Security issues

on 22.05.2010 07:50:06 by Rob Wultsch

Given the rather serious recent bug fixes I have been thinking a good
bit about security. Does MySQL AB/Sun/Oracle maintain a page similar
to http://www.postgresql.org/support/security.html which lists
security issues and what releases they affected?

--
Rob Wultsch
wultsch@gmail.com

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=gcdmg-mysql-2@m.gmane.org

RE: Security issues

on 22.05.2010 14:44:31 by Martin Gainty

Good Morning Rob-

one vulnerability (with UDFs)

http://dev.mysql.com/tech-resources/articles/security_alert.html


a manager considering an enterprise-wide security solution may want to consider Oracle Identity Manager (with Glassfish 3.2)

http://under-linux.org/en/content/oracle-introduces-schedule-for-glassfish-556/

Does this help?
Martin Gainty
______________________________________________
Disclaimer and confidentiality note

This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorised forwarding or copying is prohibited. This message serves solely for the exchange of information and has no legally binding effect. Because e-mails are easily manipulated, we cannot accept any liability for their content.




Re: Security issues

on 22.05.2010 17:51:44 by Rob Wultsch

On Sat, May 22, 2010 at 5:44 AM, Martin Gainty wrote:
> Good Morning Rob-
>
> one vulnerability (with UDFs)
> http://dev.mysql.com/tech-resources/articles/security_alert.html
>
> a manager considering an enterprise-wide security solution may want
> to consider Oracle Identity Manager (with Glassfish 3.2)
> http://under-linux.org/en/content/oracle-introduces-schedule-for-glassfish-556/
>
> Does this help?
> Martin Gainty

Martin,

Thank you for the reply.

The guys across the street have a single page with cliff notes about
every vulnerability affecting every supported version*. The page I
noted was comprehensive. Martin, what you listed was a page with a
single vuln and a page which looks like a product.

The grass is looking pretty darn green on the other side of the street.

*And they support all the way back to 7.4, which is equivalent to 4.1
era. 2005 is not that long ago.
--
Rob Wultsch
wultsch@gmail.com


Re: Security issues

on 23.05.2010 02:35:39 by Johnny Withers

You could use CVE. Postgres's security page doesn't seem to sync with their
CVE entries, even though they reference CVE entries on their comprehensive
security page.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=postgresql

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql

JW


--
-----------------------------
Johnny Withers
601.209.4985
johnny@pixelated.net

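Johnny's CVE keyword search and Rob's request come down to the same operational question: given the server version that is actually running, which already-fixed issues is it missing, and what is the earliest release on its branch that carries all of them? The Python below is an added example written for this page; it is not code from the thread, from MySQL, or from any advisory source. Every advisory record in it is a constructed placeholder: the EXAMPLE-000n identifiers, the summaries and the branch/fix version numbers are invented for illustration and describe no real vulnerability. To use it for real, replace SAMPLE_ADVISORIES with entries transcribed from the vendor's release notes or from the CVE entries Johnny links to.

```python
"""Match a running MySQL server version against a list of fixed security
issues, each with the branch(es) it touched and the release that fixed it.

The advisory records below are CONSTRUCTED sample data for illustration only:
the identifiers are placeholders, not real CVEs or MySQL advisories.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Leading "major.minor.patch"; suffixes such as "-log", "-m3" or
# "-enterprise-gpl" that mysqld reports in VERSION() are ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """'5.1.46-log' -> (5, 1, 46). Raises ValueError on anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


@dataclass(frozen=True)
class Fix:
    branch: tuple     # e.g. (5, 1) for the 5.1.x series
    fixed_in: tuple   # first release on that branch containing the fix


@dataclass(frozen=True)
class Advisory:
    ident: str
    summary: str
    fixes: tuple      # one Fix per branch that shipped a fix

    def affects(self, version: tuple) -> bool:
        """True if `version` is on a branch this issue touched and predates
        the fix there. A branch with no recorded fix is treated as unaffected
        (the optimistic reading); change the final `return False` to
        `return True` if you would rather be warned about uncovered branches."""
        for fix in self.fixes:
            if version[:2] == fix.branch:
                return version < fix.fixed_in
        return False


# Constructed sample advisories (placeholder identifiers, not real CVEs).
SAMPLE_ADVISORIES = (
    Advisory("EXAMPLE-0001", "privilege check bypass in a DDL statement",
             (Fix((5, 0), (5, 0, 90)), Fix((5, 1), (5, 1, 45)))),
    Advisory("EXAMPLE-0002", "crash on malformed client packet",
             (Fix((5, 1), (5, 1, 47)),)),
    Advisory("EXAMPLE-0003", "UDF library path restriction bypass",
             (Fix((4, 1), (4, 1, 25)), Fix((5, 0), (5, 0, 88)),
              Fix((5, 1), (5, 1, 41)))),
)


def unfixed_issues(server_version: str,
                   advisories: Iterable[Advisory] = SAMPLE_ADVISORIES) -> list:
    """Identifiers of advisories whose fix is missing from `server_version`."""
    v = parse_version(server_version)
    return [a.ident for a in advisories if a.affects(v)]


def oldest_safe_release(server_version: str,
                        advisories: Iterable[Advisory] = SAMPLE_ADVISORIES
                        ) -> Optional[str]:
    """Lowest release on the server's own branch that carries every listed
    fix, or None if no advisory covers that branch at all."""
    v = parse_version(server_version)
    targets = [f.fixed_in for a in advisories for f in a.fixes
               if f.branch == v[:2]]
    if not targets:
        return None
    return ".".join(str(x) for x in max(targets))


if __name__ == "__main__":
    # Constructed inputs; in practice feed it the output of SELECT VERSION().
    for ver in ("5.1.46-log", "5.0.91", "4.1.20", "5.5.3-m3"):
        print(ver, "-> missing:", unfixed_issues(ver),
              "| minimum patched release:", oldest_safe_release(ver))
```

Run as-is, the constructed 5.1.46 case reports one missing fix with 5.1.47 as the first release that has everything, 5.0.91 and 4.1.20 fall on either side of their branch's fixes, and the 5.5 pre-release comes back empty with `None` because nothing in the sample covers that branch; that last case is exactly the gap Rob is complaining about, and the `affects` switch decides whether silence means "safe" or "unknown".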

RE: Security issues

on 24.05.2010 21:07:58 by Jerry Schwartz

>-----Original Message-----
>From: Rob Wultsch [mailto:wultsch@gmail.com]
>Sent: Saturday, May 22, 2010 11:52 AM
>To: Martin Gainty
>Cc: mysql@lists.mysql.com
>Subject: Re: Security issues
>
>On Sat, May 22, 2010 at 5:44 AM, Martin Gainty wrote:
>> Good Morning Rob-
>>
>> one vulnerability (with UDFs)
>> http://dev.mysql.com/tech-resources/articles/security_alert. html
>>
>> a manager considering a enterprise-wide security solution may want
>> to consider Oracle Identity Manager (with Glassfish 3.2)
>> http://under-linux.org/en/content/oracle-introduces-schedule-for-glassfish-556/
>>
>> Does this help?
>> Martin Gainty
>
>Martin,
>
>Thank you for the reply.
>
>The guys across the street have a single page with cliff notes about
>every vulnerability affecting every supported version*. The page I
>noted was comprehensive. Martin, what you listed was a page with a
>single vuln and a page which looks like a product.
>
[JS] This is always a tough call for a software developer. On the one hand,
announcing an unfixed problem alerts users; but at the same time, it also
alerts abusers. Some companies go one way, some go the other.

Regards,

Jerry Schwartz
Global Information Incorporated
195 Farmington Ave.
Farmington, CT 06032

860.674.8796 / FAX: 860.674.8341

www.the-infoshop.com

Re: Security issues

on 24.05.2010 22:27:52 by Rob Wultsch

On Mon, May 24, 2010 at 12:07 PM, Jerry Schwartz wrote:
>>-----Original Message-----
>>From: Rob Wultsch [mailto:wultsch@gmail.com]
>>Sent: Saturday, May 22, 2010 11:52 AM
>>To: Martin Gainty
>>Cc: mysql@lists.mysql.com
>>Subject: Re: Security issues
>>
>>On Sat, May 22, 2010 at 5:44 AM, Martin Gainty wrote:
>>> Good Morning Rob-
>>>
>>> one vulnerability (with UDFs)
>>> http://dev.mysql.com/tech-resources/articles/security_alert. html
>>>
>>> a manager considering a enterprise-wide security solution may want
>>> to consider Oracle Identity Manager (with Glassfish 3.2)
>>> http://under-linux.org/en/content/oracle-introduces-schedule-for-glassfish-556/
>>>
>>> Does this help?
>>> Martin Gainty
>>
>>Martin,
>>
>>Thank you for the reply.
>>
>>The guys across the street have a single page with cliff notes about
>>every vulnerability affecting every supported version*. The page I
>>noted was comprehensive. Martin, what you listed was a page with a
>>single vuln and a page which looks like a product.
>>
> [JS] This is always a tough call for a software developer. On the one hand,
> announcing an unfixed problem alerts users; but at the same time, it also
> alerts abusers. Some companies go one way, some go the other.
>
> Regards,
>
> Jerry Schwartz
> Global Information Incorporated
> 195 Farmington Ave.
> Farmington, CT 06032
>
> 860.674.8796 / FAX: 860.674.8341


I explicitly do not want a list of unfixed problems. I want a list of
fixed issues and what versions are affected.


RE: Security issues

on 24.05.2010 22:42:40 by Martin Gainty

Good Afternoon Rob-

if you're implementing either glassfish or weblogic webserver
your "best fit solution" would be Oracle Identity Manager

there are 'other' identity solutions such as RSA which are

1)far more complex ..
2)virtually hackproof..
at random intervals RSA implements an alternate encryption algorithm with an alternate keysize


RSA issues smart cards which contain sufficient biometric information to authenticate you
(and pass the authentication token to the OS)

does this help?
Martin Gainty




Re: Security issues

on 24.05.2010 22:45:35 by Rob Wultsch

On Mon, May 24, 2010 at 1:42 PM, Martin Gainty wrote:
> Good Afternoon Rob-
>
> if you're implementing either glassfish or weblogic webserver
> your "best fit solution" would be Oracle Identity Manager
>
> there are 'other' identity solutions such as RSA which are
> 1)far more complex ..
> 2)virtually hackproof..
> at random intervals RSA implements an alternate encryption algorithm with an
> alternate keysize
>
> RSA issues smart cards which contain sufficient biometric information
> to authenticate you
> (and pass the authentication token to the OS)
>
> does this help?
> Martin Gainty

I am explicitly not setting up identity solutions or anything else.
All I want is a page from mysql which lists security issues and what
versions are affected. I don't think that this is such an insane
thought...


--
Rob Wultsch
wultsch@gmail.com


RE: Security issues

on 25.05.2010 12:29:54 by Martin Gainty

Good Morning Rob-

I agree with you that security is a very serious topic and should be addressed as such

Please read the security alert page listed at tech-resources

http://dev.mysql.com/tech-resources/articles/security_alert.html


I hope this addresses your question,
Martin Gainty

RE: Security issues

on 25.05.2010 16:03:28 by Jerry Schwartz

Back when this was a day-to-day concern of mine, I used to check CERT's
website (the section now known as their "Vulnerability Notes Database",
http://www.kb.cert.org/vuls). Unfortunately, I see that the last entry for
MySQL is from years ago.

Regards,

Jerry Schwartz
Global Information Incorporated
195 Farmington Ave.
Farmington, CT 06032

860.674.8796 / FAX: 860.674.8341

www.the-infoshop.com

Re: Security issues

on 29.05.2010 04:49:36 by rajlist

In infinite wisdom "Jerry Schwartz" wrote:

> Back when this was a day-to-day concern of mine, I used to check CERT's
> website (the section now known as their "Vulnerability Notes Database",
> http://www.kb.cert.org/vuls).

If securing the database is your job, then you really need to drink from
the firehose that is called "full-disclosure".

--
Raj Shekhar
-
If there's anything more important than my ego around, I want it
caught and shot now.


