MySQL 5.1.28 Release Candidate With Important Security Fix
On 13 September MySQL announced the MySQL 5.1.28 release candidate. One of the key changes from 5.1.26 to 5.1.28 is an important security fix related to Bug#32167:
It was possible to circumvent privileges through the creation of MyISAM tables employing the INDEX DIRECTORY options to overwrite existing table files in the MySQL data directory. Use of the MySQL data directory in INDEX DIRECTORY is now disallowed. This is now also true of these options when used with partitioned tables and individual partitions of such tables.
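As an added example (not from the MySQL changelog or the original article), the following Python check audits CREATE TABLE text for INDEX DIRECTORY values, and values of the sibling MyISAM option DATA DIRECTORY, that resolve inside the server's data directory, which is the condition the fix now rejects. The data directory /var/lib/mysql, the table names and the sample DDL are constructed assumptions.

```python
import posixpath
import re

# Matches table/partition options such as: INDEX DIRECTORY = '/path'
DIR_OPTION = re.compile(r"\b(DATA|INDEX)\s+DIRECTORY\s*=?\s*'([^']*)'", re.IGNORECASE)

def normalize(path):
    """Collapse '//', '/./', '/../' and trailing slashes so equal directories compare equal."""
    return posixpath.normpath("/" + path.lstrip("/"))

def inside(path, base):
    """True if path is base itself or lies beneath it (textual check, symlinks not resolved)."""
    path, base = normalize(path), normalize(base)
    # Compare on a path-component boundary so /var/lib/mysql-archive is not a match.
    return path == base or path.startswith(base.rstrip("/") + "/")

def audit(ddl, datadir):
    """Return (option, path) pairs in the DDL text that point into datadir."""
    findings = []
    for kind, path in DIR_OPTION.findall(ddl):
        if inside(path, datadir):
            findings.append((kind.upper() + " DIRECTORY", path))
    return findings

# Constructed sample input: statements as they might appear in a schema dump.
SAMPLE_DDL = """
CREATE TABLE t1 (id INT) ENGINE=MyISAM INDEX DIRECTORY='/var/lib/mysql/shop/';
CREATE TABLE t2 (id INT) ENGINE=MyISAM
  DATA DIRECTORY = '/var/lib/mysql/../mysql/shop' INDEX DIRECTORY = '/srv/idx';
CREATE TABLE t3 (id INT) ENGINE=MyISAM INDEX DIRECTORY='/var/lib/mysql-archive/idx';
CREATE TABLE t4 (id INT) ENGINE=MyISAM
  PARTITION BY HASH(id) (PARTITION p0 INDEX DIRECTORY = '/var/lib//mysql/./shop');
"""

if __name__ == "__main__":
    # Assumed data directory; on a real server read it from the datadir variable.
    for option, path in audit(SAMPLE_DDL, "/var/lib/mysql/"):
        print(f"{option} points into the data directory: {path}")
```

The check is purely textual, so a directory that reaches the data directory through a symbolic link is not flagged.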
There are actually an enormous number of bug fixes in this release, 63 in total, and while it is not ready for production yet, it is definitely worth upgrading from 5.1.26. Some of the bug fixes, excluding the above, are:
- Security Enhancement: The server consumed excess memory while parsing statements with hundreds or thousands of nested boolean conditions (such as OR (OR ... (OR ... ))). This could lead to a server crash or incorrect statement execution, or cause other client statements to fail due to lack of memory. The latter result constitutes a denial of service.
- Incompatible Change: An additional correction to the original MySQL 5.1.23 fix was made to normalize directory names before adding them to the list of directories. This prevents /etc from being considered different, for example.
- Partitioning: When a partitioned table had a TIMESTAMP column defined with CURRENT_TIMESTAMP as the default but with no ON UPDATE clause, the column's value was incorrectly set to CURRENT_TIMESTAMP when updating across partitions.
- Partitioning: A MyISAM table returned erroneous results when an index was present on a column in the NOT IN was used on that column. Searches using the index were also much slower than if the index were not present.
- Replication: Some kinds of internal errors (such as Out of stack) caused the server to crash.
- Replication: Row-based replication did not correctly copy TIMESTAMP values from a big-endian storage engine to a little-endian storage engine.
- Over-aggressive lock acquisition by InnoDB could result in performance degradation when multiple threads were executing statements on multi-core machines.
For a complete list of bug fixes and improvements view the detailed changelog. The MySQL 5.1.28-rc release is now available in source and binary form for a number of platforms from http://dev.mysql.com/downloads/