Oracle has released the Critical Patch Update (CPU) for July
2014. The Oracle MySQL Risk Matrix lists 10 security
fixes.
It took me some time to understand the subcomponent names. So
here is the list with the full name of each subcomponent:
| Subcomponent | Full name |
| SRFTS | Server: Full Text Search |
| SRINFOSC | Server: INFORMATION_SCHEMA |
| SRCHAR | Server: Character sets |
| ENARC | Engine: Archive |
| SROPTZR | Server: Optimizer |
Call for papers for Percona
Live London 2014 is open. For the fourth consecutive year,
PLUK is going to be one of the best community event in
Europe.
I have the honour of being conference committee chairman and the
hard task to reviewing the talks with my colleagues of the
committee.
First, let me introduce the committee members:
Amazing, isn’t it?! I think we couldn’t have a better
committee for a community event.
I’m very glad to take part in the adventure with you guys!
And if you wonder what the committee does, …
[Read more]Most MySQL-ers quickly learn to move logs out of the data directory. Hopefully the logs are being written to a different disk, on a different controller than where the data is being kept. The horror of finding you database server dead to the world because the single partition used for everything was filled up by the error log should be a thing of the past. MySQL 5.7 will give DBAs better control of log files,
As of 5.7.2, we have gained the ability to control the verbosity
of error messages with log_error_verbosity. This
system variable controls verbosity in writing error, warning, and
note messages to the error log. A value of 1 provides errors
only, 2 adds warnings, and 3 adds notes. The default value is 3.
And with that with level 3, aborted connections and access-denied
errors for new connection attempts are written to the error log.
The good ol’ log_warnings is being deprecated in
favor of the added …
I don’t normally quote The Register, but I was clearing tabs and found this article: 350 DBAs stare blankly when reminded super-users can pinch data. It is an interesting read, telling you that there are many Snowden’s in waiting, possibly even in your organisation.
From a MariaDB standpoint, you probably already read that column level encryption as well as block level encryption for some storage engines are likely to come to MariaBD 10.1 via a solution by Eperi. However with some recent breaking news, Google is also likely to do this – see this thread about …
[Read more]Keeping user account details secure is always at the forefront of a Database Administrator's mind. However, users want to get up and running as soon as possible without complex login procedures.
You can learn more about this and many other topics in the MySQL for Database Administrator course.
For example, MySQL 5.6.6 introduced a new utility: mysql_config_editor, which makes secure access via MySQL client applications much easier to establish, while still providing a good measure of security.
The mysql_config_editor stores a user's authentication details in an encrypted login file called mylogin.cnf. This login file is readable and writable for the user who invokes the utility, and invisible to everyone else. You can use it to collect all your …
[Read more]A series of related discussions triggered by difficulty in setting passwords via scripts using the mysql command-line client when an account has an expired password caused me to look into the interaction between expired passwords and batch mode, and this blog post resulted. I hope it’s a useful explanation of the behavior and the workaround to those troubled by it, and amplifies the excellent documentation in the user manual.
The ability to flag accounts as having expired passwords first appeared in MySQL 5.6, with further …
[Read more]Database auditing is the monitoring of selected actions of database users. It doesn’t protect the database in case privileges are set incorrectly, but it can help the administrator detect mistakes.
Audits are needed for security. You can track data access and be alerted to suspicious activity. Audits are required for data integrity. They are the only way to validate that changes made to data are correct and legal.
There are several regulations that require database audits:
MySQL …
[Read more]Howto run privacyIDEA with Apache2 and MySQL On Ubuntu 14.04 LTS
We use the latest 1.0dev0of privacyIDEA. It is available via the python package index or via github.
MySQL 5.7.4 has added two fields to the mysql.user table — password_last_changed, a timestamp and password_lifetime, a small but unsigned integer. Several blogs ago I started to cobble together a password expiration tracking script before these two columns were added. But I could see three ways of tracking expired passwords but none of them were palatable. Todd Farmer was working on a similar idea.
So when you run mysql_upgrade after upgrading to 5.7.4, you will find these two new columns. The password_last_changed will be set to the time you ran the upgrade and password_lifetime will be set to null.
You can set global password lifetime policy in the options
file.
[mysqld]
default_password_lifetime=180
So 180 is about six months and zero would set a never expire …
April 10, 2014 By Severalnines
In the wake of recent concerns and debates raised around the Heartbleed bug, we wanted to update Severalnines ClusterControl users on any impact this bug might have on ClusterControl & associated databases and/or applications.
Background
If your ClusterControl's web application has been accessible on the internet, then most likely you have also been exposed to the Heartbleed OpenSSL security bug, see: http://heartbleed.com for more details.
By default, our database deployment script enables SSL encryption for the Apache web server on the Controller host with a generated private SSL key and a self-signed certificate. SSL encryption is used between the UI and the Controller REST API if you have clusters added with HTTPS, which we do by default. The content that is encrypted …
[Read more]