-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                    ESB-2007.0527 -- [Win][UNIX/Linux]
                  MySQL Community Server 5.0.45 released
                               18 July 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              MySQL Community Server prior to 5.0.45
Publisher:            MySQL
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Access Privileged Data
                      Increased Privileges
                      Denial of Service
Access:               Existing Account
                      Remote/Unauthenticated
CVE Names:            CVE-2007-3780 CVE-2007-3781 CVE-2007-3782

Revision History:     July 18 2007: Further CVE added
                      July 17 2007: CVE added
                      July 13 2007: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Dear MySQL users,

MySQL Community Server 5.0.45, a new version of the popular Open Source
Database Management System, has been released. The release is now
available in source and binary form from our download pages at

        http://dev.mysql.com/downloads/

and mirror sites.

Note that not all mirror sites may be up to date at this point in time,
so if you can't find this version on some mirror, please try again later
or choose another download site.

This release includes a number of security-relevant fixes:
   * CREATE TABLE LIKE did not require any privileges on the source
     table and was not isolated from alteration by other connections.
     (Bugs #25578 and #23667)
   * It is no longer possible to use a view to gain update privileges
     for tables in other databases. (Bug#27878)
   * It is no longer possible for a user to gain privileges by calling
     a stored routine that was declared using SQL SECURITY INVOKER.
     (Bug#27337)
   * The DROP privilege requirement for RENAME TABLE is now correctly
     enforced. (Bug#27515)
   * Malformed password packets in the connection protocol can no longer
     cause the server to crash. (Bug#28984)

One bug fix resulted in an incompatible change:
   * The use of an ORDER BY or DISTINCT clause with a query containing
     a call to the GROUP_CONCAT() function caused results from previous
     queries to be redisplayed in the current result. The fix for this
     includes replacing a BLOB value used internally for sorting with a
     VARCHAR; this may lead to truncation when the result of a query
     that uses GROUP_CONCAT() is longer than the limit for VARCHAR,
     which is a new restriction in MySQL 5.0.45.
     (Bugs #23856, #28273)

We welcome and appreciate your feedback, bug reports, bug fixes,
patches etc.:

   http://forge.mysql.com/wiki/Contributing

The following section lists the changes from version to version in the
MySQL source code as compared to the last released version of MySQL
Community Server, the MySQL Community Server 5.0.41 release.
It can also be viewed online at

   http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-45.html

Functionality added or changed:
    * Binaries for the Linux x86 statically linked tar.gz Community
      package were linked dynamically, not statically. Static
      linking has been re-enabled.
      (Bug#29617: http://bugs.mysql.com/29617)

Functionality added or changed from 5.0.44 (Enterprise version):
    * A new status variable, Com_call_procedure, indicates the
      number of calls to stored procedures.
      (Bug#27994: http://bugs.mysql.com/27994)
    * NDB Cluster: The server source tree now includes scripts to
      simplify building MySQL with SCI support. For more information
      about SCI interconnects and these build scripts, see Section
      15.9.1, "Configuring MySQL Cluster to use SCI Sockets."
      (Bug#25470: http://bugs.mysql.com/25470)

Functionality added or changed from 5.0.42 (Enterprise version):
    * Prior to this release, when DATE values were compared with
      DATETIME values the time portion of the DATETIME value was
      ignored. Now a DATE value is coerced to the DATETIME type by
      adding the time portion as "00:00:00". To mimic the old
      behavior use the CAST() function in the following way: SELECT
      date_field = CAST(NOW() as DATE);. (Bug# 28929)

Bugs fixed:
    * Binaries for the Linux x86 statically linked tar.gz Community
      package were linked dynamically, not statically. Static
      linking has been re-enabled.
      (Bug#29617: http://bugs.mysql.com/29617)
    * Potential memory leaks in the SHOW PROFILE implementation were
      eliminated. (Bug#24795: http://bugs.mysql.com/24795)
    * Times displayed by SHOW PROFILE were incorrectly associated
      with the profile entry one later than the correct one.
      (Bug#27060: http://bugs.mysql.com/27060)
    * SHOW PROFILE hung if executed before enabling the @@profiling
      session variable. (Bug#26938: http://bugs.mysql.com/26938)

