April 16, The H – (International) Oracle accidentally releases MySQL DoS proof of concept. Oracle accidentally released a MySQL denial-of-service (DoS) proof of concept in the process of fixing the same problem. In March, the company released updates to MySQL, versions 5.5.22 and 5.1.62, which referred in their changes to “Security Fix: Bug #13510739 and Bug #63775 were fixed” with no other details on the problems. It is common practice to keep secret the details of issues that could be used against older versions of software; even the bug reports for 13510739 and 63775 were not yet publicly available. However, as a security researcher found, Oracle also shipped the new MySQL versions with a development script “mysqltest/suite/innodb/t/innodb_bug13510739.test” in the source that appeared to be not only part of the automated testing for MySQL, but also a proof of concept for the flaw that crashes MySQL 5.5.21 and earlier versions. The researcher posted the script on Pastebin; it requires authenticated access and appropriate privileges to be run, which mitigates the problem to a certain degree.
Ali Loney, on April 16, 2012