List: Packagers
From: Hsiao Ketung Contr 61 CS/SCBN
Date: December 27 2002 9:00pm
Subject: RE: MySQL 4.0.7 is released

I'm a new user to MySQL and I've just started to download and install

I've a question:
Does each version of MySQL have binary AND src versions for installation?
I've been to for MySQL 4.0.7 and I found
binary version only.

Do the majority of MySQL users use the binary version?
Who would have the need to use the src version of installation?
I imagine that the src version gives users more options for customizing MySQL.

I'm installing MySQL for use with vbulletin software from
I'm concerned whether I should install the binary or src version of MySQL.

-----Original Message-----
From: Lenz Grimmer [mailto:lenz@stripped]
Sent: Friday, December 27, 2002 12:11 PM
To: announce@stripped
Cc: mysql@stripped; packagers@stripped
Subject: MySQL 4.0.7 is released


MySQL 4.0.7, a new version of the popular Open Source Database, has been
released. It is now available in source and binary form for a number of
platforms from our download pages at and
mirror sites.

Around the time MySQL 4.0.6 was ready to be released to fix the security
vulnerabilities that have been reported to us by eMatters GmbH, we were
informed about another potential security vulnerability. Because the 4.0.6
builds were almost completed at this point, and we wanted to get these out
to fix the already widely known security issues, we decided to resolve
this vulnerability for MySQL 4.0.7 instead and release it immediately
after MySQL 4.0.6.

Users that use previous versions of MySQL 4.0 in an untrusted multi-user
environment (e.g. ISPs providing database hosting) are encouraged to
update to MySQL 4.0.7 as soon as possible.

Please note that this new vulnerability only affects MySQL 4.0 -
MySQL 3.23 is not affected by this bug.

A short description of the vulnerability:

 o MySQL 4.0 did not properly check the user's privileges when receiving
   the (deprecated) client function call mysql_drop_db() to drop the
   specified database.
 o This allowed any user to arbitrarily drop any database, if he was able
   to log in as a valid user and his MySQL client application used the
   obsolete mysql_drop_db() function call instead of the "DROP DATABASE"
   SQL statement.
 o When using "DROP DATABASE", the user's privileges were always verified
   correctly before dropping the database.
 o This bug cannot be exploited without a valid MySQL user account -
   it is not possible for an anonymous remote attacker to perform this
 o So far, we are only aware of one client application that still uses
   this function call.
 o The "mysql" client application provided with the MySQL distribution
   as well as the MySQL Control Center cannot be used to exploit this
 o No data was compromised from other users' databases - this bug did not
   affect the privileges required to actually read data from other
   databases or tables.
 o If logging was enabled (e.g. by using the "--log" or "--log-bin"
   command line switches), the operation was also logged by the MySQL
   server, including the user and host name (if "--log" was used).

We would like to thank Gary Huntress for making us aware of this problem.

News from the MySQL 4.0.7 ChangeLog:

Functionality added or changed:

 * `mysqlbug' now also reports the compiler version used for building
   the binaries (if the compiler supports the option `--version').

Bugs fixed:

 * Fixed compilation problems on OpenUnix and HPUX 10.20.

 * Fixed some optimisation problems when compiling MySQL with
   `-DBIG_TABLES' on a 32 bit system.

 * `mysql_drop_db()' didn't check permissions properly so anyone could
   drop another user's database.  `DROP DATABASE' is checked properly.

Additional notes:

 * It is quite possible that not all mirror sites have picked up
   the Linux RPM packages yet, because they were added some time after
   the other binary packages.

 * Due to a hardware failure, we are currently unable to provide
   Solaris 2.7 binaries - we apologize for any inconvenience that
   may cause you. Some users reported that the Solaris 2.8 package
   worked for them on Solaris 2.7, too - so you might want to give
   that a try. We are working on setting up a new Solaris 2.7 build
   system and hope to have it available for future releases again.

Happy New Year!

- -- 
For technical support contracts, visit
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /      Mr. Lenz Grimmer <lenz@stripped>
 / /|_/ / // /\ \/ /_/ / /__     MySQL AB, Production Engineer
/_/  /_/\_, /___/\___\_\___/     Hamburg, Germany
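
Added example (not part of the original thread and not MySQL's own code): the announcement says that with "--log" enabled the server recorded the drop together with the user and host name. The sketch below scans a constructed general-log sample for drops issued through the protocol command rather than the "DROP DATABASE" statement. The log layout, the "Drop DB" command label and the `owners` mapping are assumptions made for illustration.

```python
import re

# Constructed sample in the assumed general query log (--log) layout:
# optional timestamp, connection id, command name, argument.
SAMPLE_LOG = """\
021227 12:10:58       7 Connect     alice@web1.example.test on shop
                      7 Query       DROP DATABASE scratch
021227 12:11:03       8 Connect     bob@10.0.0.5 on bobdb
                      8 Drop DB     shop
                      7 Quit
021227 12:11:09       9 Connect     carol@localhost on caroldb
                      9 Drop DB     caroldb
"""

# Hypothetical mapping of account name -> databases it is allowed to drop.
# In practice this would be derived from the server's grant tables.
OWNERS = {"alice": {"shop", "scratch"}, "bob": {"bobdb"}, "carol": {"caroldb"}}

LINE = re.compile(r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+"
                  r"(Connect|Drop DB|Query|Quit)\s*(.*)$")

def find_protocol_drops(log_text, owners):
    """Return (account, database, authorized) for every 'Drop DB' command.

    SQL 'DROP DATABASE' statements appear as Query lines and are skipped:
    per the announcement their privileges were always checked correctly.
    """
    sessions = {}  # connection id -> "user@host" taken from its Connect line
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        conn_id, command, arg = m.group(1), m.group(2), m.group(3).strip()
        if command == "Connect":
            sessions[conn_id] = arg.split()[0]
        elif command == "Quit":
            sessions.pop(conn_id, None)
        elif command == "Drop DB":
            account = sessions.get(conn_id, "unknown")
            user = account.split("@")[0]
            hits.append((account, arg, arg in owners.get(user, set())))
    return hits

def unauthorized_drops(log_text, owners):
    """Keep only drops of databases the account had no right to drop."""
    return [(a, db) for a, db, ok in find_protocol_drops(log_text, owners) if not ok]

if __name__ == "__main__":
    for account, db in unauthorized_drops(SAMPLE_LOG, OWNERS):
        print(f"review: {account} dropped '{db}' via protocol command")
```
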