Bug fixes from 5.0.44 (Enterprise version):
    * Security fix: A malformed password packet in the connection
      protocol could cause the server to crash. Thanks to Dormando
      for reporting this bug and providing details and a proof of
      concept. (Bug#28984: http://bugs.mysql.com/28984)
    * Security Fix: CREATE TABLE LIKE did not require any privileges
      on the source table. (Bug#25578: http://bugs.mysql.com/25578)
      In addition, CREATE TABLE LIKE was not isolated from
      alteration by other connections, which resulted in various
      errors and incorrect binary log order when trying to execute
      concurrently a CREATE TABLE LIKE statement and either DDL
      statements on the source table or DML or DDL statements on the
      target table. (Bug#23667: http://bugs.mysql.com/23667)
    * Incompatible change: The use of an ORDER BY or DISTINCT clause
      with a query containing a call to the GROUP_CONCAT() function
      caused results from previous queries to be redisplayed in the
      current result. The fix for this includes replacing a BLOB
      value used internally for sorting with a VARCHAR. This means
      that for long results (more than 65,535 bytes), it is possible
      for truncation to occur; if so, an appropriate warning is
      issued. (Bug#23856: http://bugs.mysql.com/23856,
      Bug#28273: http://bugs.mysql.com/28273)
    * NDB Cluster: A race condition could result when non-master
      nodes (in addition to the master node) tried to update active
      status due to a local checkpoint. Now only the master updates
      the active status. (Bug#28717: http://bugs.mysql.com/28717)
    * NDB Cluster: The actual value of MaxNoOfOpenFiles as used by
      the cluster was offset by 1 from the value set in config.ini.
      This meant that setting InitialNoOpenFiles to the same value
      always caused an error.
      (Bug#28749: http://bugs.mysql.com/28749)
    * NDB Cluster: A fast global checkpoint under high load with a
      high usage of the redo buffer caused data nodes to fail.
      (Bug#28653: http://bugs.mysql.com/28653)
    * NDB Cluster: UPDATE IGNORE statements involving the primary
      keys of multiple tables could result in data corruption.
      (Bug#28719: http://bugs.mysql.com/28719)
    * NDB Cluster: A corrupt schema file could cause a File already
      open error. (Bug#28770: http://bugs.mysql.com/28770)
    * NDB Cluster: When an API node sent more than 1024 signals in a
      single batch, NDB would process only the first 1024 of these,
      and then hang. (Bug#28443: http://bugs.mysql.com/28443)
    * NDB Cluster: A failure to release internal resources following
      an error could lead to problems with single user mode.
      (Bug#25818: http://bugs.mysql.com/25818)
    * NDB Cluster: A delay in obtaining AUTO_INCREMENT IDs could
      lead to excess temporary errors.
      (Bug#28410: http://bugs.mysql.com/28410)
    * The -lmtmalloc library was removed from the output of
      mysql_config on Solaris, as it caused problems when building
      DBD::mysql (and possibly other applications) on that platform
      that tried to use dlopen() to access the client library.
      (Bug#18322: http://bugs.mysql.com/18322)
    * On Windows, connection handlers did not properly decrement the
      server's thread count when exiting.
      (Bug#25621: http://bugs.mysql.com/25621)
    * On Windows, USE_TLS was not defined for mysqlclient.lib.
      (Bug#28860: http://bugs.mysql.com/28860)
    * INSERT .. ON DUPLICATE KEY UPDATE could under some
      circumstances silently update rows when it should not have.
      (Bug#28904: http://bugs.mysql.com/28904)
    * Connections from one mysqld server to another failed on Mac OS
      X, affecting replication and FEDERATED tables.
      (Bug#26664: http://bugs.mysql.com/26664)
    * The "manager thread" of the LinuxThreads implementation was
      unintentionally started before mysqld had dropped privileges
      (to run as an unprivileged user). This caused signaling
      between threads in mysqld to fail when the privileges were
      finally dropped. (Bug#28690: http://bugs.mysql.com/28690)
    * A query that grouped by the result of an expression returned a
      different result when the expression was assigned to a user
      variable. (Bug#28494: http://bugs.mysql.com/28494)
    * The result of evaluation for a view's CHECK OPTION option over
      an updated record and records of merged tables was arbitrary
      and dependent on the order of records in the merged tables
      during the execution of the SELECT statement.
      (Bug#28716: http://bugs.mysql.com/28716)
    * Outer join queries with ON conditions over constant outer
      tables did not return NULL-complemented rows when conditions
      were evaluated to FALSE.
      (Bug#28571: http://bugs.mysql.com/28571)
    * An update on a multiple-table view with the CHECK OPTION
      clause and a subquery in the WHERE condition could cause an
      assertion failure. (Bug#28561: http://bugs.mysql.com/28561)
