Author - David Busby

Critical Update for Percona Server for MySQL 5.6.44-85.0

Percona Server for MySQL 8.0

This is a CRITICAL update and the fix mitigates the issues described in CVE-2019-12301. If you upgraded packages on Debian/Ubuntu to 5.6.44-85.0-1, please upgrade to 5.6.44-85.0-2 or later and reset all MySQL root passwords.
 
Issue
On 2019-05-18 Percona discovered an issue with the Debian/Ubuntu 5.6.44-85.0-1 packages for Percona Server for MySQL. When the previous versions, […]

Read more

Upcoming Webinar Thurs 3/14: Web Application Security – Why You Should Review Yours

Please join Percona’s Information Security Architect, David Bubsy, as he presents his talk Web Application Security – Why You Should Review Yours on March 14th, 2019 at 6:00 AM PDT (UTC-7) / 9:00 AM EDT (UTC-4).
Register Now
In this talk, we take a look at the whole stack and I don’t just mean LAMP.
We’ll cover […]

Read more

Deprecation of TLSv1.0 2019-02-28

end of Percona support for TLS1.0

Ahead of the PCI move to deprecate the use of ‘early TLS’, we’ve previously taken steps to disable TLSv1.0.
Unfortunately at that time we encountered some issues which led us to rollback these changes. This was to allow users of operating systems that did not – yet – support TLSv1.1 or higher to download Percona packages over […]

Read more

Percona Responds to MySQL LOCAL INFILE Security Issues

LOCAL INFILE Security

In this post, we’ll cover Percona’s thoughts about the current MySQL community discussion happening around MySQL LOCAL INFILE security issues.
This post is released given the already public discussion of this particular issue, with the exploitation code currently redacted to ensure forks of MySQL client libraries have sufficient time to implement their response strategies.
This post […]

Read more

Another Day, Another Data Leak

another day another data leak Exactis

In the last few days, there has been information released about yet another alleged data leak, placing in jeopardy “…[the] personal information on hundreds of millions of American adults, as well as millions of businesses.” In this case, the “victim” was Exactis, for whom data collection and data security are core business functions.
Some takeaways […]

Read more

MySQL Ransomware: Open Source Database Security Part 3

MySQL Ransomware

This blog post examines the recent MySQL® ransomware attacks, and what open source database security best practices could have prevented them.
Unless you’ve been living under a rock, you know that there has been an uptick in ransomware for MongoDB and Elasticsearch deployments. Recently, we’re seeing the same for MySQL.
Let’s look and see if this is MySQL’s fault.
Other […]

Read more

Docker Security Vulnerability CVE-2016-9962

CVE-2018-19039

Docker 1.12.6 was released to address CVE-2016-9962. CVE-2016-9962 is a serious vulnerability with RunC.
Quoting the coreos page (linked above):
“RunC allowed additional container processes via runc exec to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes […]

Read more

CVE-2016-6225: Percona Xtrabackup Encryption IV Not Being Set Properly

Pepper.com

If you are using Percona XtraBackup with
xbcrypt to create encrypted backups, and are using versions older than 2.3.6 or 2.4.5, we advise that you upgrade Percona XtraBackup.
Note: this does not affect encryption of encrypted InnoDB tables.
CVE-2016-6225
Percona XtraBackup versions older than 2.3.6 or 2.4.5 suffered an issue of not properly setting the Initialization Vector (IV) for encryption. This could […]

Read more

Percona responds to CVE-2016-6663 and CVE-2016-6664

CVE-2016-9962

Percona has addressed CVE-2016-6663 and CVE-2016-6664 in releases of Percona Server for MySQL and Percona XtraDB Cluster.
Percona is happy to announce that the following vulnerabilities are fixed in current releases of Percona Server for MySQL and Percona XtraDB Cluster:

CVE-2016-6663: allows a local system user with access to the affected database in the context of a […]

Read more

Percona Server Critical Update CVE-2016-6662

CVE-2018-19039

This blog is an announcement for a Percona Server update with regards to CVE-2016-6662.
We have added a fix for CVE-2016-6662 in the following releases:

Percona Server 5.5.51-38.1
Percona Server 5.5.51-38.2
Percona Server 5.6.32-78.0
Percona Server 5.6.32-78.1
Percona Server 5.7.14-7
Percona Server 5.7.14-8
Percona XtraDB Cluster 5.5.41-25.12
Percona XtraDB Cluster 5.6.30-25.16.2
Percona XtraDB Cluster 5.6.30-25.16.3

From seclist.org:
An independent research has revealed multiple severe MySQL vulnerabilities. This […]

Read more