Mysql

Ken Moffat ken at kenmoffat.uklinux.net
Tue Aug 9 05:31:13 PDT 2005


 A report on securityfocus at

http://www.securityfocus.com/archive/1/407648/30/0/threaded

 says there is a vulnerability where users are allowed to create
user-defined functions.  The workaround is to restrict who is allowed to
create user-defined functions.  No CVE reference.  Risk level LOW.

 The report says this has been patched by MySQL, supposedly in 4.1.13.
I can see a code change in sql/sql_udf.cc which might be this fix, but
there is nothing in the ChangeLog.  I'm slightly puzzled, because the
announcement by the people who found it was quite a long time after
4.1.13 was released.

[ The latest version is 4.1.13a, but that addresses zlib vulnerabilities
for people who link statically against the included zlib. ]

Ken
-- 
 the first time as tragedy, the second time as farce
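
Added example, not part of the original post: one way to audit the workaround described above by listing the accounts that can currently create user-defined functions. It assumes the standard MySQL grant tables, where registering a UDF with CREATE FUNCTION requires the INSERT privilege on the mysql database (which holds the func table).

```sql
-- Added example: accounts able to register UDFs (INSERT on mysql.func).

-- Global grants apply to every database, including mysql.
SELECT 'global' AS scope, User, Host
  FROM mysql.user
 WHERE Insert_priv = 'Y'
UNION
-- Database-level grants; Db may hold a LIKE pattern such as '%' or 'my%',
-- so match the literal name 'mysql' against the stored pattern.
SELECT 'database', User, Host
  FROM mysql.db
 WHERE Insert_priv = 'Y'
   AND 'mysql' LIKE Db
UNION
-- Table-level grants made directly on mysql.func.
SELECT 'table', User, Host
  FROM mysql.tables_priv
 WHERE Db = 'mysql'
   AND Table_name = 'func'
   AND FIND_IN_SET('Insert', Table_priv) > 0;
```

Any account returned that does not need to install UDFs is a candidate for having that INSERT privilege revoked.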



