[CentOS-announce] CEEA-2016:0517 CentOS 5 tzdata Enhancement Update

2016-03-24 Thread Johnny Hughes
CentOS Errata and Enhancement Advisory 2016:0517 Upstream details at : https://rhn.redhat.com/errata/RHEA-2016-0517.html The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) i386:

[CentOS-announce] CEEA-2016:0517 CentOS 6 tzdata Enhancement Update

2016-03-24 Thread Johnny Hughes
CentOS Errata and Enhancement Advisory 2016:0517 Upstream details at : https://rhn.redhat.com/errata/RHEA-2016-0517.html The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) i386:

[CentOS-announce] CESA-2016:0511 Critical CentOS 6 java-1.7.0-openjdk Security Update

2016-03-24 Thread Johnny Hughes
CentOS Errata and Security Advisory 2016:0511 Critical Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-0511.html The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) i386:

[CentOS] Compatible 5GHz wifi usb dongles?

2016-03-24 Thread Nux!
Hi, Can anyone recommend a 5GHz usb wifi dongle that works out of the box with CentOS? Tried various Mediatek (0e8d:7610) %(*^ off amazon/ebay, without any luck, so please don't suggest that. Thanks! -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro

Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread Always Learning
On Thu, 2016-03-24 at 18:15 -0500, g wrote: > > On 03/24/16 12:58, Always Learning wrote: > >> //set user agent to blank > >> user_pref("general.useragent.override", " "); > > > > This can also be set, in Firefox, using about:config > > Right-click new string, etc. > such is not

Re: [CentOS] firewalld question

2016-03-24 Thread Fred Smith
On Thu, Mar 24, 2016 at 06:39:37PM -0400, Matthew Miller wrote: Thanks for the info, Matthew! Fred > On Thu, Mar 24, 2016 at 02:01:55PM -0400, Fred Smith wrote: > > I'm wondering if it is possible to have Centos-7 automatically change > > firewall zones, depending on the network we connect to. >

Re: [CentOS] firewalld question

2016-03-24 Thread Fred Smith
On Thu, Mar 24, 2016 at 09:18:16PM +, James Hogarth wrote: Thanks, James, that looks pretty good. I'll look into it and probably give it a try. Fred > On 24 March 2016 at 18:01, Fred Smith wrote: > > > Hi all! > > > > I'm wondering if it is possible to have

Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread g
On 03/24/16 12:58, Always Learning wrote: > On Thu, 2016-03-24 at 10:56 -0500, g wrote: > >>> See the EFF testing site for more details: >>> >>> > >> aware of panopticlick. > > It states (calculator needed) > > 11.6% of browsers have time zone 0 (GMT) > 10.0%

Re: [CentOS] firewalld question

2016-03-24 Thread Matthew Miller
On Thu, Mar 24, 2016 at 02:01:55PM -0400, Fred Smith wrote: > I'm wondering if it is possible to have Centos-7 automatically change > firewall zones, depending on the network we connect to. The way to do this is changing the zone for the network in NetworkManager. (This works easily for wifi

Re: [CentOS] firewalld question

2016-03-24 Thread James Hogarth
On 24 March 2016 at 18:01, Fred Smith wrote: > Hi all! > > I'm wondering if it is possible to have Centos-7 automatically change > firewall zones, depending on the network we connect to. > > my default zone is "home" and it has some ports open that probably >

Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread Leon Fauster
Am 24.03.2016 um 16:56 schrieb g : > On 03/24/16 09:29, Richard wrote: >>> Date: Thursday, March 24, 2016 14:10:41 + >>> From: Always Learning >>> On Wed, 2016-03-23 at 22:29 -0700, Alice Wonder wrote: >>> >>> >>> Spread the successful Centos 'brand

Re: [CentOS-virt] KVM networking issue

2016-03-24 Thread Kevin Ross
Thanks, Mike. When running tcpdump on the VM I'm not seeing traffic unless it's explicitly intended for that particular VM, so no traffic between the other VMs is getting forwarded from the virtual interface to the "network appliance" VM. There is connectivity between the VMs on the private

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Александр Кириллов
Indeed. There are several flaws in how mysql handles data. This is why to the best of my ability I am trying to avoid mysql, and use postgresql if whatever chunk of software I need is designed to work also with postgresql. And I recommend developers I work with/for the same (to use postgresql).

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread m . roth
John, John R Pierce wrote: > On 3/24/2016 7:48 AM, m.r...@5-cent.us wrote: >> We seem to be moving to postgresql. I find I do not like it - it's much >> more of a pain to work with than mysql is. Do you have any opinions >> about Maria d/b? Are there improvements over the flaws you're aware >> of

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread John R Pierce
On 3/24/2016 7:48 AM, m.r...@5-cent.us wrote: We seem to be moving to postgresql. I find I do not like it - it's much more of a pain to work with than mysql is. Do you have any opinions about Maria d/b? Are there improvements over the flaws you're aware of with mysql? and I find mysql a real

[CentOS] firewalld question

2016-03-24 Thread Fred Smith
Hi all! I'm wondering if it is possible to have Centos-7 automatically change firewall zones, depending on the network we connect to. my default zone is "home" and it has some ports open that probably shouldn't be open when I'm on someone else's network. so I'm thinking that if there's a way to

Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread Always Learning
On Thu, 2016-03-24 at 10:56 -0500, g wrote: > > See the EFF testing site for more details: > > > > > aware of panopticlick. It states (calculator needed) 11.6% of browsers have time zone 0 (GMT) 10.0% of browsers have "Linux x86_64" (note this excludes

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Gordon Messmer
On 03/24/2016 10:13 AM, Always Learning wrote: I have never (not once) used non-prepared SQL statements, nor string concatenation, nor sprintf. Perfect! mysql_real_escape_string() is useful for storing in tables words with apostrophes. You shouldn't need to escape anything if you're using

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread m . roth
Valeri Galtsev wrote: > > On Thu, March 24, 2016 10:32 am, Alice Wonder wrote: >> On 03/24/2016 08:28 AM, m.r...@5-cent.us wrote: > Ok, do you have a link or two to info about that? Mark, you seemed to snip away the link to presentation on youtube :

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Always Learning
On Thu, 2016-03-24 at 09:40 -0700, Gordon Messmer wrote: > Just to be clear: you absolutely should upgrade to a currently > maintained version of MySQL. Agreed. It's going to be rainy in England this Easter weekend, so am contemplating upgrading the last production C5 to C6. > However,

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Always Learning
On Thu, 2016-03-24 at 09:18 -0700, Gordon Messmer wrote: > On 03/24/2016 07:57 AM, Always Learning wrote: > > I should have imposed strict controls on the length of > > parameters passed to programmes via web pages $_GET[] such as... > > and reject any incoming string containing ' or " in

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Gordon Messmer
On Thu, Mar 24, 2016 at 9:08 AM, Always Learning wrote: >> I can't stress enough, mysql-5.0 on el5 is absolutely not updated >> security wise. > > Thanks. Reading it now. Just to be clear: you absolutely should upgrade to a currently maintained version of MySQL. However,

Re: [CentOS-virt] KVM networking issue

2016-03-24 Thread Mike - st257
On Tue, Mar 22, 2016 at 1:57 PM, Kevin Ross wrote: > Hi Mike, > > Thanks for the info. I'd rather run monitoring such as tcpdump from > the VM if possible and not the host as a simulation of a network > Then run tcpdump on the VM. Same command or commands you'd have ran on

Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread g
now i goofed. :-\ On 03/24/16 11:13, g wrote: <<<>>> > aware of panopticlick. > > if you have a file in profile directory, > -- above should read; if you have file "user.js" in profile directory, > add this to it. if not, > create file and paste this in it. > > //set user agent to blank

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Gordon Messmer
On 03/24/2016 07:57 AM, Always Learning wrote: I should have imposed strict controls on the length of parameters passed to programmes via web pages $_GET[] such as... and reject any incoming string containing ' or " in addition to PHP's strip_tags and (deprecated in later versions)

Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread g
resend. yuckahoo bounced another post. On 03/24/16 09:29, Richard wrote: >> Date: Thursday, March 24, 2016 14:10:41 + >> From: Always Learning >> On Wed, 2016-03-23 at 22:29 -0700, Alice Wonder wrote: >> >>> What purpose does it serve? I don't object to it being there

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Valeri Galtsev
On Thu, March 24, 2016 10:28 am, m.r...@5-cent.us wrote: > Valeri Galtsev wrote: >> >> On Thu, March 24, 2016 9:48 am, m.r...@5-cent.us wrote: >>> Valeri Galtsev wrote: On Wed, March 23, 2016 10:21 pm, Always Learning wrote: > mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Always Learning
On Thu, 2016-03-24 at 10:48 -0500, Johnny Hughes wrote: > I guarantee that the 5.0.95 packages have security issues. Here is how > to move to the newer mysql55 packages: > > http://red.ht/1pAcb7q > > I can't stress enough, mysql-5.0 on el5 is absolutely not updated > security wise. The last

Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread g
On 03/24/16 09:29, Richard wrote: >> Date: Thursday, March 24, 2016 14:10:41 + >> From: Always Learning >> On Wed, 2016-03-23 at 22:29 -0700, Alice Wonder wrote: >> >>> What purpose does it serve? I don't object to it being there >>> but I also don't see a benefit to it

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Johnny Hughes
On 03/24/2016 10:48 AM, Johnny Hughes wrote: > On 03/24/2016 03:54 AM, Leon Fauster wrote: >> Am 24.03.2016 um 04:21 schrieb Always Learning : >>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using >>> readline 5.1 >> >> >> >> Current version on C5 is mysql55,

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Johnny Hughes
On 03/24/2016 03:54 AM, Leon Fauster wrote: > Am 24.03.2016 um 04:21 schrieb Always Learning : >> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using >> readline 5.1 > > > > Current version on C5 is mysql55, 5.0 does not get any updates anymore! > Let me

Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread g
On 03/24/16 09:10, Always Learning wrote: > On Wed, 2016-03-23 at 22:29 -0700, Alice Wonder wrote: > >> What purpose does it serve? I don't object to it being there >> but I also don't see a benefit to it being there. >> >> Ubuntu btw is not exactly a distribution I want RHEL/EPEL/CentOS >>

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Valeri Galtsev
On Thu, March 24, 2016 10:32 am, Alice Wonder wrote: > On 03/24/2016 08:28 AM, m.r...@5-cent.us wrote: >> Valeri Galtsev wrote: >>> >>> On Thu, March 24, 2016 9:48 am, m.r...@5-cent.us wrote: Valeri Galtsev wrote: > On Wed, March 23, 2016 10:21 pm, Always Learning wrote: >> mysql

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Valeri Galtsev
On Thu, March 24, 2016 9:48 am, m.r...@5-cent.us wrote: > Valeri Galtsev wrote: >> On Wed, March 23, 2016 10:21 pm, Always Learning wrote: >>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using >>> readline 5.1 > > >> Indeed. There are several flaws in how mysql handles data.

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Alice Wonder
On 03/24/2016 08:28 AM, m.r...@5-cent.us wrote: Valeri Galtsev wrote: On Thu, March 24, 2016 9:48 am, m.r...@5-cent.us wrote: Valeri Galtsev wrote: On Wed, March 23, 2016 10:21 pm, Always Learning wrote: mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using readline 5.1 >

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread m . roth
Valeri Galtsev wrote: > > On Thu, March 24, 2016 9:48 am, m.r...@5-cent.us wrote: >> Valeri Galtsev wrote: >>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote: mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using readline 5.1 >> > >>> Indeed. There are several

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Always Learning
On Thu, 2016-03-24 at 08:00 -0700, Alice Wonder wrote: > I would shift to CentOS 7. With the, among others, systemd controversy I dread moving to C7. C6 works well and having just one version of an operating system simplifies everything. I also lack sufficient time to explore and learn the

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Always Learning
On Thu, 2016-03-24 at 14:27 +0300, Александр Кириллов wrote: > This is obviously an application level problem. What is this php file? > You should upgrade wordpress and remove or block access to the plugin or > custom page which allows sql injections. Yes, my mistake. I should have imposed

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Alice Wonder
On 03/24/2016 07:33 AM, Always Learning wrote: *snip* Thank you. That server is the last production server on C5. I need to shift it to C6 and Maria 10. I am 'always learning' security is a perpetual task. Thankfully I always read the daily logs and reports (an arduous task). Many thanks.

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Always Learning
On Thu, 2016-03-24 at 04:08 -0700, Alice Wonder wrote: > Always use parameterized statements (aka prepared statements) for SQL > that involves untrusted input. > > I like to use them even for input that involves trusted input because it > is easy to make a change in my code and not think

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread m . roth
Valeri Galtsev wrote: > On Wed, March 23, 2016 10:21 pm, Always Learning wrote: >> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using >> readline 5.1 > > Indeed. There are several flaws in how mysql handles data. This is why to Ok, do you have a link or two to info about that?

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Valeri Galtsev
On Wed, March 23, 2016 10:21 pm, Always Learning wrote: > mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using > readline 5.1 > > > I spotted something strange and immediately installed a routine to > automatically impose an iptables block when the key used for database > access

Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread Richard
> Date: Thursday, March 24, 2016 14:10:41 + > From: Always Learning > > On Wed, 2016-03-23 at 22:29 -0700, Alice Wonder wrote: > >> What purpose does it serve? I don't object to it being there >> but I also don't see a benefit to it being there. >> >> Ubuntu btw is

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Alice Wonder
On 03/24/2016 04:53 AM, Александр Кириллов wrote: Be careful with WordPress - its database handler doesn't actually use parameterized statements, it emulates them with printf - one (of many) reasons I do not like the product. This is a rather controversial statement. There's nothing wrong

Re: [CentOS] Centos in the Browser string ?

2016-03-24 Thread Always Learning
On Wed, 2016-03-23 at 22:29 -0700, Alice Wonder wrote: > What purpose does it serve? I don't object to it being there > but I also don't see a benefit to it being there. > > Ubuntu btw is not exactly a distribution I want RHEL/EPEL/CentOS > developers to emulate... Spread the successful

[CentOS] CentOS-announce Digest, Vol 133, Issue 11

2016-03-24 Thread centos-announce-request
Send CentOS-announce mailing list submissions to centos-annou...@centos.org To subscribe or unsubscribe via the World Wide Web, visit https://lists.centos.org/mailman/listinfo/centos-announce or, via email, send a message with subject or body 'help' to

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Александр Кириллов
Be careful with WordPress - its database handler doesn't actually use parameterized statements, it emulates them with printf - one (of many) reasons I do not like the product. This is a rather controversial statement. There's nothing wrong with using sprintf when building sql queries. Besides

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Александр Кириллов
This is obviously an application level problem. What is this php file? You should upgrade wordpress and remove or block access to the plugin or custom page which allows sql injections. ___ CentOS mailing list CentOS@centos.org

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Alice Wonder
On 03/23/2016 08:21 PM, Always Learning wrote: mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using readline 5.1 I spotted something strange and immediately installed a routine to automatically impose an iptables block when the key used for database access is excessively long.

Re: [CentOS] C5 MySQL injection attack ("Union Select")

2016-03-24 Thread Leon Fauster
Am 24.03.2016 um 04:21 schrieb Always Learning : > mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using > readline 5.1 Current version on C5 is mysql55, 5.0 does not get any updates anymore! -- LF