    * mysql_affected_rows() could return an incorrect result for
      INSERT ... ON DUPLICATE KEY UPDATE if the CLIENT_FOUND_ROWS
      flag was set. (Bug#28505: http://bugs.mysql.com/28505)
    * Storing a large number into a FLOAT or DOUBLE column with a
      fixed length could result in incorrect truncation of the
      number if the column's length was greater than 31.
      (Bug#28121: http://bugs.mysql.com/28121)
    * HASH indexes on VARCHAR columns with binary collations did not
      ignore trailing spaces from strings before comparisons. This
      could result in duplicate records being successfully inserted
      into a MEMORY table with unique key constraints. A consequence
      was that internal MEMORY tables used for GROUP BY calculation
      contained duplicate rows that resulted in duplicate-key errors
      when converting those temporary tables to MyISAM, and that
      error was incorrectly reported as a table is full error.
      (Bug#27643: http://bugs.mysql.com/27643)
    * ON conditions from JOIN expressions were ignored when checking
      the CHECK OPTION clause while updating a multiple-table view
      that included such a clause.
      (Bug#27827: http://bugs.mysql.com/27827)
    * The IS_UPDATABLE column in the INFORMATION_SCHEMA.VIEWS table
      was not always set correctly.
      (Bug#28266: http://bugs.mysql.com/28266)
    * For CAST() of a NULL value with type DECIMAL, the return value
      was incorrectly initialized, producing a runtime error for
      binaries built using Visual C++ 2005.
      (Bug#28250: http://bugs.mysql.com/28250)
    * DECIMAL values beginning with nine 9 digits could be
      incorrectly rounded. (Bug#27984: http://bugs.mysql.com/27984)
    * For debug builds, ALTER TABLE could trigger an assertion
      failure due to occurrence of a deadlock when committing
      changes. (Bug#28652: http://bugs.mysql.com/28652)
    * Searches on indexed and non-indexed ENUM columns could return
      different results for empty strings.
      (Bug#28729: http://bugs.mysql.com/28729)
    * If a stored function or trigger was killed, it aborted but no
      error was thrown, allowing the calling statement to continue
      without noticing the problem. This could lead to incorrect
      results. (Bug#27563: http://bugs.mysql.com/27563)
    * When ALTER TABLE was used to add a new DATE column with no
      explicit default value, '0000-00-00' was used as the default
      even if the SQL mode included the NO_ZERO_DATE mode to
      prohibit that value. A similar problem occurred for DATETIME
      columns. (Bug#27507: http://bugs.mysql.com/27507)
    * Statements within triggers ignored the value of the
      low_priority_updates system variable.
      (Bug#26162: http://bugs.mysql.com/26162)
    * Queries that used UUID() were incorrectly allowed into the
      query cache. (This should not happen because UUID() is
      non-deterministic.) (Bug#28897: http://bugs.mysql.com/28897)
    * The Bytes_received and Bytes_sent status variables could hold
      only 32-bit values (not 64-bit values) on some platforms.
      (Bug#28149: http://bugs.mysql.com/28149)
    * Passing a DECIMAL value as a parameter of a statement prepared
      with PREPARE resulted in an error.
      (Bug#28509: http://bugs.mysql.com/28509)
    * For attempts to open a non-existent table, the server should
      report ER_NO_SUCH_TABLE but sometimes reported
      ER_TABLE_NOT_LOCKED. (Bug#27907: http://bugs.mysql.com/27907)
    * Due to a race condition, executing FLUSH PRIVILEGES in one
      thread could cause brief table unavailability in other
      threads. (Bug#24988: http://bugs.mysql.com/24988)
    * Conversion errors could occur when constructing the condition
      for an IN predicate. The predicate was treated as if the
      affected column contains NULL, but if the IN predicate is
      inside NOT, incorrect results could be returned.
      (Bug#22855: http://bugs.mysql.com/22855)
    * Linux binaries were unable to dump core after executing a
      setuid() call. (Bug#21723: http://bugs.mysql.com/21723)
    * Using up-arrow for command-line recall in mysql* could cause a
      segmentation fault. (Bug#10218: http://bugs.mysql.com/10218)
    * Long pathnames for internal temporary tables could cause stack
      overflows. (Bug#29015: http://bugs.mysql.com/29015)
    * If a program binds a given number of parameters to a prepared
      statement handle and then somehow changes stmt->param_count to
      a different number, mysql_stmt_execute() could crash the
      client or server. (Bug#28934: http://bugs.mysql.com/28934)
    * Using a VIEW created with a non-existing DEFINER could lead to
      incorrect results under some circumstances.
      (Bug#28895: http://bugs.mysql.com/28895)
    * An error occurred trying to connect to mysqld-debug.exe.
      (Bug#27597: http://bugs.mysql.com/27597)
    * Using an INTEGER column from a table to ROUND() a number
      produced different results than using a constant with the same
      value as the INTEGER column. (Bug# 28980)
