-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2011.0123
              MySQL Community Server 5.6.4 has been released
                             21 December 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              MySQL prior to 5.6.4
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Denial of Service -- Existing Account
Resolution:           Patch/Upgrade
Member content until: Friday, January 20 2012

OVERVIEW

        MySQL 5.6.4 fixes a number of bugs that could potentially be
        exploited.


IMPACT

        "Previously, MySQL servers from 5.1 and up refused to open ARCHIVE
        tables created in 5.0 because opening them caused a server crash. The
        server now can open 5.0 ARCHIVE tables, and REPAIR TABLE updates them
        to the format used in 5.6. However, the recommended upgrade procedure
        is still to dump 5.0 ARCHIVE tables before upgrading and reload them
        after upgrading. (Bug #48633, Bug #11756687)" [1]
        
        "Security Enhancement: Replication: The START SLAVE statement now accepts
        USER and PASSWORD options. By default, MySQL native authentication is
        used, and the user name and password are stored in the master.info
        repository. This behavior can be overridden by additionally specifying
        the name (DEFAULT_AUTH) and location (PLUGIN_DIR) of an authentication
        plugin when issuing START SLAVE. (Bug #13083642)" [1]
        
        "A derived table with more than 64 columns caused a server crash.
        (Bug #13354889)" [1]
        
        "ARCHIVE tables with NULL columns could cause server crashes or become
        corrupt under concurrent load. (Bug #51252, Bug #11758979)" [1]
        
        "For FEDERATED tables, loss of connection to the remote table during
        some insert operations could cause a server crash. (Bug #34660,
        Bug #11747970)" [1]


MITIGATION

        It is recommended that users upgrade to the latest version of MySQL,
        which is available from the MySQL website at:
        http://dev.mysql.com/downloads/mysql/


REFERENCES

        [1] Changes in MySQL 5.6.4 (20 December 2011 Milestone 7)
            http://dev.mysql.com/doc/refman/5.6/en/news-5-6-4.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----