rebased against 5.1.42 (the builds are already ready, from what I understand), and will include this patch.

Some yaSSL trivia: did you know that one of the two co-founders of the project is actually Larry Stefonic? Larry was an early MySQL AB employee, holding quite a few positions at MySQL AB; he was the President of MySQL KK (the Japanese branch), and was also SVP for worldwide OEM sales!
