Security vulnerability in MySQL/MariaDB
If the user name is known (for example root), simply retrying the login repeatedly (about 256 attempts on average) gets you in.

Recently a serious security vulnerability was disclosed in MySQL and MariaDB (CVE-2012-2122): if the user name is known, simply retrying the login repeatedly is enough to get in. Affected versions: all MariaDB and MySQL releases up to and including 5.1.61, 5.2.11, 5.3.5 and 5.5.22. MariaDB 5.1.62, 5.2.12, 5.3.6 and 5.5.23 and later are not affected; MySQL 5.1.63, 5.5.24 and 5.6.6 and later are not affected. The bug has not been found in the officially built binaries; if you downloaded the source and compiled it yourself, you may be affected. The problem comes down to the return value of memcmp(): the server compares the expected and supplied password hashes with memcmp() and returns the int result through a char-sized my_bool, so a result outside -128..127 (for example 256) is truncated to 0 and read as "match". As far as is known, gcc's built-in memcmp is safe and the BSD libc memcmp is safe; the SSE-optimized memcmp in Linux glibc, which can return such out-of-range values, has the problem. Since roughly one random attempt in 256 produces a value that truncates to 0, an attacker needs about 256 connection attempts on average.
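To make the memcmp() point concrete, here is an added example; it is not code from the page or from MySQL/MariaDB. It puts the vulnerable shape of the check (the memcmp() result returned through the char-sized my_bool) next to the fixed shape, using a hypothetical memcmp stand-in, wide_memcmp, that returns out-of-range differences the way an optimized libc implementation may. The function names, the constructed hashes, the stored hash and the xorshift32 seed are all assumptions made for this illustration.

```c
/* Added example, not code from the page or from MySQL/MariaDB: how an
 * out-of-range memcmp() result turns a failed password check into a success
 * once it is squeezed through the char-sized my_bool. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_HASH_SIZE 20
typedef char my_bool;   /* MySQL's my_bool is a plain char: 8 bits wide */

/* Hypothetical stand-in for an optimized libc memcmp. The C standard only
 * promises the sign of the result; this one returns the full difference of
 * the first mismatching 32-bit word, which is usually far outside -128..127. */
static int wide_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t wa, wb;
        memcpy(&wa, pa + i, 4);
        memcpy(&wb, pb + i, 4);
        if (wa != wb)
            return (int)(int32_t)(wa - wb);   /* e.g. -256, 65536, ... */
    }
    for (; i < n; i++)
        if (pa[i] != pb[i])
            return pa[i] - pb[i];
    return 0;
}

/* The narrowing that does the damage: int -> char keeps only the low 8 bits,
 * so every multiple of 256 becomes 0, and 0 means "hashes match". */
static my_bool as_my_bool(int memcmp_result)
{
    return memcmp_result;
}

/* Vulnerable shape: the memcmp() int is returned through my_bool.
 * 0 means "password accepted", anything else "rejected". */
static my_bool check_scramble_vulnerable(const unsigned char *hash_stage2,
                                         const unsigned char *hash_stage2_reassured)
{
    return wide_memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE);
}

/* Fixed shape: collapse to 0/1 while the value is still a full-width int. */
static my_bool check_scramble_fixed(const unsigned char *hash_stage2,
                                    const unsigned char *hash_stage2_reassured)
{
    return wide_memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE) != 0;
}

/* Constructed pair: the forged hash differs from the real one only in byte 1,
 * so the first 32-bit words differ while their low-order bytes agree on both
 * little- and big-endian hosts. Returns 1 if the chosen check lets it in. */
static int forged_accepted(int use_fixed)
{
    unsigned char real[SHA1_HASH_SIZE] = { 0x11, 0x22, 0x33, 0x44, 0x55 };
    unsigned char forged[SHA1_HASH_SIZE];
    memcpy(forged, real, SHA1_HASH_SIZE);
    forged[1] ^= 0x01;
    if (use_fixed)
        return check_scramble_fixed(real, forged) == 0;
    return check_scramble_vulnerable(real, forged) == 0;
}

/* Deterministic xorshift32 (seed must be non-zero) so the run is reproducible. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Model the attack in the text: the attacker knows the user name and keeps
 * reconnecting with random passwords, so the hash the server recomputes is a
 * fresh random 20-byte value every time. Returns how many attempts get in. */
static unsigned false_accepts(unsigned attempts, uint32_t seed, int use_fixed)
{
    unsigned char stored[SHA1_HASH_SIZE] = { 0xde, 0xad, 0xbe, 0xef, 0x01 };
    unsigned char guess[SHA1_HASH_SIZE];
    unsigned accepted = 0;
    while (attempts--) {
        for (size_t i = 0; i < SHA1_HASH_SIZE; i += 4) {
            uint32_t r = xorshift32(&seed);
            memcpy(guess + i, &r, 4);
        }
        my_bool rc = use_fixed ? check_scramble_fixed(stored, guess)
                               : check_scramble_vulnerable(stored, guess);
        if (rc == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("forged hash, vulnerable check: %s\n", forged_accepted(0) ? "ACCEPTED" : "rejected");
    printf("forged hash, fixed check:      %s\n", forged_accepted(1) ? "ACCEPTED" : "rejected");
    printf("random attempts let in, vulnerable check: %u of 65536 (about 1 in 256)\n",
           false_accepts(65536, 0x9E3779B9u, 0));
    printf("random attempts let in, fixed check:      %u of 65536\n",
           false_accepts(65536, 0x9E3779B9u, 1));
    return 0;
}
```

Compile with cc and run it: the forged hash passes the vulnerable check, and so does roughly 1 in 256 random attempts, which is where the "about 256 retries" figure comes from; the fixed check accepts neither. The same narrowing bites with any libc whose memcmp() returns more than the sign, so the durable fix is in the caller (compare the result with 0 before it is narrowed), not in picking a different libc.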
============== Update ==================

  1. Because yum downloads were very slow, I downloaded the two large rpm
    packages (server and client) in advance on Windows.

  2. Uploaded them to the CentOS machine.

  3. The yum repo file still has to be set up (as described below).

  4. Running yum install MariaDB-10.1.25-centos7-x86_64-server.rpm
     MariaDB-10.1.25-centos7-x86_64-client.rpm then failed with:
     GPG key retrieval failed: [Errno 14]

  5. The fix was to change the repo file from step 3: set gpgcheck=1 to
    gpgcheck=0.

Affected versions:

All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are
vulnerable.
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.

How to Upgrade MariaDB 5.5 to MariaDB 10.1 on CentOS/RHEL 7 and Debian Systems

[Image: Upgrade MariaDB 5.5 to MariaDB 10.1 on RHEL/CentOS 7]

Reposted from

============== Supplementary notes ==================

What’s new

A few new features have been added in this version; you can see them
below:

  1. Galera, a multi-master cluster solution, is now a standard part of
    MariaDB.
  2. Two new information schema tables were added for examining wsrep
    information more easily: WSREP_MEMBERSHIP and WSREP_STATUS.
  3. Page compression for InnoDB and XtraDB. Page compression is similar
    to the InnoDB COMPRESSED storage format.
  4. Page compression for FusionIO.
  5. A few of the optimization tweaks included are:
    1. .frm files are no longer created for temporary tables
    2. MAX_STATEMENT_TIME can be used to abort long-running queries
      automatically
    3. malloc() is called less often and simple queries execute faster
    4. Webscale patches
  6. Plugin updates
  7. Security fixes (many vulnerabilities have been addressed).

In this tutorial we are going to show you how to upgrade MariaDB 5.5 to
MariaDB 10.1, the latest stable version. You will need root access to the
machine on which you perform the upgrade.

Note that if you are running an earlier version of MariaDB, the recommended
course is to upgrade through each major version in turn, for
example MariaDB 5.1 -> 5.5 -> 10.1.

Step 1: Backup or Dump All MariaDB Databases

As always when performing an upgrade, creating a backup of your existing
databases is important. You can either dump the databases with a command
such as:

# mysqldump -u root -ppassword --all-databases > /tmp/all-database.sql

Passing the password on the command line exposes it in the process list
and in your shell history; prefer a bare -p so mysqldump prompts for it.
Also write the dump somewhere only root can read rather than the
world-readable /tmp, since a full dump contains every account's password
hash from the mysql database.

Alternatively, you can stop the MariaDB service with:

# systemctl stop mysql

and, with the server stopped so the files are consistent, copy the data
directory to a separate location like this:

# cp -a /var/lib/mysql/ /var/lib/mysql.bak

In case of failure of the upgrade you can use one of the above copies to
restore your databases.

Step 2: Add the MariaDB Repository

A good practice is to make sure your packages are up to date before
making any changes to your repo files. You can do this with:

# yum update          [On RHEL/CentOS 7]
# apt-get update      [On Debian/Ubuntu]

(Vulnerability note at the top of this page: text by 开源中国 / OSChina)

On RHEL/CentOS 7

If you had any outdated packages, wait for their installation to finish.
Next, you need to add the MariaDB 10.1 repo for CentOS/RHEL 7. To do this,
use your favorite text editor, such as vim or nano, and open the following
file:

# vim /etc/yum.repos.d/MariaDB10.repo

Add the following text in it:

# MariaDB 10.1 CentOS repository list - created 2016-01-18 09:58 UTC
# http://mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

Then save and exit the file (for vim :wq). Leave gpgcheck=1 in place: it
makes yum verify every package signature against the key named in gpgkey,
so a tampered package or mirror is rejected. If the key cannot be fetched
and yum reports "GPG key retrieval failed", import the key from that URL
with rpm --import before installing, rather than setting gpgcheck=0, which
switches the verification off entirely.

On Debian and Ubuntu

Run the following series of commands to add the MariaDB repository and its
signing key on your system:

# apt-get install software-properties-common
# apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xcbcb082a1bb943db
# add-apt-repository 'deb [arch=amd64,i386] http://kartolo.sby.datautama.net.id/mariadb/repo/10.1/ubuntu wily main'

Important: Don’t forget to replace the ubuntu wily with your
distribution name and release.

Step 3: Remove MariaDB 5.5

If you have taken backup of your databases as suggested in Step 1, you
are now ready to proceed and remove the existing MariaDB installation.

To do this, simply run the following command:

# yum remove mariadb-server mariadb mariadb-libs         [On RHEL/CentOS 7]
# apt-get purge mariadb-server mariadb mariadb-libs      [On Debian/Ubuntu]

[Screenshot: Remove MariaDB 5.5 Version]

Next, clean the repository cache:

# yum clean all          [On RHEL/CentOS 7]
# apt-get clean all      [On Debian/Ubuntu]

Step 4: Installing MariaDB 10.1

Now it’s time to install the newer version of MariaDB, by using:

# yum -y install MariaDB-server MariaDB-client      [On RHEL/CentOS 7]
# apt-get install mariadb-server mariadb-client     [On Debian/Ubuntu]

[Screenshot: Install MariaDB 10 on CentOS/RHEL 7]

Once the installation is complete, you can start the MariaDB service
with:

# systemctl start mariadb

If you want MariaDB to automatically start after system boot, run:

# systemctl enable mariadb

Finally run the upgrade command to upgrade MariaDB with:

# mysql_upgrade

[Screenshot: MariaDB Upgrade]

To verify that the upgrade was successful, run the following command:

# mysql -V

[Screenshot: Check MariaDB Version]

Congratulations, your upgrade has been completed!

Conclusion

MariaDB/MySQL upgrades are always tasks that should be performed with
extra caution. I hope yours completed smoothly. If you encounter any
issues, please do not hesitate to post a comment.