    * InnoDB tables using an indexed CHAR column with utf8 as the
      default character set could fail to return the right rows.
      (Bug#28878: http://bugs.mysql.com/28878)
    * Using BETWEEN with non-indexed date columns and short formats
      of the date string could return incorrect results.
      (Bug#28778: http://bugs.mysql.com/28778)
    * Granting access privileges to an individual table where the
      database or table name contained an underscore would fail.
      (Bug#18660: http://bugs.mysql.com/18660)
    * A subquery with ORDER BY and LIMIT 1 could cause a server
      crash. (Bug#28811: http://bugs.mysql.com/28811)
    * Selecting GEOMETRY columns in a UNION caused a server crash.
      (Bug#28763: http://bugs.mysql.com/28763)
    * mysqltest used a too-large stack size on PPC/Debian Linux,
      causing thread-creation failure for tests that use many
      threads. (Bug#28333: http://bugs.mysql.com/28333)
    * When constructing the path to the original .frm file, ALTER ..
      RENAME was unnecessarily (and incorrectly) lowercasing the
      entire path when not on a case-insensitive filesystem, causing
      the statement to fail.
      (Bug#28754: http://bugs.mysql.com/28754)
    * PURGE MASTER LOGS BEFORE (subquery) caused a server crash.
      Subqueries are forbidden in the BEFORE clause now.
      (Bug#28553: http://bugs.mysql.com/28553)
    * A server crash could happen under rare conditions such that a
      temporary table outgrew heap memory reserved for it and the
      remaining disk space was not big enough to store the table as
      a MyISAM table. (Bug#28449: http://bugs.mysql.com/28449)
    * On some Linux distributions where LinuxThreads and NPTL glibc
      versions both are available, statically built binaries can
      crash because the linker defaults to LinuxThreads when linking
      statically, but calls to external libraries (such as libnss)
      are resolved to NPTL versions. This cannot be worked around in
      the code, so instead if a crash occurs on such a binary/OS
      combination, print an error message that provides advice about
      how to fix the problem.
      (Bug#24611: http://bugs.mysql.com/24611)
    * Stack overflow caused server crashes.
      (Bug#21476: http://bugs.mysql.com/21476)
    * The test case for mysqldump failed with bin-log disabled.
      (Bug#28372: http://bugs.mysql.com/28372)
    * Comparing a DATETIME column value with a user variable yielded
      incorrect results. (Bug# 28261)
    * Comparison of the string value of a date showed as unequal to
      CURTIME(). Similar behavior was exhibited for DATETIME values.
      (Bug# 28208)
    * Implicit conversion of 9912101 to DATE did not match
      CAST(9912101 AS DATE).
      (Bug#23093: http://bugs.mysql.com/23093)
    * The check-cpu script failed to detect AMD64 Turion processors
      correctly. (Bug#17707: http://bugs.mysql.com/17707)
    * After an upgrade, the names of stored routines referenced by
      views were no longer displayed by SHOW CREATE VIEW. This was a
      regression introduced by the fix for
      Bug#23491: http://bugs.mysql.com/23491.
      (Bug#28605: http://bugs.mysql.com/28605)
    * Killing from one connection a long-running EXPLAIN QUERY
      started from another connection caused mysqld to crash.
      (Bug#28598: http://bugs.mysql.com/28598)
    * Subselects returning LONG values in MySQL versions later than
      5.0.24a returned LONGLONG prior to this. The previous behavior
      was restored. This issue was introduced by the fix for
      Bug#19714: http://bugs.mysql.com/19714.
      (Bug#28492: http://bugs.mysql.com/28492)
    * A buffer overflow could occur when using DECIMAL columns on
      Windows operating systems.
      (Bug#28361: http://bugs.mysql.com/28361)
    * Executing EXPLAIN EXTENDED on a query using a derived table
      over a grouping subselect could lead to a server crash. This
      occurred only when materialization of the derived tables
      required creation of an auxiliary temporary table, an example
      being when a grouping operation was carried out with usage of
      a temporary table. (Bug#28728: http://bugs.mysql.com/28728)
    * Binary logging of prepared statements could produce
      syntactically incorrect queries in the binary log, replacing
      some parameters with variable names rather than variable
      values. This could lead to incorrect results on replication
      slaves. (Bug#12826: http://bugs.mysql.com/12826,
      Bug#26842: http://bugs.mysql.com/26842)
    * Selecting MIN() on an indexed column that contained only NULL
      values caused NULL to be returned for other result columns.
      (Bug#27573: http://bugs.mysql.com/27573)
    * mysql_upgrade failed if certain SQL modes were set. Now it
      sets the mode itself to avoid this problem.
      (Bug#28401: http://bugs.mysql.com/28401)
    * Some test suite files were missing from some MySQL-test
      packages. (Bug#26609: http://bugs.mysql.com/26609)
