The security improvements related to creation of table files and to user-defined functions were made after MySQL 4.1.10 was released and are present in MySQL 4.1.10a. We would like to thank Stefano Di Paola <stefano.dipaola@wisec.it> for making us aware of these.
        
End of Product Lifecycle. Active development and support for MySQL Database Server versions 3.23, 4.0, and 4.1 has ended. For details, see http://www.mysql.com/about/legal/lifecycle/#calendar. Please consider upgrading to a recent version. Further updates to the content of this manual will be minimal. All formats of this manual will continue to be available until 31 Dec 2010.
Functionality added or changed:
Thread stack size was increased from 192KB to 256KB on Linux/IA-64 (too small stack size was causing server crashes on some queries). (Bug#8391)
Setting the connection collation to a value different from the server collation followed by a CREATE TABLE statement that included a quoted default value resulted in a server crash. (Bug#8235)
The server now issues a warning when lower_case_table_names = 2 and the data directory is on a case-sensitive file system, just as when lower_case_table_names = 0 on a case-insensitive file system. (Bug#7887)
The server now issues a warning to the error log when it encounters older tables that contain character columns that might be interpreted by newer servers to have a different column length. See Section 2.11.1.1, “Upgrading from MySQL 4.0 to 4.1”, for a discussion of this problem and what to do about it. (Bug#6913)
Added mysql_library_init() and mysql_library_end() as synonyms for the mysql_server_init() and mysql_server_end() C API functions. mysql_library_init() and mysql_library_end() are #define symbols, but the names more clearly indicate that they should be called when beginning and ending use of a MySQL C API library no matter whether the application uses libmysqlclient or libmysqld. (Bug#6149)
InnoDB: Relaxed locking in INSERT ... SELECT, single table UPDATE ... (SELECT) and single table DELETE ... (SELECT) clauses when innodb_locks_unsafe_for_binlog is used and isolation level of the transaction is not SERIALIZABLE. InnoDB uses consistent read in these cases for a selected table.
From the Windows distribution, predefined accounts without passwords for remote users ('root'@'%', ''@'%') were removed (other distributions never had them).
InnoDB: When MySQL/InnoDB is compiled on Mac OS X 10.2 or earlier, detect the operating system version at run time and use the fcntl() file flush method on Mac OS X versions 10.3 and later. In Mac OS X, fsync() does not flush the write cache in the disk drive, but the special fcntl() does; however, the flush request is ignored by some external devices. Failure to flush the buffers may cause severe database corruption at power outages.
Security improvement: User-defined functions should have at least one symbol defined in addition to the xxx symbol that corresponds to the main xxx() function. These auxiliary symbols correspond to the xxx_init(), xxx_deinit(), xxx_reset(), xxx_clear(), and xxx_add() functions. mysqld by default no longer loads UDFs unless they have at least one auxiliary symbol defined in addition to the main symbol. The --allow-suspicious-udfs option controls whether UDFs that have only an xxx symbol can be loaded. By default, the option is off. mysqld also checks UDF file names when it reads them from the mysql.func table and rejects those that contain directory path name separator characters. (It already checked names as given in CREATE FUNCTION statements.) See Section 18.2.2.1, “UDF Calling Sequences for Simple Functions”, Section 18.2.2.2, “UDF Calling Sequences for Aggregate Functions”, and Section 18.2.2.6, “User-Defined Function Security Precautions”. Thanks to Stefano Di Paola <stefano.dipaola@wisec.it> for finding and informing us about this issue. (CVE-2005-0709, CVE-2005-0710)
Added back faster subquery execution from 4.1.8. This also adds back a bug from 4.1.8 in comparing NULL to the value of a subquery. See Section A.5.8.4, “Open Issues in MySQL”.
Security improvement: The server creates .frm, .MYD, .MYI, .MRG, .ISD, and .ISM table files only if a file with the same name does not already exist. Thanks to Stefano Di Paola <stefano.dipaola@wisec.it> for finding and informing us about this issue. (CVE-2005-0711)
InnoDB: A shared record lock (LOCK_REC_NOT_GAP) is now taken for a matching record in the foreign key check because inserts can be allowed into gaps.
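The two load-time checks from the user-defined function entry above (CVE-2005-0709, CVE-2005-0710), written as a small C sketch. This is an added example, not MySQL source code: the export lists are constructed stand-ins for what dlsym() would resolve in a real loader, metaphon is a sample function name, and treating both / and \ as path separators is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Auxiliary suffixes named in the changelog entry. */
static const char *const AUX[] = { "_init", "_deinit", "_reset", "_clear", "_add" };

/* Constructed export lists standing in for what dlsym() would resolve. */
static const char *const FULL_UDF[] = { "metaphon", "metaphon_init", "metaphon_deinit", NULL };
static const char *const BARE_LIB[] = { "metaphon", NULL };

/* Return 1 if sym appears in the NULL-terminated export list. */
static int exports_symbol(const char *const *exports, const char *sym)
{
    for (; *exports != NULL; exports++)
        if (strcmp(*exports, sym) == 0)
            return 1;
    return 0;
}

/* File name check: bare library name only. Treating both '/' and '\\'
   as separators is an assumption of this sketch. */
int udf_dl_name_ok(const char *dl)
{
    return dl != NULL && dl[0] != '\0' && strpbrk(dl, "/\\") == NULL;
}

/* Symbol check: xxx must exist, plus at least one auxiliary symbol unless
   allow_suspicious (modelling --allow-suspicious-udfs) is set. */
int udf_symbols_ok(const char *const *exports, const char *name, int allow_suspicious)
{
    char sym[128];
    size_t i;
    if (!exports_symbol(exports, name))
        return 0;
    if (allow_suspicious)
        return 1;
    for (i = 0; i < sizeof AUX / sizeof AUX[0]; i++) {
        int n = snprintf(sym, sizeof sym, "%s%s", name, AUX[i]);
        if (n > 0 && (size_t)n < sizeof sym && exports_symbol(exports, sym))
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("full=%d bare=%d path=%d\n", udf_symbols_ok(FULL_UDF, "metaphon", 0),
           udf_symbols_ok(BARE_LIB, "metaphon", 0), udf_dl_name_ok("../udf_example.so"));
    return 0;
}
```

A library that exports only the main symbol is refused unless the override is set, and a name containing a separator is refused regardless of what the library exports.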
      
Bugs fixed:
Replication: Multiple-table updates did not replicate properly to slave servers where --replicate-*-table options had been specified. (Bug#7011)
LOAD INDEX statement now loads the index into memory. (Bug#8452)
DELETE FROM tbl_name ... WHERE ... ORDER BY tbl_name.col_name when the ORDER BY column was qualified with the table name caused the server to crash. (Bug#8392)
Cardinality estimates for HASH indexes of TEMPORARY tables created using MEMORY storage engine were inaccurate. As a result, queries that were using this index (as shown by EXPLAIN) could return incorrect results. (Bug#8371)
If multiple prepared statements were executed without retrieving their results, executing one of them again would cause the client program to crash. (Bug#8330)
Certain joins used with boolean full-text search could cause the server to crash. (Bug#8234)
Add description of debug command to mysqladmin help output. (Bug#8207)
Removed a dependence of boolean full-text search on --default-character-set option. (Bug#8159)
Modify SET statements produced by mysqldump to write quoted strings using single quotes rather than double quotes. This avoids problems if the dump file is reloaded while the ANSI_QUOTES SQL mode is in effect. (Bug#8148)
Strings that began with CHAR(31) were considered equal to the empty string. (Bug#8134)
Re-execution of prepared statements containing subqueries caused the server to crash. (Bug#8125)
Certain correlated subqueries with forward references (referring to an alias defined later in the outer query) could crash the server. (Bug#8025)
Corrected a problem with references to DUAL where statements such as SELECT 1 AS a FROM DUAL would succeed but statements such as SELECT 1 AS a FROM DUAL LIMIT 1 would fail. (Bug#8023)
Comparing a nested row expression (such as ROW(1,(2,3))) with a subquery caused the server to crash. (Bug#8022)
InnoDB: Fixed a bug introduced in 4.1.9, where, if you used innodb_file_per_table with the Windows version of MySQL, mysqld stopped with Windows error 87. (See the Bugs database or the MySQL 4.1.9 changelog for information about a workaround for the issue in 4.1.9). (Bug#8021)
The number of columns in a row comparison against a subquery was calculated incorrectly. (Bug#8020)
mysqld had problems finding its language files if the --basedir value was specified as a very long path name. (Bug#8015)
mysql_stmt_close() C API function was not clearing an error indicator when a previous prepare call failed, causing subsequent invocations of error-retrieving calls to indicate spurious error values. (Bug#7990)
Executing a multi-statement query more than once with the query cache active could yield incorrect result sets. (Bug#7966)
A slave running MySQL 3.23.51 or newer hung while trying to connect to a master running MySQL 3.23.50 or older. (The reason for this was a bug in the old masters, where SELECT @@unknown_var caused the server to hang, which was fixed in MySQL 3.23.50.) (Bug#7965)
Erroneous output resulted from SELECT DISTINCT combined with a subquery and GROUP BY. (Bug#7946)
FOUND_ROWS() returned an incorrect value after a SELECT SQL_CALC_FOUND_ROWS DISTINCT statement that selected constants and included GROUP BY and LIMIT clauses. (Bug#7945)
SHOW INDEX reported Sub_part values in bytes rather than characters for columns with a multi-byte character set. (Bug#7943)
Changed mysql client so that including \p as part of a prompt command uses the name of the shared memory connection when the connection is using shared memory. (Bug#7922)
If the CONVERT_TZ() function was used in a SELECT that in turn was used in a CREATE TABLE statement, the system time zone tables were added to the list of tables joined in the SELECT, and thus an erroneous result was produced. (Bug#7899)
Comparing the result of a subquery to a nonexistent column caused the server to crash. This issue affected MySQL on Windows platforms only. (Bug#7885)
ALTER TABLE improperly accepted an index on a TIMESTAMP column that CREATE TABLE would reject. (Bug#7884)
MySQL allowed concurrent updates (including inserts and deletes) to a table if binary logging was enabled. Now, all updates are executed in a serialized fashion, because they are executed serialized when the binary log is replayed. (Bug#7879)
Ensured that mysqldump --single-transaction sets its transaction isolation level to REPEATABLE READ before proceeding (otherwise if the MySQL server was configured to run with a default isolation level lower than REPEATABLE READ it could give an inconsistent dump). (Bug#7850)
InnoDB: ALTER TABLE ... ADD CONSTRAINT PRIMARY KEY ... complained about bad foreign key definition. (Bug#7831)
mysqlbinlog forgot to add backquotes around the collation of user variables (causing later parsing problems as BINARY is a reserved word). (Bug#7793)
A Table is full error occurred when the table was still smaller than max_heap_table_size. (Bug#7791)
Multiple-table UPDATE statements could cause spurious Table '#sql_....' is full errors if the number of rows to update was sufficiently large. (Bug#7788)
Conversion of floating-point values to character values was not performed correctly when the absolute value of the float was less than 1 (including negative values). (Bug#7774)
Use of GROUP_CONCAT() with HAVING caused the server to crash. (Bug#7769)
The CONV() function returned an unsigned BIGINT number, which does not fit in 32 bits. (Bug#7751)
The IN() operator did not return correct results if all values in the list were constants and some of them used substring functions such as LEFT(), RIGHT(), or MID(). (Bug#7716)
The CONVERT_TZ() function, when its second or third argument was from a const table, caused the server to crash. (See Section 12.7.2, “EXPLAIN Syntax”.) (Bug#7705)
The TIMEDIFF() function returned incorrect results if one of its arguments had a nonzero microsecond part. (Bug#7586)
TIMESTAMP columns with their display width so specified were not treated as identical to DATETIME columns when the server was run in MAXDB mode. (Bug#7418)
perror.exe was always returning “Unknown error” on Windows. See Section 4.8.1, “perror — Explain Error Codes”. (Bug#7390)
SHOW INDEX on a MERGE table could cause debug versions of the server to crash. (Bug#7377)
Handling of trailing spaces was incorrect for the ucs2 character set. (Bug#7350)
Adding an ORDER BY clause for an indexed column caused a SELECT to return an empty result. (Bug#7331)
ALTER TABLE on a TEMPORARY table with a mixed-lettercase name could cause the table to disappear when lower_case_table_names was set to 2. (Bug#7261)
For indexes, SHOW CREATE TABLE now displays the index type even if it is the default, for storage engines that support multiple index types. (Bug#7235)
Updates were being written to the binary log when there were binlog-do-db or binlog-ignore-db options even when there was no current database, contrary to Section 14.9.1, “Evaluation of Database-Level Replication and Binary Logging Options”. (Bug#6749)
CREATE TABLE ... LIKE failed on Windows when the source or destination table was located in a symlinked database directory. (Bug#6607)
Column headers in query results retrieved from the query cache could be corrupted when a non-4.1 client was served a result originally generated for a 4.1 client. The query cache was not keeping track of which client/server protocol was being used. (Bug#6511)
Correct a problem with mysql_config, which was failing to produce proper zlib option for linking under some circumstances. (Bug#6273)
Nonnumeric values inserted into a YEAR column were being stored as 2000 rather than as 0000. (Bug#6067)
mysql_stmt_prepare() was very slow when used in client programs on Windows. (Bug#5787)
A HAVING clause that referred to RAND() or a user-defined function in the SELECT part of a query through an alias could cause MySQL to crash or to return an incorrect value. (Bug#5185)
Key cache statistics were reported incorrectly by the server after receipt of a SIGHUP signal. (Bug#4285)
A problem with UNION statements resulted in the wrong number of examined rows being reported in the slow query log.
A symlink vulnerability in the mysqlaccess script was reported by Javier Fernandez-Sanguino Pena and Debian Security Audit Team. (CVE-2005-0004)
InnoDB: Use native tmpfile() function on Netware. All InnoDB temporary files are created under sys:\tmp. Previously, InnoDB temporary files were never deleted on Netware.
The combination of -not and trunc* operators in a full-text search did not work correctly. Using more than one truncated negative search term caused the result to be empty.
InnoDB: A rare race condition could cause an assertion in DROP TABLE or in ALTER TABLE.


User Comments
CONCAT now works as it should when you've SET NAMES to a different charset than your data. (http://bugs.mysql.com/7874)