MySQL 5.0.91 Source Update

Bug #583972 reported by BJ Dierkes
Affects | Status | Importance | Assigned to | Milestone
IUS Community Project | Fix Released | Critical | BJ Dierkes |

Bug Description

Dear MySQL users,

MySQL Community Server 5.0.91, a new version of the popular Open Source
Database Management System, has been released.
Please note that the active maintenance of 5.0 has ended, and these
community builds are only provided because of the fixes to security bugs
# 50974, 53237, and 53371 as described below.

The release is now available in source and binary form for a number of
platforms from our archive download page at

  http://downloads.mysql.com/archives.php?p=mysql-5.0&v=5.0.91

Mirror service for MySQL server 5.0 has ended.
Also, support for some platforms with very low demand has ended.

Please bear in mind that MySQL 5.0 now receives extended support only,
and that all active development is happening on MySQL 5.1, 5.5, and
beyond. You will find the MySQL Lifecycle policy here:

   http://www.mysql.de/about/legal/lifecycle/

For your own best interest, we strongly recommend all current users of
MySQL 5.0 to upgrade to either MySQL 5.1 (current production release) or
MySQL 5.5 (pre-production release, adding new features in beta quality).

We welcome and appreciate your feedback, bug reports, bug fixes,
patches etc.:

   http://forge.mysql.com/wiki/Contributing

This section documents all changes and bugfixes that have been
applied since the last MySQL Community Server release (5.0.90).

   http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html

If you would like to receive more fine-grained and personalized
update alerts about fixes that are relevant to the version and
features you use, please consider subscribing to MySQL Enterprise
(a commercial MySQL offering). For more details please see
http://www.mysql.com/products/enterprise/advisors.html.

Enjoy!

On behalf of the MySQL Build Team,
Jörg Brühe

Changes in MySQL 5.0.91 (05 May 2010)

Bugs fixed:

* Security Fix: The server failed to check the table name
  argument of a COM_FIELD_LIST command packet for validity
  and compliance to acceptable table name standards. This
  could be exploited to bypass almost all forms of checks
  for privileges and table-level grants by providing a
  specially crafted table name argument to COM_FIELD_LIST.
  In MySQL 5.0 and above, this allowed an authenticated
  user with SELECT privileges on one table to obtain the
  field definitions of any table in all other databases and
  potentially of other MySQL instances accessible from the
  server's file system.
  Additionally, for MySQL version 5.1 and above, an
  authenticated user with DELETE or SELECT privileges on
  one table could delete or read content from any other
  table in all databases on this server, and potentially of
  other MySQL instances accessible from the server's file
  system.
  (Bug#53371: http://bugs.mysql.com/bug.php?id=53371,
  CVE-2010-1848
  (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1848))

* Security Fix: The server was susceptible to a
  buffer-overflow attack due to a failure to perform bounds
  checking on the table name argument of a COM_FIELD_LIST
  command packet. By sending long data for the table name,
  a buffer is overflowed, which could be exploited by an
  authenticated user to inject malicious code.
  (Bug#53237: http://bugs.mysql.com/bug.php?id=53237,
  CVE-2010-1850
  (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1850))

* Security Fix: The server could be tricked into reading
  packets indefinitely if it received a packet larger than
  the maximum size of one packet.
  (Bug#50974: http://bugs.mysql.com/bug.php?id=50974,
  CVE-2010-1849
  (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1849))

* The optimizer could attempt to evaluate the WHERE clause
  before any rows had been read, resulting in a server
  crash.
  (Bug#52177: http://bugs.mysql.com/bug.php?id=52177)

* On Windows, LOAD_FILE() could cause a crash for some
  pathnames.
  (Bug#51893: http://bugs.mysql.com/bug.php?id=51893)

* Use of HANDLER statements with tables that had spatial
  indexes caused a server crash.
  (Bug#51357: http://bugs.mysql.com/bug.php?id=51357)

* With an XA transaction active, SET autocommit = 1 could
  cause side effects such as memory corruption or a server
  crash.
  (Bug#51342: http://bugs.mysql.com/bug.php?id=51342)

* The SSL certificates in the test suite were about to
  expire. They have been updated with expiration dates in
  the year 2015.
  (Bug#50642: http://bugs.mysql.com/bug.php?id=50642)

* For debug builds, an assertion was incorrectly raised in
  the optimizer when matching ORDER BY expressions.
  (Bug#50335: http://bugs.mysql.com/bug.php?id=50335)

* The filesort sorting method applied to a CHAR(0) column
  could lead to a server crash.
  (Bug#49897: http://bugs.mysql.com/bug.php?id=49897)

* sql_buffer_result had an effect on non-SELECT statements,
  contrary to the documentation.
  (Bug#49552: http://bugs.mysql.com/bug.php?id=49552)

* EXPLAIN EXTENDED crashed trying to print column names for
  a subquery in the FROM clause when the table had gone out
  of scope.
  (Bug#49487: http://bugs.mysql.com/bug.php?id=49487)

* mysql-test-run.pl now recognizes the
  MTR_TESTCASE_TIMEOUT, MTR_SUITE_TIMEOUT,
  MTR_SHUTDOWN_TIMEOUT, and MTR_START_TIMEOUT environment
  variables. If they are set, their values are used to set
  the --testcase-timeout, --suite-timeout,
  --shutdown-timeout, and --start-timeout options,
  respectively.
  (Bug#49210: http://bugs.mysql.com/bug.php?id=49210)

* Certain INTERVAL expressions could cause a crash on
  64-bit systems.
  (Bug#48739: http://bugs.mysql.com/bug.php?id=48739)

* The server crashed when it could not determine the best
  execution plan for queries involving outer joins with
  nondeterministic ON clauses such as the ones containing
  the RAND() function, a user-defined function, or a NOT
  DETERMINISTIC stored function.
  (Bug#48483: http://bugs.mysql.com/bug.php?id=48483)

* If an outer query was invalid, a subquery might not even
  be set up. EXPLAIN EXTENDED did not expect this and
  caused a crash by trying to dereference improperly set up
  information.
  (Bug#48295: http://bugs.mysql.com/bug.php?id=48295)

--
Joerg Bruehe, MySQL Build Team, <email address hidden>
Sun Microsystems GmbH, Komturstrasse 18a, D-12099 Berlin
Geschaeftsfuehrer: Juergen Kunz
Amtsgericht Muenchen: HRB161028

--
MySQL Announce Mailing List
For list archives: http://lists.mysql.com/announce
To unsubscribe: http://lists.mysql.com/announce?<email address hidden>
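
The two COM_FIELD_LIST fixes in the announcement above both concern a table name that was used before being bounded and validated. As an added example (not part of the announcement and not MySQL's own code), this C sketch parses the table name from a command payload with both checks in place; `MAX_TABLE_NAME`, the allow-list and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for this sketch; not taken from the MySQL source. */
#define MAX_TABLE_NAME 64

enum fl_status { FL_OK, FL_TRUNCATED, FL_TOO_LONG, FL_BAD_NAME };

/* Allow-list (an assumption, stricter than real identifier rules):
 * letters, digits, '_' and '$'. Every other byte is rejected outright
 * instead of being sanitised. */
static int name_byte_ok(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '$';
}

/* payload: the bytes after the command byte, "<table>\0<wildcard>".
 * out must have room for MAX_TABLE_NAME + 1 bytes. Nothing is copied
 * until the length and every byte of the name have been checked. */
enum fl_status parse_field_list_table(const unsigned char *payload,
                                      size_t payload_len, char *out)
{
    /* Bounded search: never reads past the received payload. */
    const unsigned char *nul = memchr(payload, 0, payload_len);
    if (nul == NULL)
        return FL_TRUNCATED;
    size_t n = (size_t)(nul - payload);
    if (n > MAX_TABLE_NAME)
        return FL_TOO_LONG;      /* bounds check before any copy */
    if (n == 0)
        return FL_BAD_NAME;
    for (size_t i = 0; i < n; i++)
        if (!name_byte_ok(payload[i]))
            return FL_BAD_NAME;  /* validity check before any lookup */
    memcpy(out, payload, n);
    out[n] = '\0';
    return FL_OK;
}

int main(void)
{
    /* Constructed sample payloads, not captured traffic. */
    char name[MAX_TABLE_NAME + 1];
    const unsigned char ok[] = "orders\0%";
    const unsigned char cut[] = { 'o', 'r', 'd' };
    printf("%d\n", parse_field_list_table(ok, sizeof ok - 1, name));
    printf("%d\n", parse_field_list_table(cut, sizeof cut, name));
    return 0;
}
```

Privilege and grant checks would then run against the validated name only; a request that fails either check is rejected before any table lookup.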

BJ Dierkes (derks)
Changed in ius:
milestone: none → mysql51-5.0.91-1
importance: Undecided → Medium
status: New → Triaged
BJ Dierkes (derks)
Changed in ius:
status: Triaged → Confirmed
assignee: nobody → BJ Dierkes (derks)
importance: Medium → Critical
BJ Dierkes (derks)
Changed in ius:
status: Confirmed → Fix Released