    * When dumping procedures, mysqldump --compact generated output
      that restored the session variable SQL_MODE without first
      capturing it. When dumping routines, mysqldump --compact
      neither set nor retrieved the value of SQL_MODE.
      (Bug#28223: http://bugs.mysql.com/28223)
    * Attempting to LOAD_FILE from an empty floppy drive under
      Windows caused the server to hang. For example, if you opened
      a connection to the server and then issued the command SELECT
      LOAD_FILE('a:test');, with no floppy in the drive, the server
      was inaccessible until the modal pop-up dialog box was
      dismissed. (Bug#28366: http://bugs.mysql.com/28366)
    * mysqldump calculated the required memory for a hex-blob string
      incorrectly causing a buffer overrun. This in turn caused
      mysqldump to crash silently and produce incomplete output.
      (Bug#28522: http://bugs.mysql.com/28522)
    * The query SELECT '2007-01-01' + INTERVAL column_name DAY FROM
      table_name caused mysqld to fail.
      (Bug#28450: http://bugs.mysql.com/28450)
    * The result of executing a prepared statement created with
      PREPARE s FROM "SELECT 1 LIMIT ?" was not replicated
      correctly. (Bug#28464: http://bugs.mysql.com/28464)
    * The second execution of a prepared statement from a UNION
      query with ORDER BY RAND() caused the server to crash. This
      problem could also occur when invoking a stored procedure
      containing such a query.
      (Bug#27937: http://bugs.mysql.com/27937)
    * Trying to shut down the server following a failed LOAD DATA
      INFILE caused mysqld to crash.
      (Bug#17233: http://bugs.mysql.com/17233)
    * Running CHECK TABLE concurrently with a SELECT, INSERT or
      other statement on Windows could corrupt a MyISAM table.
      (Bug#25712: http://bugs.mysql.com/25712)
    * The error message for error number 137 did not report which
      database/table combination reported the problem.
      (Bug#27173: http://bugs.mysql.com/27173)
    * Forcing the use of an index on a SELECT query when the index
      had been disabled would raise an error without running the
      query. The query now executes, with a warning generated noting
      that the use of a disabled index has been ignored.
      (Bug#28476: http://bugs.mysql.com/28476)
    * Using CREATE TABLE LIKE ... would raise an assertion when
      replicated to a slave.
      (Bug#18950: http://bugs.mysql.com/18950)
    * When using transactions and replication, shutting down the
      master in the middle of a transaction would cause all slaves
      to stop replicating. (Bug#22725: http://bugs.mysql.com/22725)
    * Recreating a view that already exists on the master would
      cause a replicating slave to terminate replication with a
      'different error message on slave and master' error.
      (Bug#28244: http://bugs.mysql.com/28244)
    * CURDATE() is less than NOW(), either when comparing CURDATE()
      directly (CURDATE() < NOW() is true) or when casting CURDATE()
      to DATE (CAST(CURDATE() AS DATE) < NOW() is true). However,
      storing CURDATE() in a DATE column and comparing col_name <
      NOW() incorrectly yielded false. This is fixed by comparing a
      DATE column as DATETIME for comparisons to a DATETIME
      constant. (Bug#21103: http://bugs.mysql.com/21103)
    * For dates with 4-digit year parts less than 200, an incorrect
      implicit conversion to add a century was applied for date
      arithmetic performed with DATE_ADD(), DATE_SUB(), + INTERVAL,
      and - INTERVAL. (For example, DATE_ADD('0050-01-01 00:00:00',
      INTERVAL 0 SECOND) became '2050-01-01 00:00:00'.)
      (Bug#18997: http://bugs.mysql.com/18997)
    * The result for CAST() when casting a value to UNSIGNED was
      limited to the maximum signed BIGINT value, not the maximum
      unsigned value. (Bug#8663: http://bugs.mysql.com/8663)
    * A stored program that uses a variable name containing
      multibyte characters could fail to execute.
      (Bug#27876: http://bugs.mysql.com/27876)
    * The BLACKHOLE storage engine does not support INSERT DELAYED
      statements, but they were not being rejected.
      (Bug#27998: http://bugs.mysql.com/27998)
    * EXPLAIN for a query on an empty table immediately after its
      creation could result in a server crash.
      (Bug#28272: http://bugs.mysql.com/28272)
    * Grouping queries with correlated subqueries in WHERE
      conditions could produce incorrect results.
      (Bug#28337: http://bugs.mysql.com/28337)
    * libmysql.dll could not be dynamically loaded on Windows.
      (Bug#28358: http://bugs.mysql.com/28358)
    * Portability problems caused by use of isinf() were corrected.
      (Bug#28240: http://bugs.mysql.com/28240)
    * Using a TEXT local variable in a stored routine in an
      expression such as SET var = SUBSTRING(var, 3) produced an
      incorrect result. (Bug#27415: http://bugs.mysql.com/27415)
    * A large filesort could result in a division by zero error and
      a server crash. (Bug#27119: http://bugs.mysql.com/27119)

