Comments on: My take on privatized MySQL security bugs
https://shlomi-noach.github.io/blog/mysql/my-take-on-privatized-mysql-security-bugs
Blog by Shlomi Noach
Thu, 08 Nov 2012 20:08:48 +0000

By: Mark Callaghan
https://shlomi-noach.github.io/blog/mysql/my-take-on-privatized-mysql-security-bugs/comment-page-1#comment-132191
Thu, 08 Nov 2012 20:08:48 +0000

What fraction of new bugs are crashing bugs? I understand marking security bugs private for some time, but if all crashing bugs are security bugs and all security bugs remain private for some long period of time, then I think the community loses something and Oracle/MySQL eventually loses too.
By: Sergei Petrunia
https://shlomi-noach.github.io/blog/mysql/my-take-on-privatized-mysql-security-bugs/comment-page-1#comment-132027
Thu, 08 Nov 2012 08:31:20 +0000

> crashing bugs can be treated as security bugs since a crash is a form of Denial of Service

99.9% of the crashes can only be triggered by a user who is logged in and has permissions to do some actions. For example: judging from the description of bug#67315, one needs to be able to create/invoke stored functions in order to cause the crash.

Well, if a user is logged in to MySQL, he can cause a DoS. This has been known for years. Popular blogs have provided examples of how to cause a DoS:
http://www.mysqlperformanceblog.com/2008/11/28/mysql-for-hosting-providers-how-do-they-manage/

If Oracle had considered this to be a problem worth paying attention to, I suspect we would have seen some development in that direction, like per-user quotas of memory/CPU/IO usage and stuff like that.
I have not heard of them developing anything like that.
