List: Packagers
From:Lenz Grimmer Date:March 11 2005 4:44pm
Subject:MySQL 4.1.10a has been released


MySQL 4.1.10a, a new version of the popular Open Source/Free Software 
Database Management System, has been released. It is now available in 
source and binary form for a number of platforms from our download pages 
at and mirror sites.

Note that not all mirror sites may be up to date at this point in time -
if you can't find this version on some mirror, please try again later or
choose another download site.

This MySQL 4.1.10a release just includes the additional patches for 
recently reported potential security vulnerabilities in the creation of 
temporary table file names and the handling of User Defined Functions 
(UDFs). We would like to thank Stefano Di Paola <stefano.dipaola@stripped> 
for finding and reporting these to us.

Please note that these changes affect the way in which User Defined 
Functions (UDF) are loaded. Please refer to the section "User-defined 
Function Security Precautions" in the manual:

Functionality added or changed relative to 4.1.10:

   * Security improvement: The server creates `.frm', `.MYD', `.MYI',
     `.MRG', `.ISD', and `.ISM' table files only if a file with the
     same name does not already exist.

   * Security improvement: User-defined functions should have at least
     one symbol defined in addition to the `xxx' symbol that
     corresponds to the main `xxx()' function.  These auxiliary symbols
     correspond to the `xxx_init()', `xxx_deinit()', `xxx_reset()',
     `xxx_clear()', and `xxx_add()' functions.  `mysqld' by default no
     longer loads UDFs unless they have at least one auxiliary symbol
     defined in addition to the main symbol.
     The `--allow-suspicious-udfs' option controls
     whether UDFs that have only an `xxx' symbol can be loaded.  By
     default, the option is off.  `mysqld' also checks UDF filenames
     when it reads them from the `mysql.func' table and rejects those
     that contain directory pathname separator characters. (It already
     checked names as given in `CREATE FUNCTION' statements.)
     See the section in the manual on writing UDFs.

-- 
 Lenz Grimmer <lenz@stripped>
 Senior Production Engineer
 MySQL GmbH,
 Hamburg, Germany
 Are you MySQL certified?
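
The UDF loading rules from the change list above, sketched as an added example that is not part of the original announcement and is not MySQL's own code. The function and verdict names, the symbol list passed in as an array instead of being read from the library, the main-symbol check, and the separator set are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Verdict names are this example's own, not MySQL identifiers. */
enum udf_verdict { UDF_OK, UDF_BAD_PATH, UDF_NO_MAIN_SYMBOL, UDF_NO_AUX_SYMBOL };

/* Auxiliary suffixes listed in the announcement. */
static const char *const aux_suffix[] =
    { "_init", "_deinit", "_reset", "_clear", "_add" };

static int has_symbol(const char *const *syms, size_t n, const char *want)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(syms[i], want) == 0)
            return 1;
    return 0;
}

/* name: SQL function name; dl: library name as stored in mysql.func;
   syms: exported symbols, passed in as constructed input (assumption). */
enum udf_verdict udf_load_check(const char *name, const char *dl,
                                const char *const *syms, size_t n,
                                int allow_suspicious_udfs)
{
    char want[256];

    /* Separator set (slash and backslash) is an assumption of this example. */
    if (strpbrk(dl, "/\\") != NULL)
        return UDF_BAD_PATH;
    if (!has_symbol(syms, n, name))
        return UDF_NO_MAIN_SYMBOL;
    if (allow_suspicious_udfs)
        return UDF_OK;           /* only the main symbol is required */
    for (size_t i = 0; i < sizeof aux_suffix / sizeof aux_suffix[0]; i++) {
        snprintf(want, sizeof want, "%s%s", name, aux_suffix[i]);
        if (has_symbol(syms, n, want))
            return UDF_OK;
    }
    return UDF_NO_AUX_SYMBOL;    /* default: refuse a lone main symbol */
}

int main(void)
{
    /* Constructed symbol list for a library exporting only myfunc. */
    const char *const lone[] = { "myfunc" };
    printf("default: %d, with option: %d\n",
           udf_load_check("myfunc", "udf_example.so", lone, 1, 0),
           udf_load_check("myfunc", "udf_example.so", lone, 1, 1));
    return 0;
}
```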