Bug fixes from 5.0.42 (Enterprise version):
    * Security fix: Use of a view could allow a user to gain update
      privileges for tables in other databases.
      (Bug#27878: http://bugs.mysql.com/27878)
    * Security fix: If a stored routine was declared using SQL
      SECURITY INVOKER, a user who invoked the routine could gain
      privileges. (Bug#27337: http://bugs.mysql.com/27337)
    * Security fix: The requirement of the DROP privilege for RENAME
      TABLE was not being enforced.
      (Bug#27515: http://bugs.mysql.com/27515)
    * NDB Cluster: Repeated insertion of data generated by mysqldump
      into NDB tables could eventually lead to failure of the
      cluster. (Bug#27437: http://bugs.mysql.com/27437)
    * NDB Cluster: ndb_connectstring did not appear in the output of
      SHOW VARIABLES. (Bug#26675: http://bugs.mysql.com/26675)
    * NDB Cluster: INSERT IGNORE wrongly ignored NULL values in
      unique indexes. (Bug#27980: http://bugs.mysql.com/27980)
    * NDB Cluster: The name of the month "March" was given
      incorrectly in the cluster error log.
      (Bug#27926: http://bugs.mysql.com/27926)
    * NDB Cluster (APIs): For BLOB reads on operations with lock
      mode LM_CommittedRead, the lock mode was not upgraded to
      LM_Read before the state of the BLOB had already been
      calculated. The NDB API methods affected by this problem
      included the following:
         + NdbOperation::readTuple()
         + NdbScanOperation::readTuples()
         + NdbIndexScanOperation::readTuples()
      (Bug#27320: http://bugs.mysql.com/27320)
    * NDB Cluster: The cluster waited 30 seconds instead of 30
      milliseconds before reading table statistics.
      (Bug#28093: http://bugs.mysql.com/28093)
    * NDB Cluster: It was not possible to add a unique index to an
      NDB table while in single user mode.
      (Bug#27710: http://bugs.mysql.com/27710)
    * The server could abort or deadlock for INSERT DELAYED
      statements for which another insert was performed implicitly
      (for example, via a stored function that inserted a row).
      (Bug#21483: http://bugs.mysql.com/21483)
    * The server could hang for INSERT IGNORE ... ON DUPLICATE KEY
      UPDATE if an update failed.
      (Bug#28000: http://bugs.mysql.com/28000)
    * Quoted labels in stored routines were mishandled, rendering
      the routines unusable.
      (Bug#21513: http://bugs.mysql.com/21513)
    * Changes to some system variables should invalidate statements
      in the query cache, but invalidation did not happen.
      (Bug#27792: http://bugs.mysql.com/27792)
    * Flow control optimization in stored routines could cause
      exception handlers to never return or execute incorrect logic.
      (Bug#26977: http://bugs.mysql.com/26977)
    * An attempt to execute CREATE TABLE ... SELECT when a temporary
      table with the same name already existed led to the insertion
      of data into the temporary table and creation of an empty
      non-temporary table. (Bug#24508: http://bugs.mysql.com/24508)
    * Concurrent execution of CREATE TABLE ... SELECT and other
      statements involving the target table suffered from various
      race conditions, some of which might have led to deadlocks.
      (Bug#24738: http://bugs.mysql.com/24738)
    * CREATE TABLE IF NOT EXISTS ... SELECT caused a server crash if
      the target table already existed and had a BEFORE INSERT
      trigger. (Bug#20903: http://bugs.mysql.com/20903)
    * Deadlock occurred for attempts to execute CREATE TABLE IF NOT
      EXISTS ... SELECT when LOCK TABLES had been used to acquire a
      read lock on the target table.
      (Bug#20662: http://bugs.mysql.com/20662)
    * CAST() to DECIMAL did not check for overflow.
      (Bug#27957: http://bugs.mysql.com/27957)
    * Views ignored precision for CAST() operations.
      (Bug#27921: http://bugs.mysql.com/27921)
    * For InnoDB, in some rare cases the optimizer preferred a more
      expensive ref access to a less expensive range access.
      (Bug#28189: http://bugs.mysql.com/28189)
    * A query with a NOT IN subquery predicate could cause a crash
      when the left operand of the predicate evaluated to NULL.
      (Bug#28375: http://bugs.mysql.com/28375)
    * The fix for Bug#17212: http://bugs.mysql.com/17212 provided
      correct sort order for misordered output of certain queries,
      but caused significant overall query performance degradation.
      (Results were correct (good), but returned much more slowly
      (bad).) The fix also affected performance of queries for which
      results were correct. The performance degradation has been
      addressed. (Bug#27531: http://bugs.mysql.com/27531)
    * For INSERT ... ON DUPLICATE KEY UPDATE statements that
      affected many rows, updates could be applied to the wrong
      rows. (Bug#27954: http://bugs.mysql.com/27954)
    * Comparisons of DATE or DATETIME values for the IN() function
      could yield incorrect results.
      (Bug#28133: http://bugs.mysql.com/28133)
    * LOAD DATA did not use CURRENT_TIMESTAMP as the default value
      for a TIMESTAMP column for which no value was provided.
      (Bug#27670: http://bugs.mysql.com/27670)
    * SELECT COUNT(*) from a table containing a DATETIME NOT NULL
