Category Archives: Security
Both MariaDB and MySQL have been around a long time now, and there is always a difficult balance between maintaining compatibility whilst also solving security issues that arise. With the latest bugfix releases of MariaDB, we had to break compatibility a little to improve security, but there are workarounds. We figured we should explain the reasons behind it and how to make things as painless as possible for you.
The Problem
The problem we were solving, and for various reasons we had to do it very quickly, is that it is possible to generate a malicious MariaDB dump file which could execute shell commands from the MariaDB client.
…
SSL (let’s call it that, even though SSL 2.0 and SSL 3.0 were long replaced by TLS 1.0–1.3 protocols) support was implemented in MySQL in 2001, so MariaDB (born in 2009) always had it. But over more than twenty years of SSL support there was one huge problem with it. It required tedious manual configuration, so most users never bothered and accepted the fact that their queries and data were sent unprotected. Which might have been slightly risky in 2001, but is definitely reckless in 2023.
The traditional approach
Let’s see. First, the user installing MariaDB or MySQL has to generate a private key and a certificate.
…
Continue reading “Mission Impossible: Zero-Configuration SSL”
Let’s say you are a Cloud Service Provider, with many customers – each having many MariaDB Server users and databases. What if several such customers could share a single instance of MariaDB Server? That’s what we call the catalog feature, a feature that – if implemented – could potentially save lots of resources (and thus costs!) in a number of high-end use cases.
How the idea was born
At CloudFest 2023 near Frankfurt in March, we had in-depth meetings with a number of heavy MariaDB Server users – ones best described as Cloud Service Providers (CSPs).
…
Continue reading “Multi-tenancy through catalogs in MariaDB Server”
Things happen, schedules change. I don’t want to bother you with details, so you’ll have to take my word for it: Events related to Russia invading Ukraine have caused us to delay our Security themed MariaDB Server Fest by a week, from Wed 30 March to Wed 6 April 2022.
This is probably the mildest of the consequences of the ongoing war. Nonetheless, we apologise for the inconvenience.
…
Continue reading “Delaying Server Fest until Wed 6 April 2022”
Mark your calendars! On Wed 6 April 2022 (originally scheduled for Wed 30 March 2022), we will have the first MariaDB Server MiniFest of the year. The theme of the day is security, in all its shapes and forms – as long as it is relevant to the MariaDB Server user base.
Call for Papers
Submit your paper by 1 March 2022, if your work on security is of interest to the MariaDB ecosystem. We have ongoing discussions with a number of great presenters already, but submissions are welcome.
…
Continue reading “Security: MariaDB Server MiniFest 30 March 2022 – CfP”
Requiescat in pace. May MariaDB 5.5 rest in peace!
As the maintenance policy of the MariaDB Foundation states, we are committed to maintaining each release for 5 years. MariaDB 5.5 was announced for General Availability on 11 April 2012, so EOL was originally on 11 April 2017. At that point, we extended it by three years, due to its widespread usage in distributions.
Today is 11 April 2020, so this is no accidental, sudden death. Everyone could see it coming.
One Final Release: MariaDB 5.5.68
However, we have decided to build one final release, MariaDB 5.5.68, with the remaining security updates.
…
MariaDB deployments hold vast amounts of sensitive data such as intellectual property, state secrets, healthcare and financial records. HIPAA, GDPR and other government regulations require even more stringent protections and disclosures. Post-compromise protection is increasingly seen as a necessary new tool for DevOps teams.
At the first MariaDB Day in Brussels on February 2nd, Virgil Security’s CTO and co-founder Dmitry Dain presented a MariaDB demo based on the Virgil PureKit security framework that can protect stored passwords, PII and any other sensitive data even if the database has been breached – making the data worthless to the attacker in the face of offline attacks (read more about the security benefits in this blog post). …
Continue reading “Enable post-compromise data protection with MariaDB and Virgil Security’s PureKit”
MariaDB Server 10.4 came with a whole lot of Security related changes. Some of them are merely optimizations (like MDEV-15649), some improve existing features to be more robust (MDEV-15473, MDEV-7598) or convenient (MDEV-12835, MDEV-16266). Some are MySQL compatibility features, requested by our users (MDEV-7597, MDEV-13095).
But the first thing any MariaDB Server user, whether an experienced veteran or a newbie, does — before even issuing the first SQL statement — is logging in. Authenticating to the database server. …
Continue reading “Authentication in MariaDB 10.4 — Understanding the Changes”