Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6313 to the following vulnerability: MySQL Server 5.1.x before 5.1.23 and 6.0.x before 6.0.4 does not check the rights of the entity executing BINLOG, which allows remote authorized users to execute arbitrary BINLOG statements. References: http://bugs.mysql.com/31611
The upstream bug report suggests this issue only affects MySQL versions 5.1 and newer. Looking into MySQL 5.0(.45), the BINLOG SQL statement is not supported / recognized. Only SHOW BINLOG ... The upstream bug report does not link any public commit message currently, so I can't tell from it what exactly was changed. It seems that the relevant change is the addition of the following check to mysql_client_binlog_statement() in sql/sql_binlog.cc:
    if (check_global_access(thd, SUPER_ACL))
      DBUG_VOID_RETURN;
This was added in between 5.1.22 and 5.1.23. The affected function / source file does not exist in MySQL 5.0. Tom, can you please back me up?
AFAICS this is irrelevant to us, since we aren't yet shipping 5.1.x (much less 6.0.x) in anything.
This issue does not affect versions of MySQL as shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5, and Fedora 7 and 8. Only versions 5.1 and newer are affected.