      column could produce spurious warnings with the NO_ZERO_DATE
      SQL mode enabled. (Bug#22824: http://bugs.mysql.com/22824)
    * Nested aggregate functions could be improperly evaluated.
      (Bug#27363: http://bugs.mysql.com/27363)
    * Using CAST() to convert DATETIME values to numeric values did
      not work. (Bug#23656: http://bugs.mysql.com/23656)
    * Early NULL-filtering optimization did not work for eq_ref
      table access. (Bug#27939: http://bugs.mysql.com/27939)
    * Non-grouped columns were allowed by * in ONLY_FULL_GROUP_BY
      SQL mode. (Bug#27874: http://bugs.mysql.com/27874)
    * Debug builds on Windows generated false alarms about
      uninitialized variables with some Visual Studio runtime
      libraries. (Bug#27811: http://bugs.mysql.com/27811)
    * mysqld did not check the length of option values and could
      crash with a buffer overflow for long values.
      (Bug#27715: http://bugs.mysql.com/27715)
    * Index hints (USE INDEX, IGNORE INDEX, FORCE INDEX) cannot be
      used with FULLTEXT indexes, but were not being ignored.
      (Bug#25951: http://bugs.mysql.com/25951)
    * mysql_upgrade did not detect failure of external commands that
      it runs. (Bug#26639: http://bugs.mysql.com/26639)
    * mysql_upgrade did not pass a password to mysqlcheck if one was
      given. (Bug#25452: http://bugs.mysql.com/25452)
    * On Windows, mysql_upgrade was sensitive to lettercase of the
      names of some required components.
      (Bug#25405: http://bugs.mysql.com/25405)
    * The result set of a query that used WITH ROLLUP and DISTINCT
      could lack some rollup rows (rows with NULL values for
      grouping attributes) if the GROUP BY list contained constant
      expressions. (Bug#24856: http://bugs.mysql.com/24856)
    * Some upgrade problems are detected and better error messages
      suggesting that mysql_upgrade be run are produced.
      (Bug#24248: http://bugs.mysql.com/24248)
    * A performance degradation was observed for outer join queries
      to which a not-exists optimization was applied.
      (Bug#28188: http://bugs.mysql.com/28188)
    * SELECT * INTO OUTFILE ... FROM INFORMATION_SCHEMA.schemata
      failed with an Access denied error, even for a user who has
      the FILE privilege. (Bug#28181: http://bugs.mysql.com/28181)
    * Certain queries that used uncorrelated scalar subqueries
      caused EXPLAIN to crash.
      (Bug#27807: http://bugs.mysql.com/27807)
    * INSERT...ON DUPLICATE KEY UPDATE could cause Error 1032: Can't
      find record in ... for inserts into an InnoDB table unique
      index using key column prefixes with an underlying utf8 string
      column. (Bug#13191: http://bugs.mysql.com/13191)
    * On Linux, the server could not create temporary tables if
      lower_case_table_names was set to 1 and the value of tmpdir
      was a directory name containing any uppercase letters.
      (Bug#27653: http://bugs.mysql.com/27653)
    * A slave that used --master-ssl-cipher could not connect to the
      master. (Bug#21611: http://bugs.mysql.com/21611)
    * mysqldump crashed if it got no data from SHOW CREATE PROCEDURE
      (for example, when trying to dump a routine defined by a
      different user and for which the current user had no
      privileges). Now it prints a comment to indicate the problem.
      It also returns an error, or continues if the --force option
      is given. (Bug#27293: http://bugs.mysql.com/27293)
    * Several math functions produced incorrect results for large
      unsigned values. ROUND() produced incorrect results or a crash
      for a large number-of-decimals argument.
      (Bug#24912: http://bugs.mysql.com/24912)
    * For storage engines that allow the current auto-increment
      value to be set, using ALTER TABLE ... ENGINE to convert a
      table from one such storage engine to another caused loss of
      the current value. (For storage engines that do not support
      setting the value, it cannot be retained anyway when changing
      the storage engine.) (Bug#25262: http://bugs.mysql.com/25262)
    * Comparison of a DATE with a DATETIME did not treat the DATE as
      having a time part of 00:00:00.
      (Bug#27590: http://bugs.mysql.com/27590)
    * A multiple-table UPDATE could return an incorrect rows-matched
      value if, during insertion of rows into a temporary table, the
      table had to be converted from a MEMORY table to a MyISAM
      table. (Bug#22364: http://bugs.mysql.com/22364)
    * The omission of leading zeros in dates could lead to erroneous
      results when these were compared with the output of certain
      date and time functions.
      (Bug#16377: http://bugs.mysql.com/16377)
    * If CREATE TABLE t1 LIKE t2 failed due to a full disk, an empty
      t2.frm file could be created but not removed. This file then
      caused subsequent attempts to create a table named t2 to fail.
      This is easily corrected at the filesystem level by removing
      the t2.frm file manually, but now the server removes the file
      if the create operation does not complete successfully.
      (Bug#25761: http://bugs.mysql.com/25761)
    * The MERGE storage engine could return incorrect results when
      several index values that compare as equal were present in an
      index (for example, 'gross' and 'gross ', which are considered
