-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Christian,
thanks for your message!
On Tue, 28 Mar 2006, Christian Hammers wrote:
> I've just got aware of the following security issue:
>
> CVE-2006-0903
> "MySQL 5.0.18 and earlier allows local users to bypass logging
> mechanisms via SQL queries that contain the NULL character,
> which are not properly handled by the mysql_real_query function."
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0903
>
> As http://bugs.mysql.com/ does currently not respond I cannot lookup
> the corresponding MySQL bug report. Does anybody know if this issue
> exists in 4.0 and 4.1 and if so, if patches exists that could be used
> in the distributions security advisories?
>
> BTW: I cannot find a reference to this in the official Changelog neither?
This one never came through to us via security@stripped. However, there is
a related bug report here: http://bugs.mysql.com/bug.php?id=17667 - a patch
has been commited and will be included in upcoming releases.
Note that this only affects the general (plaintext) log, not the binary log.
Bye,
LenZ
- --
Lenz Grimmer <lenz@stripped>
Community Relations Manager, EMEA
MySQL GmbH, http://www.mysql.de/, Hamburg, Germany
MySQL Users Conference 2006 (Santa Clara CA, 24-27 April) - http://www.mysqluc.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/
iD8DBQFELWVxSVDhKrJykfIRAjCgAJ0Uan4dfSUrQTka/zVL9qM6wdXFiwCeNOMe
TTRqWcFyaldnzvv291uIrdM=
=AElD
-----END PGP SIGNATURE-----
