Posted by & filed under MySQL.

MySQL versions prior to 5.1.51 (including 5.1.50) suffer from a vulnerability in the processing of arguments passed to the LEAST() or GREATEST() functions. This issue could be exploited by a malicious user to cause a server crash, leading to a DoS condition.

You really should upgrade your Lenny servers (amd64 or i386) with the new packages of MySQL 5.1.51 from Dotdeb. As usual, don’t forget to read the Changelog before upgrading.
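Before and after upgrading, it helps to know whether a given box is still on an affected release. The following check is an added example written for this post, not part of the original Dotdeb article or its packages: it compares a MySQL version string against 5.1.51 (the first fixed release named above) using only POSIX sh, so it works on a Lenny server without dpkg --compare-versions or sort -V. It also strips a Debian revision or build suffix ("5.1.50-log", "5.1.51-1~dotdeb.0") before comparing, which goes slightly beyond the plain version numbers in the post. The installed_mysql_version helper assumes that `mysqld --version` prints a line of the form "mysqld  Ver 5.1.50-log for ..."; that format is an assumption here, not something the post states.

```shell
#!/bin/sh
# Added example (not from the Dotdeb post): is this MySQL 5.1.x release
# older than 5.1.51, the first version with the LEAST()/GREATEST() fix?

FIXED_VERSION="5.1.51"   # first release with the DoS fix, per the post

# version_lt A B : exit 0 when dotted version A is strictly lower than B.
# Components are compared numerically, so 5.1.9 < 5.1.10 as expected;
# a trailing letter such as the "a" in 5.0.51a is ignored.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # drop non-numeric suffixes: "51a" -> "51"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        # advance to the next component, or empty when none remain
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# mysql_needs_upgrade VERSION : exit 0 when VERSION predates the fix.
# Strips a Debian revision or build tag after the first "-" first, so
# "5.1.50-log" and "5.1.51-1~dotdeb.0" are handled like 5.1.50 / 5.1.51.
mysql_needs_upgrade() {
    v="${1%%-*}"
    version_lt "$v" "$FIXED_VERSION"
}

# Reads the running server's version from mysqld, if it is on this box.
# Assumed output format: "mysqld  Ver 5.1.50-log for debian-linux-gnu ..."
installed_mysql_version() {
    mysqld --version 2>/dev/null | sed -n 's/.*Ver \([0-9][0-9.]*\).*/\1/p'
}

# Stand-alone usage: report on the locally installed server, if any.
if [ "${0##*/}" != "sh" ] && [ -n "$(installed_mysql_version)" ]; then
    v="$(installed_mysql_version)"
    if mysql_needs_upgrade "$v"; then
        echo "mysqld $v is affected; upgrade to $FIXED_VERSION or later"
    else
        echo "mysqld $v already carries the fix"
    fi
fi
```

Run it as a script on each server, or source it and call `mysql_needs_upgrade` on the version reported by `mysqld --version` or by `SELECT VERSION()`. Note that it only answers the question this post raises (older than 5.1.51 or not); it does not look at the separate 5.1.51 foreign-key regression mentioned in the comments below.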

15 Responses to “Upgrade to MySQL 5.1.51! It fixes a DoS vulnerability”

  1. Mostafa

    I have installed phpMyAdmin, But it says :
    ———————-
    Your PHP MySQL library version 5.0.51a differs from your MySQL server version 5.1.51. This may cause unpredictable behavior.
    ———————-

    Please fix it.

    Reply
  2. Guillaume Plessis

    @Mostafa : as said many times on this blog, 5.0.51a is just the version of the libmysqlclient library PHP was built with. Don’t worry about that delta between the client side and the server side, it does not affect the PHP behaviour.

    Reply
  3. Jools

    In some cases as people are running dotdeb on production machines, would it not be good also
    to provide new packages when serious bugs occur without waiting for debian ?

    I’ve just upgraded mine manually. For anyone else that this bug is affecting you can upgrade without too much trouble (takes some time to build/run the automated tests though).

    download mysql-5.1.52.tar.gz from mysql.com

    then

    apt-get source mysql-server-5.1
    apt-get build-dep mysql-server-5.1
    cd mysql-5.1-5.1.51
    uupdate ../mysql-5.1.52.tar.gz
    cd ../mysql-5.1-5.1.52
    debuild -i -us -uc -b

    packages created in the parent folder.

    Since new versions can introduce serious problems, I also think it would be a good idea
    to include older builds on the dotdeb machines. This would give users the option of downgrading
    should a problem occur (at their own risk of course).

    Thanks for listening. dotdeb is a much appreciated effort/resource.

    Reply
  4. yaw

    Hi Guillaume,
    I am trying to upgrade a 5.1.34 dotdeb installation to 5.1.51.

    I have run following command : “apt-get upgrade mysql-server mysql-client libmysqlclient16 mysql-common”

    It seems that apt want to keep my old server :
    “The following packages have been kept back:
    libpurple0 mysql-server-5.1 pidgin”

    Could you specify few steps required to achieve this slight upgrade ?

    Many thanks for your great work

    Reply
  5. Guillaume Plessis

    @yaw : use a decent package manager, such as dselect, aptitude or synaptic to resolve the dependency issue.

    Perhaps you should install mysql-server-core-5.1. The libpurple0 and pidgin packages have nothing to do with Dotdeb.

    Reply
  6. Dave

    There’s a pretty bad bug in .51 that causes foreign keys to break in some scenarios ( eg magento stores ) that stops you deleting rows with constraints.

    http://bugs.mysql.com/bug.php?id=57255

    It has been fixed now – I compiled the .53 source and the issue has gone away for me.

    A dotdeb package would be much appreciated however!

    Reply
  7. dave

    Jools, yes I followed those but for 53 and it worked fine.

    Just saying there should be dotdeb ones so I don't have to do that ;)

    Reply
