Server maintenance on 23.07.2013

On 23.07., security updates to the web and e-mail services were applied between 21:30 and 22:00.

Apache 2.2.25

*) SECURITY: CVE-2013-1896 (cve.mitre.org)
mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
the source href (sent as part of the request body as XML) pointing to a
URI that is not configured for DAV will trigger a segfault. [Ben Reser]

*) SECURITY: CVE-2013-1862 (cve.mitre.org)
mod_rewrite: Ensure that client data written to the RewriteLog is
escaped to prevent terminal escape sequences from entering the
log file. [Eric Covener, Jeff Trawick, Joe Orton]
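As an added illustration of the class of problem fixed by CVE-2013-1862 (this is not Apache's code, and the function name escape_logitem is a hypothetical stand-in for the escaping httpd applies), the routine below rewrites any non-printable byte in client-supplied data as \xHH before it is written to a log, so an ANSI escape sequence smuggled in a request cannot be replayed into an administrator's terminal when the log is viewed:

```c
#include <stdio.h>
#include <string.h>

/* Escape untrusted client data before logging it. Control characters
 * (including ESC, 0x1b, which starts terminal escape sequences), DEL and
 * 8-bit bytes become \xHH; backslash and double quote are backslash-escaped.
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * output buffer is too small. Modelled on the escaping behaviour described
 * in the changelog entry above; not the httpd implementation itself. */
static int escape_logitem(const char *in, size_t inlen, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        const char *simple = NULL;
        switch (c) {
        case '\n': simple = "\\n";  break;
        case '\r': simple = "\\r";  break;
        case '\t': simple = "\\t";  break;
        case '\\': simple = "\\\\"; break;
        case '"':  simple = "\\\""; break;
        default: break;
        }
        if (simple) {
            if (o + 2 >= outsz) return -1;
            out[o++] = simple[0];
            out[o++] = simple[1];
        } else if (c < 0x20 || c >= 0x7f) {
            /* generic escape for everything that is not printable ASCII */
            if (o + 4 >= outsz) return -1;
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Convenience wrapper for NUL-terminated strings. */
static int escape_logitem_str(const char *in, char *out, size_t outsz)
{
    return escape_logitem(in, strlen(in), out, outsz);
}

int main(void)
{
    /* constructed sample: a request path carrying a "clear screen" sequence */
    const char raw[] = "/index.html?q=\x1b[2J\x1b[H\"evil\"\\";
    char safe[256];
    int n = escape_logitem_str(raw, safe, sizeof safe);
    printf("%d bytes: %s\n", n, safe);
    return 0;
}
```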

*) core: Limit ap_pregsub() to 64MB and add ap_pregsub_ex() for longer
strings. The default limit for ap_pregsub() can be adjusted at compile
time by defining AP_PREGSUB_MAXLEN. [Stefan Fritsch, Jeff Trawick]

*) core: Support the SINGLE_LISTEN_UNSERIALIZED_ACCEPT optimization
on Linux kernel versions 3.x and above. PR 55121. [Bradley Heilbrun]

*) mod_setenvif: Log error on substitution overflow.
[Stefan Fritsch]

*) mod_ssl/proxy: enable the SNI extension for backend TLS connections
[Kaspar Brand]

*) mod_proxy: Use the same hostname for SNI as for the HTTP request when
forwarding to SSL backends. PR 53134.
[Michael Weiser , Ruediger Pluem]

*) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
in the error log to debug level. [William Rowe]

*) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
[Keith Burdis , Joe Orton, Kaspar Brand]

*) mod_proxy_balancer: Added balancer parameter failontimeout to allow server
admin to configure an IO timeout as an error in the balancer.
[Daniel Ruggeri]

*) mod_authnz_ldap: Allow using exec: calls to obtain LDAP bind
password. [Daniel Ruggeri]

*) htdigest: Fix buffer overflow when reading digest password file
with very long lines. PR 54893. [Rainer Jung]

*) mod_dav: Ensure URI is correctly uriencoded on return. PR 54611
[Timothy Wood ]

*) mod_dav: Make sure that when we prepare an If URL for Etag comparison,
we compare unencoded paths. PR 53910 [Timothy Wood ]

*) mod_dav: Sending an If or If-Match header with an invalid ETag doesn't
result in a 412 Precondition Failed for a COPY operation. PR 54610
[Timothy Wood ]

*) mod_dav: When a PROPPATCH attempts to remove a non-existent dead
property on a resource for which there is no dead property in the same
namespace httpd segfaults. PR 52559 [Diego Santa Cruz]

*) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
PR 52559 [Diego Santa Cruz ]

*) mod_dav: Do not segfault on PROPFIND with a zero length DBM.
PR 52559 [Diego Santa Cruz ]

Libxml 2.9.1

Features:
Support for Python3 (Daniel Veillard),
Add xmlXPathSetContextNode and xmlXPathNodeEval (Alex Bligh)
Documentation:
Add documentation for xmllint --xpath (Daniel Veillard),
Fix the URL of the SAX documentation from James (Daniel Veillard),
Fix spelling of "length". (Michael Wood)
Portability:
Fix python bindings with versions older than 2.7 (Daniel Veillard),
rebuild docs:Makefile.am (Roumen Petrov),
elfgcchack.h after rebuild in doc (Roumen Petrov),
elfgcchack for buf module (Roumen Petrov),
Fix an unneeded and wrong extra link parameter (Daniel Veillard),
Few cleanup patches for Windows (Denis Pauk),
Fix rpmbuild --nocheck (Mark Salter),
Fix for win32/configure.js and WITH_THREAD_ALLOC (Daniel Richard),
Fix Broken multi-arch support in xml2-config (Daniel Veillard),
Fix a portability issue for GCC < 3.4.0 (Daniel Veillard),
Windows build fixes (Daniel Richard),
Fix a thread portability problem (Friedrich Haubensak),
Downgrade autoconf requirement to 2.63 (Daniel Veillard)
Bug Fixes:
Fix a linking error for python bindings (Daniel Veillard),
Fix a couple of return without value (Jüri Aedla),
Improve the hashing functions (Daniel Franke),
Improve handling of xmlStopParser() (Daniel Veillard),
Remove risk of lockup in dictionary initialization (Daniel Veillard),
Activate detection of encoding in external subset (Daniel Veillard),
Fix an output buffer flushing conversion bug (Mikhail Titov),
Fix an old bug in xmlSchemaValidateOneElement (Csaba László),
Fix configure cannot remove messages (Gilles Espinasse),
fix schema validation in combination with xsi:nil (Daniel Veillard),
xmlCtxtReadFile doesn't work with literal IPv6 URLs (Steve Wolf),
Fix a few problems with setEntityLoader (Alexey Neyman),
Detect excessive entities expansion upon replacement (Daniel Veillard),
Fix the flushing out of raw buffers on encoding conversions (Daniel Veillard),
Fix some buffer conversion issues (Daniel Veillard),
When calling xmlNodeDump make sure we grow the buffer quickly (Daniel Veillard),
Fix an error in the progressive DTD parsing code (Dan Winship),
xmllint should not load DTD by default when using the reader (Daniel Veillard),
Try IBM-037 when looking for EBCDIC handlers (Petr Sumbera),
Fix potential out of bound access (Daniel Veillard),
Fix large parse of file from memory (Daniel Veillard),
Fix a bug in the nsclean option of the parser (Daniel Veillard),
Fix a regression in 2.9.0 breaking validation while streaming (Daniel Veillard),
Remove potential calls to exit() (Daniel Veillard)
Improvements:
Regenerated API, and testapi, rebuild documentation (Daniel Veillard),
Fix tree iterators broken by 2to3 script (Daniel Veillard),
update all tests for Python3 and Python2 (Daniel Veillard),
A few more fixes for python 3 affecting libxml2.py (Daniel Veillard),
Fix compilation on Python3 (Daniel Veillard),
Converting apibuild.py to python3 (Daniel Veillard),
First pass at starting porting to python3 (Daniel Veillard),
updated configure.in for python3 (Daniel Veillard),
Add support for xpathRegisterVariable in Python (Shaun McCance),
Added a regression tests from bug 694228 data (Daniel Veillard),
Cache presence of '<' in entities content (Daniel Veillard),
Avoid extra processing on entities (Daniel Veillard),
Python binding for xmlRegisterInputCallback (Alexey Neyman),
Python bindings: DOM casts everything to xmlNode (Alexey Neyman),
Define LIBXML_THREAD_ALLOC_ENABLED via xmlversion.h (Tim Starling),
Adding streaming validation to runtest checks (Daniel Veillard),
Add a --pushsmall option to xmllint (Daniel Veillard)
Cleanups:
Switched comment in file to UTF-8 encoding (Daniel Veillard),
Extend gitignore (Daniel Veillard),
Silent the new python test on input (Alexey Neyman),
Cleanup of a duplicate test (Daniel Veillard),
Cleanup on duplicate test expressions (Daniel Veillard),
Fix compiler warning after 153cf15905cf4ec080612ada6703757d10caba1e (Patrick Gansterer),
Spec cleanups and a fix for multiarch support (Daniel Veillard),
Silence a clang warning (Daniel Veillard),
Cleanup the Copyright to be pure MIT Licence wording (Daniel Veillard),
rand_seed should be static in dict.c (Wouter Van Rooy),
Fix typos in parser comments (Jan Pokorný)

MySQL 5.1.70
Performance; InnoDB: Some data structures related to undo logging could be initialized unnecessarily during a query, although they were only needed under specific conditions. (Bug #14676084)

Performance; InnoDB: Optimized read operations for compressed tables by skipping redundant tests. The check for whether any related changes needed to be merged from the insert buffer was being called more often than necessary. (Bug #14329288, Bug #65886)

Performance; InnoDB: Immediately after a table was created, a query against it would not use a loose index scan. The same query might use a loose index scan following an ALTER TABLE on the table. The fix improves the accuracy of the cost estimate for queries involving the grouping functions min() and max(), and prevents the query plan from being changed by the ALTER TABLE statement. (The more stable query plan might or might not use a loose index scan.) (Bug #14200010)

InnoDB; Partitioning: Previously, when attempting to optimize one or more partitions of a partitioned table that used a storage engine that does not support partition-level OPTIMIZE, such as InnoDB, MySQL reported Table does not support optimize, doing recreate + analyze instead, then re-created the entire table, but did not actually analyze it. Now in such cases, the warning message is, Table does not support optimize on partitions. All partitions will be rebuilt and analyzed. In addition, the entire table is analyzed after first being rebuilt. (Bug #11751825, Bug #42822)

InnoDB: The status variable Innodb_buffer_pool_read_ahead_evicted could show an inaccurate value, higher than expected, because some pages in the buffer pool were incorrectly considered as being brought in by read-ahead requests. (Bug #15859402, Bug #67476)

InnoDB: Creating an index on a CHAR column could fail for a table with a character set with varying length, such as UTF-8, if the table was created with the ROW_FORMAT=REDUNDANT clause. (Bug #15874001)

InnoDB: If the server crashed at a precise moment during an ALTER TABLE operation that rebuilt the clustered index for an InnoDB table, the original table could be inaccessible afterward. An example of such an operation is ALTER TABLE … ADD PRIMARY KEY. The fix preserves the original table if the server halts during this operation. You might still need to rename the .ibd file manually to restore the original table contents: in MySQL 5.6 and higher, rename from #sql-ib$new_table_id.ibd to table_name.ibd within the database directory; prior to MySQL 5.6, the temporary file to rename is table_name#1 or #2. (Bug #14669848)

InnoDB: A regression introduced by the fix for Bug#14100254 would result in a “!BPAGE->FILE_PAGE_WAS_FREED” assertion. (Bug #14676249)

InnoDB: An error at the filesystem level, such as too many open files, could cause an unhandled error during an ALTER TABLE operation. The error could be accompanied by Valgrind warnings, and by this assertion message:

Assertion `! is_set()' failed.
mysqld got signal 6 ;
(Bug #14628410, Bug #16000909)

InnoDB: During shutdown, with the innodb_purge_threads configuration option set greater than 1, the server could halt prematurely with this error:

mysqld got signal 11
A workaround was to increase innodb_log_file_size and set innodb_purge_threads=1. The fix was backported to MySQL 5.5 and 5.1, although those versions do not have the innodb_purge_threads configuration option so the error was unlikely to occur. (Bug #14234028)

InnoDB: The value of the innodb_version variable was not updated consistently for all server releases for the InnoDB Plugin in MySQL 5.1, and the integrated InnoDB component in MySQL 5.5, 5.6, and higher. Since InnoDB and MySQL Server development cycles are fully integrated and synchronized, now the value returned by the innodb_version variable is the same as for the version variable. (Bug #13463493, Bug #63435)

Partitioning: When used with a table having multiple columns in its primary key, but partitioned by KEY using a column that was not part of the primary key as the partitioning column, a query using an aggregate function and DISTINCT such as SELECT SUM(DISTINCT pk_column_1) FROM table WHERE pk_column_2 = constant was not handled correctly. (Bug #14845133)

References: See also Bug #14495351. This bug was introduced by Bug #13025132.

Replication: Repeated execution of CHANGE MASTER TO statements using invalid MASTER_LOG_POS values could lead to errors and possibly a crash on the slave. Now in such cases, the statement fails with a clear error message. (Bug #11764602, Bug #57454)

Replication: If the disk becomes full while writing to the binary log, the server hangs until space is freed up manually. It was possible after this was done for the MySQL server to fail, due to an internal status value being set when not needed. Now in such cases, rather than trying to set this status, a warning is written in the error log instead. (Bug #11753923, Bug #45449)

Microsoft Windows: Dynamic file names (with colons) are no longer allowed. Static file names using the Alternate Data Stream (ADS) NTFS functionality of Microsoft Windows may continue to be used. (Bug #11761752)

Directory name manipulation could result in stack overflow on Mac OS X and Windows. (Bug #16066243)

A buffer-handling problem in yaSSL was fixed. (Bug #15965288)

It was possible in theory for UpdateXML() to return NULL incorrectly. (Bug #15948580)

References: See also Bug #13007062.

Metadata locking and table definition cache routines did not always check length of names passed to them. (Bug #15954872)

Enabling the query cache during high client contention could cause the server to exit. (Bug #14727815)

The server sometimes failed to respect MAX_CONNECTIONS_PER_HOUR limits on user connections. (Bug #14627287)

Passing an unknown time zone specification to CONVERT_TZ() resulted in a memory leak. (Bug #12347040)

For dumps of the mysql database, mysqldump skips the event table unless the --events option is given. mysqldump now prints a warning if invoked without --events that the mysql.event table is not dumped without that option. (Bug #55587, Bug #11762933)

For MEMORY tables with HASH indexes, DELETE sometimes failed to delete all applicable rows. (Bug #51763, Bug #11759445)

mysqld_safe used the nonportable -e test construct. (Bug #67976, Bug #16046140)

UNION type conversion could incorrectly turn unsigned values into signed values. (Bug #49003, Bug #11757005)

During the startup process, mysqld could incorrectly remove the PID file of an already running mysqld. (Bug #23790, Bug #11746142)

References: See also Bug #14726272.

Functionality Added or Changed

MySQL no longer uses the default OpenSSL compression. (Bug #16235681)

Bugs Fixed

Performance; InnoDB: The DROP TABLE statement for a table using compression could be slower than necessary, causing a stall for several seconds. MySQL was unnecessarily decompressing pages in the buffer pool related to the table as part of the DROP operation. (Bug #16067973)

Important Note; Replication: Using row-based logging to replicate from a table to a same-named view led to a failure on the slave. Now, when using row-based logging, the target object type is checked prior to performing any DML, and an error is given if the target on the slave is not actually a table.

Note
It remains possible to replicate from a table to a same-named view using statement-based logging.

(Bug #11752707, Bug #43975)

InnoDB: The page_zip_available function would count some fields twice. (Bug #16463505)

InnoDB: For InnoDB tables, if a PRIMARY KEY on a VARCHAR column (or prefix) was empty, index page compression could fail. (Bug #16400920)

InnoDB: For debug builds, InnoDB status exporting was subject to a race condition that could cause a server exit. (Bug #16292043)

InnoDB: When tables are linked by foreign key constraints, loading one table would open other linked tables recursively. When numerous tables are linked by foreign key constraints, this would sometimes lead to a thread stack overflow causing the server to exit. Tables linked by foreign key constraints are now loaded iteratively. Cascade operations, which were also performed in a recursive manner, are now performed iteratively using an explicit stack. (Bug #16244691)

InnoDB: Arithmetic underflow during page compression for CREATE TABLE on an InnoDB table could cause a server exit. (Bug #16089381)

InnoDB: This fix makes MySQL more responsive to KILL QUERY statements when the query is accessing an InnoDB table. (Bug #14704286)

InnoDB: When printing out long semaphore wait diagnostics, sync_array_cell_print() ran into a segmentation violation (SEGV) caused by a race condition. This fix addresses the race condition by allowing the cell to be freed while it is being printed. (Bug #13997024)

InnoDB: Killing a query caused an InnoDB assertion failure when the same table (cursor) instance was used again. This is the result of a regression error introduced by the fix for Bug#14704286. The fix introduced a check to handle kill signals for long running queries but the cursor was not restored to the proper state. (Bug #68051, Bug #16088883)

InnoDB: The length of internally generated foreign key names was not checked. If internally generated foreign key names were over the 64 character limit, this resulted in invalid DDL from SHOW CREATE TABLE. This fix checks the length of internally generated foreign key names and reports an error message if the limit is exceeded. (Bug #44541, Bug #11753153)

Partitioning: A query on a table partitioned by range and using TO_DAYS() as a partitioning function always included the first partition of the table when pruning. This happened regardless of the range employed in the BETWEEN clause of such a query. (Bug #15843818, Bug #49754)

Replication: A zero-length name for a user variable (such as @'') was incorrectly considered to be a sign of data or network corruption when reading from the binary log. (Bug #16200555, Bug #68135)

Replication: Backtick (`) characters were not always handled correctly in internally generated SQL statements, which could sometimes lead to errors on the slave. (Bug #16084594, Bug #68045)

References: This bug is a regression of Bug #14548159, Bug #66550.

Replication: It was possible in certain cases—immediately after detecting an EOF in the dump thread read event loop, and before deciding whether to change to a new binary log file—for new events to be written to the binary log before this decision was made. If log rotation occurred at this time, any events that occurred following EOF detection were dropped, resulting in loss of data. Now in such cases, steps are taken to make sure that all events are processed before allowing the log rotation to take place. (Bug #13545447, Bug #67929)

References: See also Bug #16016886.

A long database name in a GRANT statement could cause the server to exit. (Bug #16372927)

Incorrect results were returned if a query contained a subquery in an IN clause which contained an XOR operation in the WHERE clause. (Bug #16311231)

Invocation of the range optimizer for a NULL select caused the server to exit. (Bug #16192219)

yaSSL did not perform proper padding checks, but instead examined only the last byte of plaintext and used it to determine how many bytes to remove. (Bug #16218104)
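As an added illustration of the padding-check defect described above (this is not yaSSL code; the function names strip_padding_weak and strip_padding_strict are hypothetical), the weak variant trusts only the last byte of the CBC plaintext as the pad length, while the strict variant also requires every padding byte to carry that same value, as TLS specifies, and bounds the length before stripping. A constructed record with corrupt padding bytes is accepted by the first and rejected by the second:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS CBC padding: the last byte holds the pad length L, and the L bytes
 * before it must all equal L. Each routine returns the number of payload
 * bytes left after stripping, or -1 for invalid padding. */

/* Weak check: only the last byte is consulted. */
static int strip_padding_weak(const uint8_t *rec, size_t len)
{
    if (len == 0) return -1;
    size_t pad = rec[len - 1];
    if (pad + 1 > len) return -1;          /* avoid length underflow */
    return (int)(len - pad - 1);
}

/* Strict check: bound the pad length and verify every padding byte.
 * The loop has no early exit, so the time taken does not reveal which
 * byte was wrong. */
static int strip_padding_strict(const uint8_t *rec, size_t len)
{
    if (len == 0) return -1;
    size_t pad = rec[len - 1];
    if (pad + 1 > len) return -1;
    uint8_t bad = 0;
    for (size_t i = len - 1 - pad; i < len - 1; i++)
        bad |= rec[i] ^ (uint8_t)pad;
    if (bad) return -1;
    return (int)(len - pad - 1);
}

int main(void)
{
    /* constructed records: "hello" followed by padding for a pad length of 2 */
    const uint8_t good[] = {'h', 'e', 'l', 'l', 'o', 0x02, 0x02, 0x02};
    const uint8_t bad[]  = {'h', 'e', 'l', 'l', 'o', 0x00, 0x41, 0x02};
    printf("good: weak=%d strict=%d\n",
           strip_padding_weak(good, sizeof good),
           strip_padding_strict(good, sizeof good));
    printf("bad:  weak=%d strict=%d\n",
           strip_padding_weak(bad, sizeof bad),
           strip_padding_strict(bad, sizeof bad));
    return 0;
}
```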

SHOW COLUMNS on a view defined as a UNION of Geometry columns could cause the server to exit. (Bug #14362617)

A LIKE pattern with too many '%' wildcards could cause a segmentation fault. (Bug #14303860)

SET var_name = VALUES(col_name) could cause the server to exit. This syntax is now prohibited because in SET context there is no column name and the statement returns ER_BAD_FIELD_ERROR. (Bug #14211565)

The COM_CHANGE_USER command in the client/server protocol did not properly use the character set number in the command packet, leading to incorrect character set conversion of other values in the packet. (Bug #14163155)

Subqueries with OUTER JOIN could return incorrect results if the subquery referred to a column from another SELECT. (Bug #13068506)

Field_geom::reset() failed to reset its base Field_blob. The range optimizer used the uninitialized field during optimization and execution, causing the server to exit. (Bug #11908153)

mysql_install_db did not escape '_' in the host name for statements written to the grant tables. (Bug #11746817)

PARTITION BY KEY on a utf32 ENUM column raised a debugging assertion. (Bug #52121, Bug #11759782)

The optimizer used loose index scan for some queries for which this access method is inapplicable. (Bug #42785, Bug #11751794)

If a dump file contained a view with one character set and collation defined on a view with a different character set and collation, attempts to restore the dump file failed with an “illegal mix of collations” error. (Bug #65382, Bug #14117025)

The REPLACE() function produced incorrect results when a user variable was supplied as an argument and the operation was performed on multiple rows. (Bug #49271, Bug #11757250)

UNION ALL on BLOB columns could produce incorrect results. (Bug #50136, Bug #11758009)

View access in low memory conditions could raise a debugging assertion. (Bug #39307, Bug #11749556)

Setting max_connections to a value less than the current number of open connections caused the server to exit. (Bug #44100, Bug #11752803)

Incorrect metadata could be produced for columns returned from some views. (Bug #65379, Bug #14096619)

For debug builds, some queries with SELECT … FROM DUAL nested subqueries raised an assertion. (Bug #60305, Bug #11827369)

Adjusted MySQL configuration to account for change in Automake 1.12 that produced sql_yacc.hh rather than sql_yacc.h as expected by sql/Makefile.am. (Bug #67177, Bug #15967374)

Bugs Fixed

Important Change; Replication: When the server was running with --binlog-ignore-db and SELECT DATABASE() returned NULL (that is, there was no currently selected database), statements using fully qualified table names in dbname.tblname format were not written to the binary log. This was because the lack of a currently selected database in such cases was treated as a match for any possible ignore option rather than for no such option; this meant that these statements were always ignored.

Now, if there is no current database, a statement using fully qualified table names is always written to the binary log. (Bug #11829838, Bug #60188)

InnoDB: Valgrind testing returned memory leak errors which resulted from a regression introduced by the fix for Bug #11753153. The dict_create_add_foreign_to_dictionary function would call pars_info_create but failed to call pars_info_free. (Bug #16754901)

InnoDB: The fix for Bug #16722314 resulted in a linker error. (Bug #16798595)

InnoDB: Some characters in the identifier for a foreign key constraint are modified during table exports. (Bug #16722314, Bug #69062)

InnoDB: Crash recovery would fail with a !recv_no_log_write assertion when reading a page. (Bug #16405422)

Replication: Using the --replicate-* options (see Replication Slave Options and Variables) could in some cases lead to a memory leak on the slave. (Bug #16056813, Bug #67983)

Replication: The binary log contents got corrupted sometimes, because the function MYSQL_BIN_LOG::write_cache always thought it had reached the end-of-cache when the function my_b_fill() reported a '0', while that could also mean an error had occurred. This fix makes sure that whenever my_b_fill() returns a '0', an error check is performed on info->error. (Bug #14324766, Bug #60173)

The WKB reader for spatial operations could fail and cause a server exit. (Bug #16451878)

A GROUP_CONCAT() invocation containing subquery having an outer reference caused the server to exit. (Bug #16347343)

For debug builds, GROUP_CONCAT(… ORDER BY) within an ORDER BY clause could cause a server exit. (Bug #16347426)

If loose index scan was used on a query that used MIN(), a segmentation fault could occur. (Bug #16222245)

A prepared statement that used GROUP_CONCAT() and an ORDER BY clause that named multiple columns could cause the server to exit. (Bug #16075310)

ORDER BY MATCH … AGAINST could cause a server exit. (Bug #16073689)

When a partition is missing, code in ha_innodb.cc would retry 10 times and sleep for a microsecond each time while holding LOCK_open. The retry logic for partitioned tables was introduced as a fix for Bug#33349 but did not include a test case to validate it. This fix removes the retry logic for partitioned tables. If the problem reported in Bug#33349 reappears, a different solution will be explored. (Bug #15973904)

The mysql.server script exited with an error if the status command was executed with multiple servers running. (Bug #15852074)

When processing row-based-replication events in the old binary log format from prior to MySQL 5.1 GA builds, mysqlbinlog could result in out-of-bounds heap buffer reads and undefined behaviour. (Bug #14771299)

The mysql client allocated but did not free a string after reading each line in interactive mode, resulting in a memory leak. (Bug #14685362)

Grouping by an outer BLOB column in a subquery caused a server exit. (Bug #13966809, Bug #14700180)

The url columns in the mysql database help tables were too short to hold some of the URLs in the help content. For new installations, these columns are now created as type TEXT to accommodate longer URLs.

For upgrades, mysql_upgrade does not update the columns. Modify them manually using these statements:

ALTER TABLE mysql.help_category MODIFY url TEXT NOT NULL;
ALTER TABLE mysql.help_topic MODIFY url TEXT NOT NULL;
(Bug #61520, Bug #12671635)

The test for stack overrun did not work for recent gcc versions and could lead to server exit. (Bug #62856, Bug #13243248)

References: See also Bug #42213.

IF() function evaluations could produce different results when executed in a prepared versus nonprepared statement. (Bug #45370, Bug #11753852)
