{"id":5735,"date":"2012-11-08T08:31:16","date_gmt":"2012-11-08T06:31:16","guid":{"rendered":"http:\/\/code.openark.org\/blog\/?p=5735"},"modified":"2012-11-08T08:31:35","modified_gmt":"2012-11-08T06:31:35","slug":"my-take-on-privatized-mysql-security-bugs","status":"publish","type":"post","link":"https:\/\/code.openark.org\/blog\/mysql\/my-take-on-privatized-mysql-security-bugs","title":{"rendered":"My take on privatized MySQL security bugs"},"content":{"rendered":"<p>A couple weeks ago I submitted <a href=\"http:\/\/bugs.mysql.com\/bug.php?id=67315\">Bug\u00a0#67315: Crashing server by stored function referencing user defined variable in query<\/a>. If you press that link, you can&#8217;t see the bug (though I can as I submitted it).<\/p>\n<p>This is due to Oracle&#8217;s policy for security-related bugs. Tomas Ulin, Vice President MySQL Development at Oracle , was kind enough to discuss Oracle&#8217;s policy with me, and these are the key points as I understand them:<\/p>\n<p>Oracle&#8217;s basic approach is to protect its customers. By publicizing security-bugs, Oracle&#8217;s customers are vulnerable to black hatters attacks. Therefore Oracle takes measures and privatizes security bugs (crashing bugs can be treated as security bugs since a crash is a form of Denial of Service).<\/p>\n<p>But what of a bug reported in a RC version, as was in my case? There is no strict policy there, according to Ulin. However with a version this close to GA, it is uncertain that a specific bug would be fixed in time. It may happen, then, that a bug would find itself well into GA releases, thereby exposing customers to attacks.<\/p>\n<p>Moreover, GA bugs that are already fixed may remain private, as customers will not necessarily haste to upgrade their working servers for every bug fix.<\/p>\n<h4>My take<\/h4>\n<p>Bug privatization has disadvantages, as well:<!--more--><\/p>\n<ul>\n<li>One could be left with the knowledge that there&#8217;s some serious bug in one&#8217;s server, but with no way to defend oneself, or take measures against hitting that bug<\/li>\n<li>Forks are left outside; and for maintainer could try and tackle that bug, thereby improving the product. But with private bugs, forks just have to sit and wait idly.<\/li>\n<\/ul>\n<p>I don&#8217;t necessarily have to have a take on this, but I got curious: how do other organizations work? And very quickly, I got <a href=\"https:\/\/fedoraproject.org\/wiki\/Security\/Bugs#Embargoed_Security_Issues\">here<\/a>. And although the domain reads <em>fedoraproject.org<\/em>, this is also the RedHat Enterprise Linux way of doing it. A bug can be embargoed, even if it&#8217;s upstream.<\/p>\n<p>RedHat\/Fedora have a notion of embargo expiry time; but I don&#8217;t know exactly how that works &#8211; I did some looking but could not determine that there is a fixed expiry time at the time of embargo.<\/p>\n<p>Comparing RedHat\/Fedora&#8217;s and Oracle&#8217;s approaches, I&#8217;m not sure there&#8217;s that much of a difference. Perhaps Oracle is stricter. I did not make a thorough research, but the logic makes sense to me, which makes the policy reasonable in my view.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A couple weeks ago I submitted Bug\u00a0#67315: Crashing server by stored function referencing user defined variable in query. If you press that link, you can&#8217;t see the bug (though I can as I submitted it). This is due to Oracle&#8217;s policy for security-related bugs. Tomas Ulin, Vice President MySQL Development at Oracle , was kind [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"enabled":false},"version":2}},"categories":[5],"tags":[92,51],"class_list":["post-5735","post","type-post","status-publish","format-standard","hentry","category-mysql","tag-bugs","tag-opinions"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2bZZp-1uv","_links":{"self":[{"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/posts\/5735","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/comments?post=5735"}],"version-history":[{"count":18,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/posts\/5735\/revisions"}],"predecessor-version":[{"id":5774,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/posts\/5735\/revisions\/5774"}],"wp:attachment":[{"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/media?parent=5735"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/categories?post=5735"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/code.openark.org\/blog\/wp-json\/wp\/v2\/tags?post=5735"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}