
The MariaDB Foundation Board has been meeting monthly since February and on Monday this week had the third meeting of the year. Here is an update on a couple of things from the meeting.

We’re happy to announce that Booking.com has renewed their support to the foundation. As a major corporate sponsor, Booking.com has been offered a seat on the Foundation board, and Booking.com nominated Eric Herman. Eric has a history with MySQL dating back to 2004, when he joined MySQL to work on the server and tools. In 2010, Eric joined Booking.com, where he works on database scaling challenges and BigData. As a community member, he has contributed to the Perl MySQL client driver, the Perl interpreter, and other Free Software. To represent community and industry interests in line with the Foundation mission, Eric Herman has joined the Board.

The current Members of the Board ordered by last name are:

  • Sergei Golubchik, Chief Architect, MariaDB Corporation
  • Eric Herman, Principal Developer, Booking.com
  • Espen Håkonsen, CIO of Visma and Managing Director of Visma IT & Communications
  • Rasmus Johansson (Chair), VP Engineering, MariaDB Corporation
  • Michael Widenius, CTO, MariaDB Foundation
  • Jeremy Zawodny, Software Engineer, Craigslist

Last but not least, the secretary of the Board is the Foundation’s CEO Otto Kekäläinen.

The corporate sponsors so far this year are:

If your company is interested in supporting the MariaDB project through the MariaDB Foundation, please contact “foundation ‘at’ mariadb (dot) org”.

It might also be of interest that the mariadb.org website is getting a facelift, both to look more appealing and to include more relevant information about the project and the Foundation. More about that later.

Last week, an SSL connection security vulnerability was reported for MySQL and MariaDB. The report states that because MariaDB and MySQL do not enforce SSL even when SSL support is enabled, it is possible to launch Man In The Middle (MITM) attacks. A MITM attacker can intercept the supposedly secure connection and downgrade it to an insecure one, revealing the data going back and forth to the server.

Progress on the fix in MariaDB can be followed through the corresponding ticket in MariaDB’s tracking system (JIRA): https://mariadb.atlassian.net/browse/MDEV-7937

The vulnerability affects the client library shipped with the database server in both MariaDB and MySQL. It does not, however, affect all of the libraries, drivers and connectors used to establish SSL connections to the server.

The vulnerability exists when the connection to the server is made through the client library libmysqlclient. This client library is provided with the database server, and MariaDB’s version is a fork of the corresponding client library in MySQL. The client library is used by what is probably the most widely used tool, the MySQL command-line client, a forked version of which is shipped with MariaDB.

In addition to libmysqlclient, the MariaDB project provides the following connectors:

These connectors also support SSL connections to the database server and use similar parameters to establish secure connections. Here is an update on whether the connectors are affected or not:

  • Affected – MariaDB Connector/C is vulnerable in the same way as libmysqlclient
  • Not affected – MariaDB Connector/J does the right thing and aborts any insecure connection when SSL is in use
  • Not affected – MariaDB Connector/ODBC does not currently support SSL

For MySQL’s Connector/J it is worth mentioning that it has two relevant properties, “useSSL” and “requireSSL”. If “requireSSL” is set, insecure connections are aborted instead of silently falling back to plaintext.
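As an added example, not taken from the post or from the Connector/J project, the snippet below puts the permissive MySQL Connector/J URL (SSL permitted) next to the strict one (SSL required) and connects with the strict one. The host, database, credentials and truststore path are placeholders; “verifyServerCertificate” and the javax.net.ssl system properties are standard Connector/J and JSSE settings that the post does not mention.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class RequireSslExample {
    // Placeholder endpoint; replace with your own server and schema.
    private static final String HOST = "db.example.internal";
    private static final String DB = "appdb";

    // Weak: SSL is permitted but not required. If the server (or a
    // man-in-the-middle) offers no SSL, the driver falls back to plaintext.
    static final String PERMISSIVE_URL =
        "jdbc:mysql://" + HOST + ":3306/" + DB + "?useSSL=true";

    // Strict: requireSSL makes the driver abort instead of falling back.
    // verifyServerCertificate=true (not mentioned in the post) additionally
    // checks the server certificate against the configured truststore, so a
    // MITM presenting its own certificate is rejected as well.
    static final String STRICT_URL =
        "jdbc:mysql://" + HOST + ":3306/" + DB
        + "?useSSL=true&requireSSL=true&verifyServerCertificate=true";

    public static Connection connectStrict(String user, String password)
            throws SQLException {
        // Truststore holding the CA that signed the server certificate
        // (assumed path and password; standard JSSE system properties).
        System.setProperty("javax.net.ssl.trustStore", "/etc/app/mysql-ca.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "<truststore-password>");

        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        // With requireSSL=true this throws SQLException when the connection
        // cannot be secured, rather than returning a plaintext connection.
        return DriverManager.getConnection(STRICT_URL, props);
    }

    public static void main(String[] args) {
        try (Connection c = connectStrict("app", "<app-password>")) {
            System.out.println("Connected over SSL to " + HOST);
        } catch (SQLException e) {
            // Treat the failure as a signal: no SSL means do not proceed.
            System.err.println("Refusing non-SSL connection: " + e.getMessage());
        }
    }
}
```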

Many of the tools used to connect to MariaDB or MySQL rely on libmysqlclient. Thus, when using these tools over an untrusted network, it is highly recommended that you restrict network access as much as possible by normal means, even if you are using SSL to connect to MariaDB or MySQL. Some best practices that are easy to put in place to decrease the risk of MITM attacks include:

Finally, since we’re in the middle of fixing the vulnerability in MariaDB, we appreciate your input regarding which versions of MariaDB should get the fix backported. For background, the SSL support in MySQL (up until 5.7) and MariaDB is not enforceable. This is the intended MySQL behavior, implemented back in 2000, and clearly documented in the MySQL reference manual as:

“For the server, this option specifies that the server permits but does not require SSL connections.

For a client program, this option permits but does not require the client to connect to the server using SSL. Therefore, this option is not sufficient in itself to cause an SSL connection to be used. For example, if you specify this option for a client program but the server has not been configured to permit SSL connections, an unencrypted connection is used.”

MariaDB 5.5 and 10.0 are stable versions and behave as documented: they permit SSL, but do not require it. Enforcing SSL whenever the appropriate options are given would change this behavior and might break existing applications that use a mix of SSL and non-SSL connections. In MariaDB 10.1 this is not a problem, since MariaDB 10.1 is still in beta, although it is very close to release candidate status; that is where we will introduce the fix. As for MariaDB 5.5 and 10.0, we are collecting input to determine whether we should change their behavior. Please visit our website for more details, and share your feedback at: http://info.mariadb.com/ssl-vulnerability-mysql-mariadb

The initial reports on the vulnerability can be found through these sources:


The MariaDB project is pleased to announce the immediate availability of MariaDB 5.5.43. This is a Stable (GA) release.

See the Release Notes and Changelog for detailed information on this release and the What is MariaDB 5.5? page in the MariaDB Knowledge Base for general information about the MariaDB 5.5 series.

Thanks, and enjoy MariaDB!