2014/10/29 4:30PM PDT - Update -

Security update for MySQL 5.1

We have determined that some of the security issues announced by Oracle for MySQL 5.5 and 5.6 here: http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixMSQL may affect MySQL 5.1. As described in https://www.mysql.com/support/eol-notice.html, Oracle moved MySQL 5.1 to Sustaining Support in December 2013 and is no longer providing patches for it. To continue receiving MySQL security and reliability patches, we recommend that customers running MySQL 5.1 perform a major version upgrade to the latest versions of MySQL 5.5 or 5.6 after testing for application compatibility. More details about performing this upgrade are available here: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeInstance.html.

To give customers more time to test compatibility and perform a major version upgrade, we have released a new minor MySQL 5.1 version, 5.1.73a. This version adds the security fixes for CVE-2014-6491, CVE-2014-6494, CVE-2014-6500 and CVE-2014-6559 to MySQL 5.1.73. MySQL 5.1 RDS instances configured with the best-practice guideline of using restricted-access security groups will be upgraded to MySQL 5.1.73a during their normal maintenance windows between 30 Oct 2014 23:00 UTC and 06 Nov 2014 22:59 UTC. Any RDS instances still configured with security groups that provide unrestricted access from the Internet (ingress rules specifying 0.0.0.0/0) as of 30 Oct 2014 17:00 UTC will be automatically upgraded to 5.1.73a after that time, ahead of their maintenance window. For information on reconfiguring access to RDS instances, please refer to: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html. Users can also upgrade to this minor version at any time before their maintenance window by using the Modify operation: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeInstance.html. Note that this mandatory upgrade will take place even for instances with 'No' selected for the Auto Minor Version Upgrade option.

-------------------------------------------------------------------------------------------------

2014/10/24 5:00PM PDT - Update -

MySQL 5.5 and 5.6 instances with security groups configured to give unrestricted access to the Internet:

All MySQL 5.5 and 5.6 instances that were still configured with unrestricted access (CIDR rule 0.0.0.0/0) from the Internet as of 17 Oct 2014 19:00 UTC have been upgraded to MySQL 5.5.40 and 5.6.21 respectively by 19 Oct 2014.

MySQL 5.5 instances with restricted access from the Internet:

We began upgrading these MySQL 5.5 instances to 5.5.40 during customer-defined maintenance windows on 20 Oct 2014 at 22:30 UTC and will complete these upgrades by 27 Oct 2014 at 22:29 UTC.

MySQL 5.6 instances with restricted access from the Internet:

Upgrades of the 5.6 instances with security groups that are not open to the Internet were originally scheduled to start on 20 Oct 2014. They have not started because we have identified a condition under which MySQL 5.6 read replicas may crash after the upgrade to 5.6.21. This is related to the storage format for date and timestamp columns introduced in MySQL 5.6.4: https://dev.mysql.com/doc/refman/5.6/en/upgrading-from-previous-series.html.

Because of this format change, a MySQL 5.6.21 read replica may crash when it receives a row-logged transaction modifying a date or timestamp column from a MySQL master of any version that was created with (or upgraded from) a MySQL version earlier than 5.6.4. An option to address this issue is documented in the "Known Issues and Limitations" section: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.KnownIssuesAndLimitations.

In addition, because of an incompatibility with how blobs are logged starting in MySQL 5.6.20, customers who wish to modify blobs larger than 12.8 MB will need to adjust their "innodb_log_file_size" parameter to 10 times the size of the largest blob they wish to modify. For information on this change, please see: http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-20.html.

To give customers the benefit of the security updates without encountering the compatibility issues above, we have released a new minor MySQL 5.6 version, 5.6.19a. This version adds the security fixes for CVE-2014-6491, CVE-2014-6494, CVE-2014-6500 and CVE-2014-6559 to MySQL 5.6.19. We will upgrade all MySQL 5.6 instances that are on 5.6.19 or earlier to 5.6.19a in the customer-defined maintenance window between 28 Oct 2014 19:00 UTC and 04 Nov 2014 18:59 UTC. You can also upgrade to this minor version at a time of your choosing before your maintenance window by using the Modify operation: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeInstance.html.

Note that this mandatory upgrade will take place even if you selected 'No' for the Auto Minor Version Upgrade option.

If you have already upgraded your MySQL 5.6 instances to MySQL 5.6.21, please review the "Known Issues and Limitations" section discussed above and if applicable, take the steps described in that section.

-------------------------------------------------------------------------------------------------

On October 16th, Oracle announced security vulnerabilities and associated software patches affecting MySQL 5.5 and 5.6: http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixMSQL. RDS instances following the best practices guideline of using restricted access security groups will be upgraded to MySQL 5.5.40 or 5.6.21, the new versions that have these patches, during their normal maintenance windows. For RDS instances where customers have configured unrestricted access from the Internet (e.g., CIDR rules with suffix /0), we recommend customers immediately change their security groups to restrict inbound access on database ports to only those source IP addresses from which legitimate connections to the database should originate. This will mitigate the security vulnerabilities. For information on reconfiguring the access to your database, please refer to: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html.

To fully address these vulnerabilities, your database instances must be upgraded to either MySQL 5.5.40 or 5.6.21. Amazon RDS will make the new MySQL versions available by 12:00 PM PDT on Friday, 17 Oct 2014. Customers may choose to manually upgrade their instances at that time or wait for the next regular maintenance window during which we will automatically perform the upgrades. At the time of the upgrade, your database instances (either Single-AZ or Multi-AZ) will undergo a reboot and will be unavailable for a few minutes.

Any RDS instances which continue to allow unrestricted access from the Internet by 12:00 PM PDT on Friday, 17 Oct 2014 will be automatically upgraded after that time, ahead of their maintenance window. In addition, 5.5 and 5.6 database instances which have not yet been upgraded by customers, regardless of the state of their security groups, will be upgraded during their maintenance windows between 12:00 PM PDT on Monday, 20 Oct 2014 and 11:59 AM PDT on Monday, 27 Oct 2014. You can upgrade at a time of your choosing before your maintenance window by using the Modify operation. Note that this mandatory upgrade will take place even if you selected 'No' for the Auto Minor Version Upgrade option.
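The bulletin (both the original announcement above and the 5.1 update at the top) asks for two things from each account: find instances whose security groups still admit 0.0.0.0/0 on the database port, and find instances still below the patched minor versions (5.1.73a, 5.5.40, 5.6.19a, 5.6.21). The following Python script is an added example, not part of this bulletin or of any AWS tooling, that applies both checks to data in the shape returned by the EC2 DescribeSecurityGroups and RDS DescribeDBInstances APIs. The group ids, instance names and versions in the sample data are constructed; in practice the two lists would come from boto3's describe_security_groups and describe_db_instances calls.

```python
"""Audit helper for the RDS MySQL bulletin: flag instances reachable from
0.0.0.0/0 on their database port and/or still on an unpatched minor version.
Added example, not AWS code. Dict shapes follow the EC2 DescribeSecurityGroups
and RDS DescribeDBInstances responses; sample data at the bottom is constructed."""
import ipaddress

# Minor versions the bulletin names as carrying the October 2014 fixes.
PATCHED_VERSIONS = {"5.1.73a", "5.5.40", "5.6.19a", "5.6.21"}


def parse_version(version):
    """Split an RDS engine version such as '5.6.19a' into (5, 6, 19, 'a').
    The trailing letter marks an RDS-specific build of that upstream release."""
    major, minor, rest = version.split(".", 2)
    digits = rest.rstrip("abcdefghijklmnopqrstuvwxyz")
    return int(major), int(minor), int(digits), rest[len(digits):]


def is_patched(version):
    """True when the version carries the fixes according to the bulletin.
    5.6.20 is deliberately NOT treated as patched: it sits between the two
    patched 5.6 builds (5.6.19a and 5.6.21) and the bulletin does not list it."""
    if version in PATCHED_VERSIONS:
        return True
    major, minor, patch, _suffix = parse_version(version)
    if (major, minor) == (5, 5):
        return patch >= 40
    if (major, minor) == (5, 6):
        return patch >= 21
    # 5.1 has the fixes only in 5.1.73a (handled above); any other series is
    # outside the bulletin's scope and is reported for manual review.
    return False


def _cidr_is_world(cidr):
    """A /0 prefix (IPv4 or IPv6) means 'any source address'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def open_to_world(sg, db_port):
    """True if any ingress rule in an EC2 security group lets a /0 range reach db_port."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp":
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if not lo <= db_port <= hi:
                continue
        elif proto != "-1":          # '-1' means all protocols and all ports
            continue
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(_cidr_is_world(c) for c in ranges):
            return True
    return False


def audit(instances, security_groups):
    """Return one finding per DB instance with the action the bulletin calls for."""
    groups = {sg["GroupId"]: sg for sg in security_groups}
    findings = []
    for inst in instances:
        port = inst["Endpoint"]["Port"]
        exposed = any(open_to_world(groups[g["VpcSecurityGroupId"]], port)
                      for g in inst.get("VpcSecurityGroups", []))
        patched = is_patched(inst["EngineVersion"])
        if exposed and not patched:
            action = "restrict ingress now; forced upgrade ahead of maintenance window"
        elif not patched:
            action = "upgrade via Modify or wait for maintenance window"
        elif exposed:
            action = "patched; still restrict ingress to known source addresses"
        else:
            action = "ok"
        findings.append({"id": inst["DBInstanceIdentifier"],
                         "exposed": exposed, "patched": patched, "action": action})
    return findings


# Constructed sample data (group ids, instance names and versions are made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000corp", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000any", "IpPermissions": [        # all protocols from anywhere
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "legacy-51", "Engine": "mysql", "EngineVersion": "5.1.73",
     "Endpoint": {"Port": 3306}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0000open"}]},
    {"DBInstanceIdentifier": "prod-56", "Engine": "mysql", "EngineVersion": "5.6.19",
     "Endpoint": {"Port": 3306}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0000corp"}]},
    {"DBInstanceIdentifier": "wide-55", "Engine": "mysql", "EngineVersion": "5.5.40",
     "Endpoint": {"Port": 3306}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0000any"}]},
    {"DBInstanceIdentifier": "done-56", "Engine": "mysql", "EngineVersion": "5.6.21",
     "Endpoint": {"Port": 3306}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0000corp"}]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INSTANCES, SAMPLE_GROUPS):
        print(f"{f['id']:10} exposed={f['exposed']!s:5} patched={f['patched']!s:5} -> {f['action']}")
```

The all-protocols rule (IpProtocol "-1") is checked separately because it carries no port range, so a check that only inspects FromPort/ToPort on tcp rules would miss it; the version check is intentionally strict about 5.6.20, which the bulletin does not name as patched.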

For more information about these vulnerabilities, please visit:

For more information about upgrading your database instance, please visit: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeInstance.html