Comments on J-F Gagné's MySQL Blog: Here is the CREATE TABLE of death
Feed updated: 2024-03-20T03:06:52.713-04:00

Jean-François Gagné, 2017-11-28T13:28:14.671-05:00:
"what the difference in risk": I am afraid I do not understand your question.

MariaDB: it is already patched since 5.5.57, 10.0.32, 10.1.26 and 10.2.7.

"largest MySQL DaaS": I have to confess that I do not follow AWS much, I published my previous post once it was fixed in 5.7.20 (almost 6 weeks ago). I might take AWS into account on the next crashing bug

Anonymous, 2017-11-28T09:49:37.978-05:00:
Hi JF, I do understand your point that having too permissive grants also incurs risks of data being lost. I fully agree with you that exposing a user with too permissive grants is something you should never do. However I see no difference in the case of running MySQL yourself and being vulnerable with a too permissive user.
Please explain to me what the difference in risk would be between

Jean-François Gagné, 2017-11-28T09:23:50.542-05:00:
Hi Art, the post is still out, so I obviously do not fully agree about un-publishing it. I am not sure "anyone with a RDS MySQL instance" is vulnerable as "too permissive grants" (and widely distributed credentials) also incur risks of data loss.
Still, this is a complex debate and I encourage anyone having thoughts on this to post a comment here.

Anonymous, 2017-11-28T08:08:09.665-05:00:
I tried it on a freshly deployed instance of RDS MySQL (their latest is 5.7.19) and it does indeed crash immediately on your initial table of death. In my experience the users of RDS have a high tendency to use the out-of-the-box RDS admin account as the application user. Also many deploy the RDS instance publicly accessible. This means that anyone with a RDS MySQL instance that has a user with