Re: Comments: Kaj Arnö - How MySQL Treats Security Vulnerabilities
Posted by: Tom Donovan
Date: December 07, 2007 11:30AM

The following policy may not be the best choice for an open-source product:

"... if the security vulnerability is sent in through bugs.mysql.com, we may mark the bug private, in effect making it invisible outside the members of the Security Team plus a few other developers at MySQL AB."

An example is CVE-2007-5925. The 9-Nov-2007 NIST Summary and many other reports all link to the MySQL bug.
For example: http://xforce.iss.net/xforce/xfdb/38284, http://secunia.com/advisories/27568, http://www.securityfocus.com/bid/26353/references, etc.
Unfortunately these links all now produce the message: "You do not have access to bug #32125."

MySQL users who were not quick enough to view bug 32125 must search elsewhere for additional info and patches.

The policy of withholding security bug details is probably a well-intentioned effort to keep the details out of the hands of miscreants, but doing so is really not possible with an open-source product. It certainly is impossible once a CVE is released. This practice risks being misinterpreted as an attempt at secrecy. It prevents the MySQL community from checking if the exploit really works in their own environment, and from testing any patches which might have been proposed in the bug.

I know it is difficult to overcome the impulse to withhold the details about security issues. Over time, however, a policy of complete openness and candor about vulnerabilities is likely to serve MySQL's reputation better. This would help distinguish MySQL's practices from those of closed-source commercial software vendors, whose actions in the face of security vulnerabilities are sometimes suspect.

CVE-2007-5925 is not a big deal as vulnerabilities go. Alas, sooner or later a serious vulnerability is likely to be discovered. I think it would be easier for MySQL to switch to a full and swift disclosure practice now - rather than wait to reconsider the policy in the face of the headlines, criticism, and stress which would accompany a more serious vulnerability report.

-tom-

Edited 2 time(s). Last edit at 12/07/2007 11:02PM by Tom Donovan.