ALT Linux sysadmins discussion
* [Sysadmins] Fwd: Clarification: MySQL 3.23 and 4.0 are NOT affected by the recent multibyte SQL injection problem
@ 2006-06-09 13:34 Michael Shigorin
From: Michael Shigorin @ 2006-06-09 13:34 UTC (permalink / raw)
  To: sysadmins

----- Forwarded message from Joerg Bruehe <joerg/mysql.com> -----

Date: Thu, 08 Jun 2006 12:02:59 +0200
From: Joerg Bruehe <joerg/mysql.com>
To: announce/lists.mysql.com
Subject: Clarification: MySQL 3.23 and 4.0 are NOT affected by the recent multibyte SQL injection problem
Cc: MySQL General List <mysql/lists.mysql.com>,
	packagers/lists.mysql.com

Hi,


this is in reply to various questions that have reached us after the 
recent security fix, contained in MySQL 4.1.20, 4.0.22, and 5.1.11-beta:


The problem was a possible "SQL injection" risk, if the application sent 
data using some multi-byte character sets, due to an incorrect parsing 
in the server of strings generated by mysql_real_escape_string().

It had been introduced in 4.1 only, it does NOT affect any earlier 
version (4.0 or 3.23).

As 3.23 and 4.0 never had this security risk, there is nothing to fix in 
these releases.


We are sorry if anybody got the impression we were neglecting any such 
security risk in older releases.


Enjoy!
Joerg

-- 
Joerg Bruehe, Senior Production Engineer
MySQL AB, www.mysql.com


-- 
MySQL Packagers Mailing List
For list archives: http://lists.mysql.com/packagers

----- End forwarded message -----

-- 
 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/

