MySQL versions prior to 5.1.51 (5.1.50 included) are affected by a vulnerability in the processing of the arguments passed to the LEAST() and GREATEST() functions. An attacker able to run queries against the server (any database account, or an application hole such as SQL injection that lets arbitrary SQL reach the server) can exploit this issue to crash mysqld, leading to a denial-of-service (DoS) condition.
You really should upgrade your Lenny servers (amd64 or i386) to the new MySQL 5.1.51 packages from Dotdeb. As usual, don't forget to read the Changelog before upgrading.
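Before upgrading a fleet, the practical question is which servers still report a version below 5.1.51. The following is an added example (not part of this post or of the Dotdeb packages) that parses the strings SELECT VERSION() or mysqld --version return, such as "5.1.50-log" or "5.1.51-1~dotdeb.0", and flags anything older than the fixed release named above. The host names and version strings in SAMPLE_SERVERS are constructed for the example; the 5.1.51 threshold is the only fact taken from the post, so other branches (5.0.x, 5.5.x) must be checked against their own advisories.

```python
import re
from typing import Dict, Tuple

# First 5.1 release carrying the LEAST()/GREATEST() fix, as stated in the post.
FIXED_VERSION: Tuple[int, int, int] = (5, 1, 51)

# Leading numeric triple; build suffixes such as "-log", "a", "-1~dotdeb.0"
# or "-24+lenny5" are deliberately ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_mysql_version(raw: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from a MySQL version string.

    Accepts what SELECT VERSION(), mysqld --version and the Debian package
    version field look like, e.g. '5.1.50-log', '5.1.51-1~dotdeb.0',
    '5.0.51a-24+lenny5'. Raises ValueError on anything unparseable so that
    a garbled answer is never silently treated as "fixed".
    """
    m = _VERSION_RE.match(raw)
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {raw!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(raw: str, fixed: Tuple[int, int, int] = FIXED_VERSION) -> bool:
    """True when the reported version is numerically older than the fix.

    This follows the post's wording ("prior to 5.1.51") literally: it is a
    plain tuple comparison, not branch-aware.
    """
    return parse_mysql_version(raw) < fixed


def audit(servers: Dict[str, str]) -> Dict[str, bool]:
    """Map host -> affected? for a dict of host -> VERSION() output.

    Unparseable strings are reported as affected (True) so that they show
    up for manual inspection instead of disappearing from the report.
    """
    report: Dict[str, bool] = {}
    for host, raw in servers.items():
        try:
            report[host] = is_affected(raw)
        except ValueError:
            report[host] = True
    return report


# Constructed sample inventory (hypothetical hosts and outputs).
SAMPLE_SERVERS: Dict[str, str] = {
    "db1.example.test": "5.1.50-log",            # still vulnerable
    "db2.example.test": "5.1.51-1~dotdeb.0",     # Dotdeb 5.1.51, fixed
    "db3.example.test": "5.1.53",                # newer, fixed
    "db4.example.test": "unknown",               # garbage, flagged for review
}


if __name__ == "__main__":
    for host, affected in sorted(audit(SAMPLE_SERVERS).items()):
        print(f"{host}: {'UPGRADE' if affected else 'ok'}")
```

In practice the inventory would be filled by running `mysql -N -e 'SELECT VERSION()'` on each host; the parser is kept separate from the collection step so it can be unit-tested against the odd suffixes Debian and Dotdeb append.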
15 replies on “Upgrade to MySQL 5.1.51! It fixes a DoS vulnerability”
I have installed phpMyAdmin, but it says:
"Your PHP MySQL library version 5.0.51a differs from your MySQL server version 5.1.51. This may cause unpredictable behavior."
Please fix it.
@Mostafa: as has been said many times on this blog, 5.0.51a is just the version of the libmysqlclient library PHP was built with. Don't worry about that delta between the client side and the server side; it does not affect the PHP behaviour.
If only you offered your MySQL packages with Percona’s edits. 😉
Are there plans to move to version 5.1.6+? I'm more interested in the "event scheduler" feature: http://dev.mysql.com/doc/refman/5.1/en/events.html.
Keep up the good work!
@terri: the event scheduler has been part of MySQL as of MySQL 5.1.6, so MySQL 5.1.51 has it.
Any chance of packaging 5.1.52? There is a problematic critical issue with 5.1.51:
http://bugs.mysql.com/bug.php?id=57255
Many thanks! (In the meantime I will downgrade.)
@Jools: yes, as soon as it's available in Debian unstable/experimental.
Since people are running Dotdeb on production machines, would it not also be good to provide new packages when serious bugs occur, without waiting for Debian?
I've just upgraded mine manually. For anyone else this bug is affecting, you can upgrade without too much trouble (it takes some time to build and run the automated tests, though).
Download mysql-5.1.52.tar.gz from mysql.com into your working directory, then (this needs a deb-src line in sources.list for apt-get source to work):
apt-get source mysql-server-5.1        # fetch the current 5.1.51 Debian source into ./mysql-5.1-5.1.51
apt-get build-dep mysql-server-5.1     # install the build dependencies
cd mysql-5.1-5.1.51
uupdate ../mysql-5.1.52.tar.gz         # merge the Debian packaging with the new upstream tarball
cd ../mysql-5.1-5.1.52
debuild -i -us -uc -b                  # binary-only build, unsigned (-us -uc)
The packages are created in the parent folder.
Since new versions can introduce serious problems, I also think it would be a good idea to include older builds on the Dotdeb machines. This would give users the option of downgrading should a problem occur (at their own risk, of course).
Thanks for listening. Dotdeb is a much appreciated effort/resource.
Hi Guillaume,
I am trying to upgrade a 5.1.34 Dotdeb installation to 5.1.51.
I have run the following command: "apt-get upgrade mysql-server mysql-client libmysqlclient16 mysql-common"
It seems that apt wants to keep my old server:
"The following packages have been kept back:
libpurple0 mysql-server-5.1 pidgin"
Could you specify the few steps required to achieve this slight upgrade?
Many thanks for your great work.
@yaw: use a decent package manager, such as dselect, aptitude or synaptic, to resolve the dependency issue.
Perhaps you should install mysql-server-core-5.1. The libpurple0 and pidgin packages have nothing to do with Dotdeb.
There's a pretty bad bug in .51 that causes foreign keys to break in some scenarios (e.g. Magento stores) and stops you deleting rows with constraints:
http://bugs.mysql.com/bug.php?id=57255
It has been fixed now; I compiled the .53 source and the issue has gone away for me.
A Dotdeb package would be much appreciated, however!
Dave: see above. I also gave instructions on upgrading.
Jools, yes, I followed those but for .53 and it worked fine.
Just saying there should be Dotdeb ones so I don't have to do that 😉
Just did an aptitude update today and see there are now .53 packages.
Thank you!
@dave: yes, that was just a matter of (free) time. I'll post a note about MySQL 5.1.53.