Over the past few days there have been extensive conversations about a new security vulnerability in MariaDB and MySQL.

It all started as a chain reaction when Monty Program publicly disclosed information about the flaw they had found and about how to make sure your MariaDB and MySQL installations are fixed. The issue was assigned the security vulnerability identifier CVE-2012-2122, and the original disclosure can be read e.g. here: http://seclists.org/oss-sec/2012/q2/493.

The bug was found two months ago on April 4th.

Before disclosing the information publicly, given the seriousness of this bug and considering the millions of MySQL and MariaDB installations deployed worldwide, Monty Program informed the biggest distributors of MySQL and MariaDB as a precaution.

On April 6th, Monty Program informed Oracle about it in bug report http://bugs.mysql.com/bug.php?id=64884 and provided a suggested fix.

The other big distributors of MySQL and MariaDB are the major Linux distributions, which were also alerted in April and provided with a fix for old MySQL versions (no longer supported by Oracle). This gave Oracle and the Linux distributions some lead time to check whether their MySQL and/or MariaDB builds were vulnerable and to apply the provided fix if needed.

Whether your MySQL or MariaDB installation is vulnerable depends on where and how the binaries you use were built.

The official MariaDB binaries provided by Monty Program, the MySQL binaries provided by Oracle and, in case you use them, Percona's binaries of their server have all been tested. All three vendors have confirmed that the vulnerability is not present in their binaries, and that it never has been, because of the way those binaries are built.

All binaries listed on the SkySQL website are either official Oracle or official MariaDB binaries mirrored from dev.mysql.com/downloads and downloads.mariadb.org.

If you built your binaries yourself, you (or your database administrator) can easily test if your installation is vulnerable or not by following the instructions found e.g. here http://ronaldbradford.com/blog/repost-a-tragically-comedic-security-flaw-in-mysql-2012-06-11/.

If you build or have built your own binaries, it is also useful to know that the fix (which removes the problem regardless of how you build) was first released in MariaDB 5.5.23 on April 10. Oracle followed with the fix in MySQL 5.5.24 on May 7.
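As an added example (not from the post), a small Python triage helper that applies the guidance above: official vendor builds were never affected, and for a self-built binary the value of SELECT VERSION() tells you whether the build is at or past the release that first carried the fix. Anything older must still be tested with the linked instructions; a version number alone does not prove that a self-built binary is vulnerable, and the fixed-version table holds only the two releases the post names.

```python
import re

# First releases to carry the fix for CVE-2012-2122, as stated in the post.
FIXED_VERSIONS = {
    "MariaDB": (5, 5, 23),
    "MySQL": (5, 5, 24),
}

def parse_version(version_string):
    """Parse the value of SELECT VERSION(), e.g. '5.5.22-MariaDB-log' or
    '5.5.24', into (product, (major, minor, patch)). Anything containing
    'MariaDB' is treated as MariaDB, everything else as MySQL (assumption)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError("unrecognised version string: %r" % version_string)
    numbers = tuple(int(x) for x in m.groups())
    product = "MariaDB" if "mariadb" in version_string.lower() else "MySQL"
    return product, numbers

def includes_fix(version_string):
    """True when the version is at or above the first release with the fix.
    The product matters: MySQL 5.5.23 predates Oracle's fix even though
    MariaDB 5.5.23 carries it."""
    product, numbers = parse_version(version_string)
    return numbers >= FIXED_VERSIONS[product]

def triage(version_string, self_built):
    """Apply the post's guidance to one server."""
    if not self_built:
        return "not affected: official vendor build"
    if includes_fix(version_string):
        return "self-built, fix included"
    return "self-built, older than the fixed release: test the build"

if __name__ == "__main__":
    # Constructed sample inputs.
    for version, self_built in (("5.5.22-MariaDB-log", True),
                                ("5.5.23-MariaDB", True),
                                ("5.5.23", True),
                                ("5.1.61-log", False)):
        print(version, "->", triage(version, self_built))
```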

Most MariaDB and MySQL users do not need to build binaries themselves, i.e. we are on a platform for which official MariaDB and MySQL binaries are provided, and we have no patches of our own that would need to be applied before producing binaries.

For most of us it is therefore recommended to get the binaries from the official channels, either through your Linux distribution's repository or through the database's official download channel, which in the case of MariaDB is http://downloads.mariadb.org.

Also, if you want to make sure that you’re on the latest version of MariaDB and you’re running on CentOS, Fedora, Debian, Red Hat or Ubuntu you should consider adding MariaDB’s official repository, http://downloads.mariadb.org/mariadb/repositories/.

MariaDB and/or MySQL packagers (such as Linux distributions) should make sure they sign up for the MariaDB mailing list intended for packagers at https://lists.askmonty.org/cgi-bin/mailman/listinfo/packagers to receive important notifications including early disclosure of security vulnerabilities, like this one.

During my years at MySQL AB I had the unfortunate task of manually maintaining the download page for enterprise customers. This involved a ton of boring, error-prone work and almost always led to some sort of error every release. Some of our downloads were eventually replaced with an automated system written by the web team, but the memory of all that time wasted still hurts me. So when I joined Monty Program and saw our downloads were manually maintained in MediaWiki, I knew something had to change.

Most of the websites for Monty Program and the MariaDB project are written with Django, so this is where I started. I used our existing website code base and just created a new Django application for downloads. There are many models (tables) involved in the system, but the important ones are:

  • Releases: A list of all the releases we have made, e.g. MariaDB 5.2.7, MariaDB 5.1.55, etc.
  • Files: The individual files that make up a release.
  • Mirrors: The information (name, url, location) of the MariaDB mirrors.
  • Rules: This is the heart of the system and controls how a file name gets assigned to a release and how its other attributes, such as OS, are set.

When a MariaDB release is ready to publish, our release coordinator pushes the files to our primary mirror and tells the download management system to check for a new release. The system scans the mirror and captures the information (name, size, directory) of the new files. It then loops through each rule in order and checks whether it applies.

A rule is basically a regular expression plus a snippet of Python code to run. Massive regular expressions are always a pain to work with, so we try to keep the rules as simple as possible. For example, this is one of our rules.

Name: CPU – x86_64
Regex: .*x86_64.*
Code: file.cpu = 'x86_64'

Some rules are obviously more complex, but this is a good example of what we aim for. It is easy to understand, and if something needs to be changed it can be done easily. The file object in the code section is a helper object that makes writing rules easier by hiding the complexity of the underlying objects. I considered using some sort of rules engine but decided that it added unneeded complexity (the top answer to this question helped shape my opinion: http://stackoverflow.com/questions/467738/implementing-a-rules-engine-in-python).
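As an added illustration (not the project's code: the `file` helper and every rule beyond the x86_64 one are constructed), here is the rule loop described above in plain Python. Each rule is a regex matched against the file name plus a snippet that sets attributes on the helper object, applied in order; the comment in `run` spells out what it means for access control that rules are executable code.

```python
import re

class FileInfo:
    """Stand-in for the post's `file` helper (hypothetical): the name, size and
    directory captured by the mirror scan plus the attributes a rule may set,
    so rule code never touches the real Django models directly."""
    def __init__(self, name, size, directory):
        self.name, self.size, self.directory = name, size, directory
        self.cpu = self.os = self.package = self.release = None
        self.applied = []   # names of the rules that matched this file

class Rule:
    """A rule as the post describes it: a regex matched against the file name
    and a snippet of Python that sets attributes on `file`."""
    def __init__(self, name, regex, code):
        self.name = name
        self.regex = re.compile(regex)
        self.code = compile(code, "<rule: %s>" % name, "exec")

    def run(self, f):
        # The snippet is real Python, so rules are trusted configuration:
        # anyone who can edit a rule can run code inside the management
        # system, and rule editing needs the same access control as a deploy.
        # Empty builtins prevent accidental open()/__import__ calls; this is
        # a tidiness measure, not a sandbox.
        exec(self.code, {"__builtins__": {}}, {"file": f})

def apply_rules(rules, f):
    """Loop through the rules in order and run each one whose regex matches."""
    for rule in rules:
        if rule.regex.match(f.name):
            rule.run(f)
            f.applied.append(rule.name)
    return f

# Constructed rules in the shape of the post's "CPU - x86_64" example.
RULES = [
    Rule("CPU - x86_64", r".*x86_64.*", "file.cpu = 'x86_64'"),
    Rule("CPU - i686", r".*i686.*", "file.cpu = 'i686'"),
    Rule("OS - Linux", r".*Linux.*", "file.os = 'Linux'"),
    Rule("Package - tar.gz", r".*\.tar\.gz$", "file.package = 'tar.gz'"),
    Rule("Release from name", r"^mariadb-\d+\.\d+\.\d+-",
         "file.release = file.name.split('-')[1]"),
]

def classify(name, size=0, directory="/"):
    """Classify one scanned file, e.g. 'mariadb-5.2.7-Linux-x86_64.tar.gz'."""
    return apply_rules(RULES, FileInfo(name, size, directory))
```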

Once all the rules have been applied the release coordinator takes a final look and publishes the release. If there is a problem later, the whole release or individual files can be pulled.

The front end is fairly straightforward and there isn’t much to discuss but here are a few highlights:

  • The file listing is loaded via ajax so applying filters is fast.
  • Your mirror is picked by first looking at your country then your continent. If we have someone trying to download from Antarctica a random mirror will be chosen.

That, in a nutshell, is how our downloads system works. If anyone has any questions about it I'm happy to answer, either in the comments or in #maria on Freenode.