      equal but have different lengths).
      (Bug#24342: http://bugs.mysql.com/24342)
    * For InnoDB tables, a multiple-row INSERT of the form INSERT
      INTO t (id...) VALUES (NULL...) ON DUPLICATE KEY UPDATE
      id=VALUES(id), where id is an AUTO_INCREMENT column, could
      cause ERROR 1062 (23000): Duplicate entry... errors or lost
      rows. (Bug#27650: http://bugs.mysql.com/27650)
    * mysql_install_db is supposed to detect existing system tables
      and create only those that do not exist. Instead, it was
      exiting with an error if tables already existed.
      (Bug#27783: http://bugs.mysql.com/27783)
    * Failure to allocate memory associated with
      transaction_prealloc_size could cause a server crash.
      (Bug#27322: http://bugs.mysql.com/27322)
    * Aborting a statement on the master that applied to a
      non-transactional statement broke replication. The statement
      was written to the binary log but not completely executed on
      the master. Slaves receiving the statement executed it
      completely, resulting in loss of data synchrony. Now an error
      code is written to the error log so that the slaves stop
      without executing the aborted statement. (That is, replication
      stops, but synchrony to the point of the stop is preserved and
      you can investigate the problem.)
      (Bug#26551: http://bugs.mysql.com/26551)
    * The AUTO_INCREMENT value would not be correctly reported for
      InnoDB tables when using the SHOW CREATE TABLE statement or
      the mysqldump command. (Bug#23313: http://bugs.mysql.com/23313)
    * Creating a temporary table with InnoDB when using the
      one-file-per-table setting, when the host filesystem for
      temporary tables is tmpfs, would cause an assertion within
      mysqld. This was due to the use of O_DIRECT when opening the
      temporary table file. (Bug#26662: http://bugs.mysql.com/26662)
    * An interaction between SHOW TABLE STATUS and other concurrent
      statements that modify the table could result in a
      divide-by-zero error and a server crash.
      (Bug#27516: http://bugs.mysql.com/27516)
    * mysqldump could not connect using SSL.
      (Bug#27669: http://bugs.mysql.com/27669)
    * yaSSL crashed on pre-Pentium Intel CPUs.
      (Bug#21765: http://bugs.mysql.com/21765)
    * Comparisons using row constructors could fail for rows
      containing NULL values.
      (Bug#27704: http://bugs.mysql.com/27704)
    * Performing a UNION on two views that had ORDER BY clauses
      resulted in an Unknown column error.
      (Bug#27786: http://bugs.mysql.com/27786)
    * The CRC32() function returns an unsigned integer, but the
      metadata was signed, which could cause certain queries to
      return incorrect results. (For example, queries that selected
      a CRC32() value and used that value in the GROUP BY clause.)
      (Bug#27530: http://bugs.mysql.com/27530)
    * A race condition between DROP TABLE and SHOW TABLE STATUS
      could cause the latter to display incorrect information.
      (Bug#27499: http://bugs.mysql.com/27499)
    * mysqldump would not dump a view for which the DEFINER no
      longer exists. (Bug#26817: http://bugs.mysql.com/26817)
    * Changing a utf8 column in an InnoDB table to a shorter length
      did not shorten the data values.
      (Bug#20095: http://bugs.mysql.com/20095)
    * Using SET GLOBAL to change the lc_time_names system variable
      had no effect on new connections.
      (Bug#22648: http://bugs.mysql.com/22648)
    * The XML output representing an empty result was an empty
      string rather than an empty <resultset/> element.
      (Bug#27608: http://bugs.mysql.com/27608)
    * mysqlbinlog produced different output with the -R option than
      without it. (Bug#27171: http://bugs.mysql.com/27171)
    * A stored function invocation in the WHERE clause was treated
      as a constant. (Bug#27354: http://bugs.mysql.com/27354)
    * For queries that used ORDER BY with InnoDB tables, if the
      optimizer chose an index for accessing the table but found a
      covering index that enabled the ORDER BY to be skipped, no
      results were returned.
      (Bug#24778: http://bugs.mysql.com/24778)
    * Having the EXECUTE privilege for a routine in a database
      should make it possible to USE that database, but the server
      returned an error instead. This has been corrected. As a
      result of the change, SHOW TABLES for a database in which you
      have only the EXECUTE privilege returns an empty set rather
      than an error. (Bug#9504: http://bugs.mysql.com/9504)
    * Some views could not be created even when the user had the
      requisite privileges. (Bug#24040: http://bugs.mysql.com/24040)
    * Restoration of the default database after stored routine or
      trigger execution on a slave could cause replication to stop
      if the database no longer existed.
      (Bug#25082: http://bugs.mysql.com/25082)

- -- 
Daniel Fischer, Product Engineer           +46 18174400 ext. 4537
MySQL GmbH, Radlkoferstr. 2, D-81373 Muenchen       www.mysql.com
Geschaeftsfuehrer: Kaj Arnoe                  HRB Muenchen 162140
Are you MySQL certified? mysql.com/certification    49.011, 8.376

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----