For full changes, refer http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html.
Here is security related changes.
* Security Fix: The server failed to check the table name argument of
a COM_FIELD_LIST command packet for validity and compliance to
acceptable table name standards. This could be exploited to bypass
almost all forms of checks for privileges and table-level grants by
providing a specially crafted table name argument to COM_FIELD_LIST.
In MySQL 5.0 and above, this allowed an authenticated user with
SELECT privileges on one table to obtain the field definitions of
any table in all other databases and potentially of other MySQL
instances accessible from the server's file system.
Additionally, for MySQL version 5.1 and above, an authenticated user
with DELETE or SELECT privileges on one table could delete or read
content from any other table in all databases on this server, and
potentially of other MySQL instances accessible from the server's
file system. (Bug#53371, CVE-2010-1848)
* Security Fix: The server was susceptible to a buffer-overflow attack
due to a failure to perform bounds checking on the table name
argument of a COM_FIELD_LIST command packet. By sending long data
for the table name, a buffer is overflown, which could be exploited
by an authenticated user to inject malicious code. (Bug#53237,
CVE-2010-1850)
* Security Fix: The server could be tricked into reading packets
indefinitely if it received a packet larger than the maximum size of
one packet. (Bug#50974, CVE-2010-1849)
This release fixes a large number of bugs and security vulnerabilities
including SA37372.
For detailed list of all the changes since 5.0.67 have a look here, please:
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-x.html
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit marker, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
For complete changes, please refer
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-67.html.
Here is a part of it.
Functionality added or changed:
Security Enhancement:
To enable stricter control over the location from which user-defined
functions can be loaded, the plugin_dir system variable has been
backported from MySQL 5.1. If the value is non-empty, user-defined
function object files can be loaded only from the directory named by this
variable. If the value is empty, the behavior that is used before 5.0.67
applies: The UDF object files must be located in a directory that is
searched by your system's dynamic linker. (Bug#37428)
Important Change: Incompatible Change:
The FEDERATED storage engine is now disabled by default in the .cnf files
shipped with MySQL distributions (my-huge.cnf, my-medium.cnf, and so
forth). This affects server behavior only if you install one of these
files. (Bug#37069)
Cluster API: Important Change:
Because NDB_LE_MemoryUsage.page_size_kb shows memory page sizes in bytes
rather than kilobytes, it has been renamed to page_size_bytes. The name
page_size_kb is now deprecated and thus subject to removal in a future
release, although it currently remains supported for reasons of backward
compatibility. See The Ndb_logevent_type Type, for more information about
NDB_LE_MemoryUsage. (Bug#30271)
Important Change:
Some changes were made to CHECK TABLE ... FOR UPGRADE and REPAIR TABLE
with respect to detection and handling of tables with incompatible .frm
files (files created with a different version of the MySQL server). These
changes also affect mysqlcheck because that program uses CHECK TABLE and
REPAIR table, and thus also mysql_upgrade because that program invokes
mysqlcheck.
patches to add it). Drop pax from the default USE_TOOLS list.
Make bsdtar the default for those places that wanted gtar to extract
long links etc, as bsdtar can be built of the tree.
the termcap libraries. Including termcap.buildlink3.mk (indirectly
through including readline/buildlink3.mk) will do the right thing.
+ Remove readline dependency from Makefile.common and add it into
mysql5-client/Makefile. Only the -client package needs and uses
readline. The -server package only "needs" it to placate the
configure script, but none of its installed binaries are linked
against it.
+ Add full DESTDIR support to the -client and -server packages.
Bump the PKGREVISION of mysql5-client to 3.
The PKGREVISION of mysql5-server remains unchanged since there are
no user-visible changes to the binary package.
Change since version 5.0.41:
- Functionality added or changed:
- A new status variable, Com_call_procedure, indicates the number of calls
to stored procedures. (Bug#27994)
- NDB Cluster: The server source tree now includes scripts to simplify
building MySQL with SCI support. For more information about SCI
interconnects and these build scripts, see Section 15.9.1,
Configuring MySQL Cluster to use SCI Sockets. (Bug#25470)
- Prior to this release, when DATE values were compared with DATETIME values
the time portion of the DATETIME value was ignored. Now a DATE value is
coerced to the DATETIME type by adding the time portion as 00:00:00. To
mimic the old behavior use the CAST() function in the following way:
SELECT date_field = CAST(NOW() as DATE);. (Bug#28929)
- A large number of bugs including these security problems have been fixed:
- A malformed password packet in the
connection protocol could cause the server to crash. Thanks for Dormando
for reporting this bug and providing details and a proof of concept.
(Bug#28984)
- CREATE TABLE LIKE did not require any privileges on the source table. Now
it requires the SELECT privilege. (Bug#25578)
- In addition, CREATE TABLE LIKE was not isolated from alteration by other
connections, which resulted in various errors and incorrect binary log
order when trying to execute concurrently a CREATE TABLE LIKE statement
and either DDL statements on the source table or DML or DDL statements on
the target table. (Bug#23667)
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
* Added the SHOW PROFILES and SHOW PROFILE statements to display statement
profile data, and the accompanying INFORMATION_SCHEMA.PROFILING table.
* Added the Uptime_since_flush_status status variable, which indicates the
number of seconds since the most recent FLUSH STATUS statement.
* Incompatible change in DATE_FORMAT().
* NDB Cluster: The LockPagesInMainMemory configuration parameter has changed
its type and possible values.
* The bundled yaSSL library was upgraded to version 1.5.8.
* The --skip-thread-priority option now is enabled by default for binary Mac
OS X distributions. Use of thread priorities degrades performance on Mac OS X.
* Added the --disable-grant-options option to configure.
* Bug fixes.
This is a bugfix release for the current production release family.
MySQL 5.0.26 introduced an ABI incompatibility, which this release
reverts. Programs compiled against 5.0.26 are not compatible with
any other version and must be recompiled.
This is a bugfix release for the current production release family.
It replaces MySQL 5.0.24.
Changes from 5.0.24 to 5.0.24a:
MySQL 5.0.24 introduced an ABI incompatibility, which this release reverts.
Programs compiled against 5.0.24 are not compatible with any other version
and must be recompiled.
Closing of temporary tables failed if binary logging was not enabled.
For statements that have a DEFINER clause such as CREATE TRIGGER or
CREATE VIEW, long usernames or hostnames could cause a buffer overflow.
Pathname separator and device characters were not correctly parameterized
for NetWare, causing mysqld startup errors.
mysqld could crash when closing temporary tables.
Changes since version 5.0.22:
- Security fix: If a user has access to MyISAM table t, that user can
create a MERGE table m that accesses t. However, if the user's
privileges on t are subsequently revoked, the user can continue to
access t by doing so through m. If this behavior is undesirable, you
can start the server with the new --skip-merge option to disable the
MERGE storage engine. (Bug#15195)
- In the INFORMATION_SCHEMA.ROUTINES table the ROUTINE_DEFINITION
column now is defined as NULL rather than NOT NULL. Also, NULL rather
than the empty string is returned as the column value if the user does
not have sufficient privileges to see the routine
definition. (Bug#20230)
- Several other bug fixes
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto