I received an email yesterday on the MySQL announce list about a new MySQL release. This time the release fixes a security hole that was recently discovered: it seems it was possible to inject SQL statements that the application never intended to run.
Security fix: An SQL-injection security hole has been found in multibyte encoding processing. The bug was in the server, incorrectly parsing the string escaped with mysql_real_escape(). This vulnerability was discovered and reported by Josh Berkus and Tom Lane as part of the inter-project security collaboration of the OSDB consortium.
You can read more about the issue in the release statement.
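As an added illustration (not part of the original post, and not MySQL's own code), the Python below shows why escaping quotes byte by byte is unsafe once the connection character set is multibyte, such as GBK, and why the escaping has to be done with knowledge of that character set (or, better, left to parameterized queries). The function names and the sample byte strings are constructed for this example.

```python
# Added example: byte-level quote escaping versus charset-aware escaping.
# Constructed function names; sample inputs are constructed for the demo.

def naive_escape(data: bytes) -> bytes:
    """Escape ' " and \\ one byte at a time, ignoring the character set.
    Under a multibyte charset a lead byte followed by the inserted backslash
    (0x5C) can be read by the server as a single two-byte character, so the
    quote that follows is no longer escaped. This is the failure mode."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):  # ' " \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Decode in the connection charset first, escape whole characters,
    then re-encode. Byte sequences that are not valid in the charset are
    rejected (UnicodeDecodeError) instead of being passed on to the server."""
    text = data.decode(charset)
    escaped = text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return escaped.encode(charset)


def quote_is_still_escaped(escaped: bytes, charset: str) -> bool:
    """Read the escaped bytes the way a server using `charset` would and
    check that every quote character is preceded by a backslash character."""
    try:
        text = escaped.decode(charset)
    except UnicodeDecodeError:
        return False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 2  # backslash plus the character it escapes
            continue
        if ch in ("'", '"'):
            return False
        i += 1
    return True
```

With a single-byte charset the naive version is fine; with GBK the same bytes come out with an unescaped quote, while the charset-aware version refuses the invalid input outright.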
Unfortunately our issue for Mac OS X users hasn't been solved yet: we still don't get shared libraries in this release. I'm working with Jeff Stubbs on a way to provide the shared libraries. We really need them to be able to compile your own Postfix server with support for MySQL and SSL/TLS. That currently isn't possible, because MySQL provides us with static libraries which have themselves been compiled with SSL support, as noted before, so during the linking phase you end up with multiple definitions of the same symbols. We are nearing a good solution, so keep watching this space for more info.
Maybe you can help push MySQL to provide shared libraries in the binary install package by adding your voice to the bug report at the MySQL site. Add your voice by commenting on it. As far as I know this is the best way to let them know we think this is an important feature.