MySQL and PHP 5 Security Updates

Posted February 2nd, 2008 in Tech Corner. Tags: , , , , .

We’ve installed MySQL and PHP 5 security updates. Customers should not notice any changes; the updates just fix several security issues in PHP 5 and MySQL.

The updates were performed in such a way that new Web server connections were delayed during the 30 seconds or so that PHP and MySQL were unavailable on each server. That should mean that as far as scripts on your Web site were concerned, there was zero downtime.

Since this is “Tech Corner”… If you’re curious how to do “zero downtime” upgrades on Linux, you can use iptables. Something like this works on Debian for MySQL:

iptables -I INPUT -p tcp -m multiport --syn --dports 80,443 -j DROP
apt-get install mysql-server-5.0
iptables -D INPUT -p tcp -m multiport --syn --dports 80,443 -j DROP

The dropping of SYN packets blocks new Web connections (and therefore new MySQL queries) without interrupting existing ones. Since we use DROP instead of REJECT, the client’s Web browser doesn’t show an immediate error; it keeps retrying.

The upgrade process then takes about 15 seconds to actually stop MySQL (assuming you’ve already downloaded the package), which is enough time for existing connections to finish up. It then takes another 15 seconds or so to install the upgrade and restart MySQL.

Finally, removing the iptables rule allows the pending Web connections to succeed. Since the whole thing took only about 30 seconds, it shouldn’t cause a browser error — to the visitor, it just seems like a page took longer than normal to display. A slow page load is obviously an annoyance (and we normally only do this kind of upgrade in the wee hours of weekends to minimize that annoyance), but it’s much better than a visitor receiving a “database connection failed” error when they try to place an order on your online store, etc.

By the way, the above example doesn’t cover the possibility that MySQL connections could be opened by non-Web processes like cron jobs, and it doesn’t handle connections that take longer than 15 seconds to finish. You could automate this with a little shell scripting that queries MySQL to see if all connections are closed, but we just watch it from a different terminal window to make sure.

  1. Recent Posts

    1. PHP versions 8.1.28, 8.2.18, and 8.3.6
    2. PHP versions 8.2.17 and 8.3.4
    3. President’s Day 2024 holiday hours
    4. PHP versions 8.1.27 and 8.2.15
    5. Martin Luther King, Jr. Day 2024 holiday hours
    6. New Year’s 2024 Holiday Hours
    7. Christmas 2023 Holiday Hours
    8. Brief scheduled maintenance December 16-17, 2023
    9. Thanksgiving 2023 Holiday Hours
    10. PHP versions 8.1.25 and 8.2.12

  2. Categories

  3. Tags

    all servers email holiday hours linux mailman maintenance mod_security mysql network php phpmyadmin security server updates spam ssl status updates webmail wordpress zapp

  4. Feeds