Delaying Server Fest until Wed 6 April 2022

Things happen, schedules change. I don’t want to bother you with details, so you’ll have to take my word for it: Events related to Russia invading Ukraine have caused us to delay our Security themed MariaDB Server Fest with a week, from Wed 30 March to Wed 6 April 2022.

This is probably the mildest of the consequences of the ongoing war. Nonetheless, we apologise for the inconvenience.

Security: MariaDB Server MiniFest 30 March 2022 – CfP

Mark your calendars! On Wed 30 March 2022 Wed 6 April 2022, we will have the first MariaDB Server MiniFest of the year. The theme of the day is security, in all its shapes and forms – as long as it is relevant to the MariaDB Server user base.

Call for Papers

Submit your paper by 1 March 2022, if your work on security is of interest to the MariaDB ecosystem. We have ongoing discussions with a number of great presenters already, but submissions are welcome.

MariaDB 5.5 R.I.P.

Requiescat in pace. May MariaDB 5.5 rest in peace!

As the maintenance policy of the MariaDB Foundation states, we are committed to maintaining each release for 5 years. MariaDB 5.5 was announced for General Availability on 11 April 2012, so EOL was originally on 11 April 2017. At that point, we extended it by three years, due to its widespread usage in distributions.

Today, we have 11 April 2020, so this is no accidental, sudden death. Everyone could see it coming.

One Final Release MariaDB 5.5.68

However, we have decided to build one final release MariaDB 5.5.68, with remaining security updates.

Enable post-compromise data protection with MariaDB and Virgil Security’s PureKit

MariaDB deployments hold vast amounts of sensitive data such as intellectual property, state secrets, healthcare and financial records. HIPAA, GDPR and other government regulations require even more stringent protections and disclosures. Achieving post-compromise protection is seen as a necessary new tool available to DevOps teams.

At the first MariaDB Day in Brussels on February 2nd, Virgil Security’s CTO and co-founder Dmitry Dain presented a MariaDB demo based on the Virgil PureKit security framework that can protect stored passwords, PII and any other sensitive data even if the database had been breached – making it worthless to the attacker in the face of offline attacks (read more about security benefits in this blog post). …

Authentication in MariaDB 10.4 — Understanding the Changes

MariaDB Server 10.4 came with a whole lot of Security related changes. Some of them are merely optimizations (like MDEV-15649), some improve existing features to be more robust (MDEV-15473, MDEV-7598) or convenient (MDEV-12835, MDEV-16266). Some are MySQL compatibility features, requested by our users (MDEV-7597, MDEV-13095).

But the first thing any MariaDB Server user, whether an experienced veteran or a newbie, does — before even issuing the first SQL statement — is logging in. Authenticating to the database server. …

MariaDB on HackerOne

We are pleased to announce the launch of our public bug bounty program on the HackerOne platform:

https://hackerone.com/mariadb

The aim for this program is two fold:

  1. Review the vulnerability submission channels, guidelines and policy for responsible disclosure, as well as asset identification and vulnerability handling process on our side.
  2. Encourage researchers to look for vulnerabilities in MariaDB code and have a way to incentivize reporting in accordance with the responsible disclosure model.

Goal no.1 resulted in changes to our general vulnerability classification process described at mariadb.org/about/security-policy/.  We now have two kinds of vulnerabilities, Critical and Medium severity, as well as a policy that should act as a guideline to the reporter as well as our team to ensure proper vulnerability management. …

MyISAM and KPTI – Performance Implications From The Meltdown Fix

Recently we had a report from a user who had seen a stunning 90% performance regression after upgrading his server to a Linux kernel with KPTI (kernel page-table isolation – a remedy for the Meltdown vulnerability). (more…)

Who are you? The history of MySQL and MariaDB authentication protocols from 1997 to 2017

MySQL 3.20 to 4.0

In the good old days, when 32MB of RAM justified the name my-huge.cnf, when nobody knew Google and Facebook didn’t even exist, security was… how do I put it… kind of cute. Computer viruses didn’t steal millions and didn’t disrupt elections — they played Yankee Doodle or told you not to play with the PC. People used telnet and ftp, although some security conscious admins already knew ssh.

Somewhere around this time, give or take a few years, MySQL was born. And it had users, who had to be kept away from seeing others’ data, but allowed to use their own. …