MySQL Lists are EOL. Please join:

List:Packagers« Previous MessageNext Message »
From:Lenz Grimmer Date:December 27 2002 8:10pm
Subject:MySQL 4.0.7 is released
View as plain text  
Hash: SHA1


MySQL 4.0.7, a new version of the popular Open Source Database, has been
released. It is now available in source and binary form for a number of
platforms from our download pages at and
mirror sites.

Around the time MySQL 4.0.6 was ready to be released to fix the security
vulnerabilities that have been reported to us by eMatters GmbH, we were
informed about another potential security vulnerability. Because the 4.0.6
builds were almost completed at this point, and we wanted to get these out
to fix the already widely known security issues, we decided to resolve
this vulnerability for MySQL 4.0.7 instead and release it immediately
after MySQL 4.0.6.

Users that use previous versions of MySQL 4.0 in an untrusted multi-user
environment (e.g. ISPs providing database hosting) are encouraged to
update to MySQL 4.0.7 as soon as possible.

Please note, that this new vulnerability does only affect MySQL 4.0 -
MySQL 3.23 is not affected by this bug.

A short description of the vulnerability:

 o MySQL 4.0 did not properly check the user's privileges when receiving
   the (deprecated) client function call mysql_drop_db() to drop the
   specified database.
 o This allowed any user to arbitrary drop any database, if he was able
   to log in as a valid user and his MySQL client application used the
   obsolete mysql_drop_db() function call instead of the "DROP DATABASE"
   SQL statement.
 o When using "DROP DATABASE", the user's privileges were always verified
   correctly before dropping the database.
 o This bug can not be exploited without a valid MySQL user account -
   it is not possible for an anonymous remote attacker to perform this
 o So far, we are only aware of one client application that still uses
   this function call.
 o The "mysql" client application provided with the MySQL distribution
   as well as the MySQL Control Center cannot be used to exploit this
 o No data was compromised from other users' databases - this bug did not
   affect the privileges required to actually read data from other
   databases or tables.
 o If logging was enabled (e.g. by using the "--log" or "--log-bin"
   command line switches), the operation was also logged by the MySQL
   server, including the user and host name (if "--log" was used).

We would like to thank Gary Huntress for making us aware of this problem.

News from the MySQL 4.0.7 ChangeLog:

Functionality added or changed:

 * `mysqlbug' now also reports the compiler version used for building
   the binaries (if the compiler supports the option `--version').

Bugs fixed:

 * Fixed compilation problems on OpenUnix and HPUX 10.20.

 * Fixed some optimisation problems when compiling MySQL with
   `-DBIG_TABLES' on a 32 bit system.

 * `mysql_drop_db()' didn't check permissions properly so anyone could
   drop another users database.  `DROP DATABASE' is checked properly.

Additional notes:

 * It is quite possible that not all mirror sites have picked up
   the Linux RPM packages yet, because the were added some time after
   the other binary packages.

 * Due to a hardware failure, we are currently unable to provide
   Solaris 2.7 binaries - we apologize for any inconveniences that
   may cause you. Some users reported, that the Solaris 2.8 package
   worked for them on Solaris 2.7, too - so you might want to give
   that a try. We are working on setting up a new Solaris 2.7 build
   system and hope to have it available for future releases again.

Happy New Year!

- -- 
For technical support contracts, visit
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /      Mr. Lenz Grimmer <lenz@stripped>
 / /|_/ / // /\ \/ /_/ / /__     MySQL AB, Production Engineer
/_/  /_/\_, /___/\___\_\___/     Hamburg, Germany
Version: GnuPG v1.2.0 (GNU/Linux)
Comment: For info see


MySQL 4.0.7 is releasedLenz Grimmer27 Dec