MySQL Enterprise Audit now supports compression and encryption of audit log files. Encryption is based on a user-defined password. To use this feature, the MySQL keyring must be enabled because audit logging uses it for password storage. MySQL Enterprise Audit also now supports logging in JSON format, in addition to the existing XML formats. For JSON format, functions are available that provide runtime log reading capabilities. For additional information, see MySQL Enterprise Audit.
Note: Compared to previous MySQL versions, interpretation of the log file name (the audit_log_file system variable value) has changed, as has log file renaming behavior at audit log plugin initialization and termination. See Naming Conventions for Audit Log Files. (WL #8838)
For RHEL, SLES, and Fedora RPMs, the default plugin directory for debug builds has been changed from /usr/lib64/mysql/plugin to /usr/lib64/mysql/plugin/debug. (Bug #27072155, Bug #88363)
The installation scripts for MySQL Enterprise Audit and MySQL Enterprise Firewall now create their associated tables in the mysql system database as InnoDB rather than MyISAM tables. (Bug #26323351, Bug #26906601)
The hardcoded memory page size of 8KB for the memory-mapped transaction coordinator was too small for platforms such as ARM64 and PowerPC where the page size is much larger. The server now invokes a system call to get the page size of the current platform rather than using a hardcoded value. A consequence for the --log-tc-size option is that the minimum and default values are now 6 times the page size. Also, the value must be a multiple of the page size. Thanks to Alexey Kopytov for the patch. (Bug #23014086, Bug #80818, Bug #26931470, Bug #87995)
InnoDB: The innodb_undo_tablespaces configuration option is deprecated and will be removed in a future MySQL version. (WL #10473)
Replication: The group_replication_allow_local_disjoint_gtids_join system variable has been deprecated and is scheduled for removal in a future MySQL version. (WL #11138)
mysqlpump no longer includes the SQL_NO_CACHE modifier in statements because that modifier is now deprecated and results in deprecation warnings. (Bug #26694675)
The Performance Schema setup_timers table is now deprecated, to be removed in MySQL 8.0, as is the TICK row in the performance_timers table. (Bug #18296337, WL #10985, WL #10986)
MySQL now supports key migration between underlying keyring keystores, permitting DBAs to switch a MySQL installation from one keyring plugin to another. See Migrating Keys Between Keyring Keystores.
MySQL Enterprise Edition now includes a keyring plugin, keyring_encrypted_file, that is similar to the keyring_file plugin in its use of a local data file for key storage, but that also encrypts the file based on a user-defined password. See Using the keyring_encrypted_file Encrypted File-Based Keyring Plugin. (WL #9769)
For the LDAP authentication plugins, handling of the group search attribute indicated by the authentication_ldap_sasl_group_search_attr and authentication_ldap_simple_group_search_attr system variables is more flexible. If the group search attribute is isMemberOf, LDAP authentication directly retrieves the user attribute isMemberOf value and assigns it as group information. If the group search attribute is not isMemberOf, LDAP authentication searches for all groups where the user is a member. (The latter is the default behavior.) This behavior is based on how LDAP group information can be stored two ways: 1) A group entry can have an attribute named memberUid or member with a value that is a user name; 2) A user entry can have an attribute named isMemberOf with values that are group names. (Bug #26317645)
The LDAP authentication plugins now permit the authentication string that provides user DN information to begin with a + character. In the absence of this character, the authentication string value is treated as is without modification, as it has been previously. If the authentication string begins with +, the plugin constructs the full user DN value from the account user name as the cn attribute value, together with the authentication string (with the + removed). The authentication string is stored as given in the mysql.user system table, with the full user DN constructed on the fly before authentication.
This account authentication string does not have + at the beginning, so it is taken as the full user DN:
    CREATE USER 'admin' IDENTIFIED WITH authentication_ldap_simple BY "cn=admin,ou=People,dc=example,dc=com";
This account authentication string does have + at the beginning, so it is taken as just part of the full user DN:
    CREATE USER 'accounting' IDENTIFIED WITH authentication_ldap_simple BY "+ou=People,dc=example,dc=com";
In this case, the full user DN is constructed using accounting as the cn attribute together with the authentication string, to yield "cn=accounting,ou=People,dc=example,dc=com". (Bug #26147775)
For the LDAP authentication plugins, the group search attribute was fixed and not configurable. Two new system variables now enable using custom group filters: authentication_ldap_sasl_group_search_filter and authentication_ldap_simple_group_search_filter. (Bug #26091340)
Incompatible Change: Passwords are now restricted to a maximum of 256 characters for the sha256_password authentication plugin, and for the PASSWORD() function when old_passwords=2. Also, the number of password hashing rounds is capped to limit CPU time used. (Bug #27099029, Bug #27194270)
The linked OpenSSL library for the MySQL Commercial Server has been updated to version 1.0.2n. Issues fixed in the new OpenSSL version are described at http://www.openssl.org/news/vulnerabilities.html.
This change does not affect the Oracle-produced MySQL Community build of MySQL Server, which uses the yaSSL library instead. (Bug #27212666, Bug #27236394)
Documentation for the MySQL Test Suite is now maintained in the MySQL source tree using Doxygen (see the MySQL Server Doxygen documentation, available at https://dev.mysql.com/doc/index-other.html). The related Unix man pages that previously were produced from the old test suite manual are no longer updated and have gone out of date. Consequently, they are no longer included in MySQL distributions. (Bug #27021754)
The MySQL test suite now includes CRC32() tests. Thanks to Daniel Black for the patch. (Bug #26495791, Bug #87136)
Group Replication: Host names can now be specified as part of a whitelist for group replication connections, using the group_replication_ip_whitelist system variable. Host names support CIDR notation. Host names that resolve to IPv6 addresses are not supported.
For host names, name resolution takes place only when a connection request is made by another server. A host name that cannot be resolved is not considered for whitelist validation, and a warning message is written to the error log. Forward-confirmed reverse DNS (FCrDNS) verification is carried out for resolved host names.
Warning: Host names are inherently less secure than IP addresses in a whitelist. FCrDNS verification provides a good level of protection, but can be compromised by certain types of attack. Specify host names in your whitelist only when strictly necessary, and ensure that all components used for name resolution, such as DNS servers, are maintained under your control. You can also implement name resolution locally using the hosts file, to avoid the use of external components.
(WL #10803, WL #11298)
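A sketch of the whitelist checks described above, as an added example that is not MySQL's implementation: it expands entries (IP, CIDR, host name, host name with prefix), ignores unresolvable names with a warning, skips IPv6 results, and accepts a host name's address only if a PTR record for that address names the same host and resolves back to it. The DNS tables, the resolver functions and the strict name-match rule are assumptions made for illustration.

```python
import ipaddress

# Constructed DNS data (documentation address ranges), standing in for real lookups.
FORWARD = {
    "db1.example.com": ["192.0.2.10"],
    "db2.example.com": ["192.0.2.20"],
    "rack.example.com": ["203.0.113.1"],
    "v6only.example.com": ["2001:db8::5"],
}
REVERSE = {
    "192.0.2.10": ["db1.example.com"],
    "192.0.2.20": ["other.example.org"],   # PTR does not point back to db2
    "203.0.113.1": ["rack.example.com"],
}
WHITELIST = ["198.51.100.7", "db1.example.com", "db2.example.com",
             "rack.example.com/24", "v6only.example.com", "gone.example.com"]


def _norm(name):
    return name.rstrip(".").lower()


def forward(host):   # hypothetical resolver: host name -> address strings
    return FORWARD.get(_norm(host), [])


def reverse(addr):   # hypothetical resolver: address -> PTR names
    return REVERSE.get(addr, [])


def fcrdns_ok(addr, host, forward, reverse):
    """True if a PTR name of addr equals host and resolves back to addr."""
    for name in reverse(addr):
        if _norm(name) == _norm(host) and addr in forward(name):
            return True
    return False


def entry_networks(entry, forward, reverse, warnings):
    """Expand one whitelist entry into the IPv4 networks it permits."""
    base, _, prefix = entry.partition("/")
    try:
        ipaddress.ip_address(base)
        is_ip = True
    except ValueError:
        is_ip = False                      # not an IP literal: a host name
    if is_ip:
        return [ipaddress.ip_network(entry, strict=False)]
    addrs = forward(base)
    if not addrs:
        warnings.append(f"cannot resolve {base}; entry ignored")
        return []
    nets = []
    for addr in addrs:
        if ipaddress.ip_address(addr).version != 4:
            continue                       # IPv6 results are not supported
        if not fcrdns_ok(addr, base, forward, reverse):
            warnings.append(f"FCrDNS failed for {base} -> {addr}")
            continue
        nets.append(ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False))
    return nets


def peer_allowed(peer, whitelist, forward, reverse):
    """Return (allowed, warnings) for a connecting peer address."""
    peer_ip = ipaddress.ip_address(peer)
    warnings, allowed = [], False
    for entry in whitelist:
        for net in entry_networks(entry, forward, reverse, warnings):
            if peer_ip in net:
                allowed = True
    return allowed, warnings


if __name__ == "__main__":
    for peer in ("192.0.2.10", "192.0.2.20", "203.0.113.77"):
        print(peer, peer_allowed(peer, WHITELIST, forward, reverse))
```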
The -DWITH_ASAN_SCOPE CMake option enables the AddressSanitizer -fsanitize-address-use-after-scope Clang flag for use-after-scope detection. The default is off. To use this option, -DWITH_ASAN must also be enabled. (Bug #27095089)
Important Change; Partitioning: Checking for tables that used the generic partitioning handler could cause delays of several minutes when starting the MySQL Server. To keep this from happening, the --disable-partition-engine-check option is now enabled by default. (Bug #85830, Bug #25846957)
Performance; JSON: Creating a representation of a JSON string now optimizes for the most common case—that the string to be processed contains no special characters that need to be escaped—scanning for the first special character in the string, and copying each sequence of characters which do not require escaping in a single memcpy() call, rather than checking each character in turn to determine whether it needed to be escaped, escaping it if so, and then copying it, one by one, as was done previously.
This fix also corrects a failure to escape the control character \u001f, or unit separator character. (Bug #86898, Bug #26388690, Bug #87722, Bug #26780307)
References: See also: Bug #25977595.
InnoDB: Multiple updates from different clients on a partitioned table caused an unexpected lock wait timeout due to an incorrectly set lock type. (Bug #26731025, Bug #87619)
InnoDB: An ALTER TABLE operation caused the server to halt. (Bug #26492721)
InnoDB: The innodb_table_stats data dictionary table was not updated with new partition names when renaming a partitioned table. (Bug #26390658, Bug #86927)
InnoDB: A FLUSH TABLES operation failed to drop an aborted index. While removing the table from the cache, the clustered index was dropped prior to checking for the aborted index. (Bug #26256456, Bug #86607)
InnoDB: An iterative approach to processing foreign cascade operations resulted in excessive memory use. (Bug #26191879, Bug #86573)
References: This issue is a regression of: Bug #16244691.
InnoDB: An INSERT operation on a table with a spatial index raised an assertion due to a failure that occurred during a lock conflict check. (Bug #25729649)
InnoDB: Warnings that should only appear in debug builds of MySQL were printed to the error log when the length of the history list exceeded 2000000. (Bug #24296076, Bug #82213)
InnoDB: Attempting to reduce the buffer pool size to less than the buffer pool chunk size did not report a warning. (Bug #23590280)
InnoDB: A “wrong key column” error was added to address an unsupported index creation scenario. (Bug #22486025)
InnoDB: Full-text search on indexed columns that use a binary collation did not return case-sensitive matches. (Bug #21625016, Bug #78048)
Packaging: When trying to install MySQL Server on Fedora 27 using the MySQL Yum repository, installation failed due to a conflict with the native mariadb-connector-c-devel package. With this fix, the appropriate “obsoletes” have been added for that and other native packages. (Bug #26963839)
Replication: The fix for Bug #26117735 (MySQL Bug #86288) could cause a debug assertion when running mysqlbinlog with the --read-from-remote-server option and the --rewrite-db option, depending on the database names specified in the rewrite rule. The issue has now been corrected. (Bug #26878022)
Replication: With MySQL compiled using yaSSL, and semisynchronous replication in use, a deadlock could be caused by incorrect handling of acknowledgement packets. Multiple acknowledgement packets can be read together by yaSSL, but the receiver thread for semisynchronous replication only handled the first acknowledgement packet seen after polling. Now, the receiver thread handles all acknowledgement packets that are present in the buffer. (Bug #26865538)
Replication: With semisynchronous replication in use, if RESET MASTER was issued while an active transaction was waiting for an acknowledgement from the slave, the count of waiting sessions in the Rpl_semi_sync_master_wait_sessions server status variable was incorrect after the wait was completed. (Bug #26748533)
Replication: XA ROLLBACK statements that failed because an incorrect transaction ID was given, could be recorded in the binary log with the correct transaction ID, and could therefore be actioned by replication slaves. A check is now made for the error situation before binary logging takes place, and failed XA ROLLBACK statements are not logged. (Bug #26618925, Bug #87393)
Replication: The receiver thread for semisynchronous replication was not able to receive acknowledgements from slaves that used compression of the master/slave protocol (slave_compressed_protocol=ON). The receiver thread now handles compressed acknowledgements correctly. (Bug #26027024, Bug #86230)
Replication: On replication slaves, in the XA_STATE field in the Performance Schema table events_transactions_current, the state of XA transactions was incorrectly reported as COMMITTED instead of PREPARED after the XA PREPARE statement was applied on the slave. (Bug #25940184)
Replication: In a multi-source replication topology, a memory leak could occur on the slave when binlog_rows_query_log_events was enabled on the master, and a statement already applied from another channel was skipped on the slave. In this situation, the instance of the Rows_query log event stored on the slave was not being deleted. The log event instance is now cleaned up and the memory is freed. Thanks to Vlad Lesin for his contribution to the patch. (Bug #25695434, Bug #85371, Bug #85034)
Replication: A memory leak was fixed in GTID-based replication. Memory was not being freed after the repository tables were updated for skipped or ignored events. (Bug #25656123, Bug #85251)
Replication: When a worker thread on a multithreaded slave failed to apply a transaction on which a later transaction depended, the coordinator thread could begin scheduling the dependent transaction before being notified of the issue. If a STOP SLAVE request was made during this situation, it caused an assertion to be raised in debug builds. (Bug #25585436)
Replication: With statement-based replication in use, if an UPDATE or DELETE statement was used inside an XA transaction ending with XA COMMIT ONE PHASE, and the statement did not affect any rows, a replication error occurred. An XA END statement was not written to the binary log, so slave servers identified the XA transaction as still being active at the time of the commit request. The required XA END statement is now written even if the transaction affected no rows. (Bug #24812958, Bug #83295)
Replication: During distributed recovery as part of joining the group, when the applier was signaling that it had applied all transactions, it was also blindly searching for partial transactions. This was to avoid future applier errors, which would happen if the applier stopped at this point. However, this search and remove only made sense for applier stop cases. Upon execution completeness it should not be done, otherwise it can corrupt or purge the applier relay log, which can lead to data loss. To solve this issue, when the applier is waiting for execution completeness, it no longer searches for and removes partial transactions. (Bug #88304, