I will be speaking at the Converge Security Conference on July 14th on MySQL 5.7 security. There were many changes in 5.7 and it has been very hard to get the majority of those changes into a forty-minute presentation. And that is with just scratching the surface of the new encryption for InnoDB. If you are attending please say 'hi'!
MySQL 5.7.4 has added two fields to the mysql.user table: password_last_changed, a timestamp, and password_lifetime, a small but unsigned integer. Several blogs ago I started to cobble together a password expiration tracking script before these two columns were added. I could see three ways of tracking expired passwords, but none of them were palatable. Todd Farmer was working on a similar idea.
So when you run mysql_upgrade after upgrading to 5.7.4, you will find these two new columns. The password_last_changed will be set to the time you ran the upgrade and password_lifetime will be set to null.
You can set a global password lifetime policy in the options file.
So 180 is about six months and zero would set a never expire policy.
ALTER USER 'dave'@'localhost' PASSWORD EXPIRE INTERVAL 90 DAY;
ALTER USER 'john'@'localhost' PASSWORD EXPIRE NEVER;
ALTER USER 'jane'@'localhost' PASSWORD EXPIRE DEFAULT;
Beware of bugs in the above code; I have only proved it correct, not tried it.
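With the two new columns, an expiration report becomes a single query. The following is an added example, not code from the original post: it assumes MySQL 5.7.4 or later, an account allowed to read mysql.user, the default_password_lifetime system variable as the global policy, and a 14-day warning window chosen only for illustration.

```sql
-- Added example: report the password expiration status of every account.
-- A NULL password_lifetime means the account follows the global policy,
-- so fall back to @@global.default_password_lifetime (0 = never expire).
SELECT
    acct.user,
    acct.host,
    acct.password_last_changed,
    acct.lifetime_days,
    -- No expiry date when the effective lifetime is 0 (never expires)
    IF(acct.lifetime_days = 0,
       NULL,
       acct.password_last_changed + INTERVAL acct.lifetime_days DAY) AS expires_at,
    CASE
        -- Flag set by ALTER USER ... PASSWORD EXPIRE
        WHEN acct.password_expired = 'Y' THEN 'EXPIRED (flag set)'
        WHEN acct.lifetime_days = 0 THEN 'NEVER EXPIRES'
        WHEN acct.password_last_changed IS NULL THEN 'UNKNOWN (no change time)'
        WHEN acct.password_last_changed + INTERVAL acct.lifetime_days DAY <= NOW()
            THEN 'EXPIRED (too old)'
        -- 14 days is an assumed warning window, adjust to local policy
        WHEN acct.password_last_changed + INTERVAL acct.lifetime_days DAY
             <= NOW() + INTERVAL 14 DAY
            THEN 'EXPIRES SOON'
        ELSE 'OK'
    END AS status
FROM (
    SELECT
        user,
        host,
        password_expired,
        password_last_changed,
        COALESCE(password_lifetime,
                 @@global.default_password_lifetime) AS lifetime_days
    FROM mysql.user
) AS acct
-- Accounts that never expire sort last; otherwise the soonest expiry is first
ORDER BY
    acct.lifetime_days = 0,
    acct.password_last_changed + INTERVAL acct.lifetime_days DAY;
```

Because mysql_upgrade sets password_last_changed to the time of the upgrade, every pre-existing account reports the same starting date on the first run.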
Bugs in software are a fact of life. MySQL, as part of Oracle, issues Critical Patch Updates and Security Alerts notices. You may have seen Daniel van Eeden's blog on the January announcement.
For MySQL 5.6 you should upgrade to 5.6.15
For MySQL 5.5 you should upgrade to 5.5.35
For MySQL 5.1 you should upgrade to 5.1.73
But you probably missed the executive summary.
But how do YOU get this information when it becomes available? Subscribe here for Critical Patch Update Alert E-mails. You will need an Oracle Technology Network account (free) and please note that there is more than just MySQL information in the alerts as it covers all Oracle products. It will take you just a few moments to sign up.