Date: Fri, 9 Jun 2006 16:34:29 +0300
From: Michael Shigorin
To: sysadmins@lists.altlinux.org
Message-ID: <20060609133429.GC20258@osdn.org.ua>
Subject: [Sysadmins] Fwd: Clarification: MySQL 3.23 and 4.0 are NOT affected by the recent multibyte SQL injection problem

----- Forwarded message from Joerg Bruehe -----

Date: Thu, 08 Jun 2006 12:02:59 +0200
From: Joerg Bruehe
To: announce/lists.mysql.com
Subject: Clarification: MySQL 3.23 and 4.0 are NOT affected by the recent multibyte SQL injection problem
Cc: MySQL General List, packagers/lists.mysql.com

Hi,

this is in reply to various questions that have reached us after the recent security fix, contained in MySQL 4.1.20, 4.0.22, and 5.1.11-beta:

The problem was a possible "SQL injection" risk, if the application sent data using some multi-byte character sets, due to an incorrect parsing in the server of strings generated by mysql_real_escape_string().

It had been introduced in 4.1 only, it does NOT affect any earlier version (4.0 or 3.23).

As 3.23 and 4.0 never had this security risk, there is nothing to fix in these releases.

We are sorry if anybody got the impression we were neglecting any such security risk in older releases.

Enjoy!
Joerg

--
Joerg Bruehe, Senior Production Engineer
MySQL AB, www.mysql.com

----- End forwarded message -----

--
---- WBR, Michael Shigorin
------ Linux.Kiev http://www.linux.kiev.ua/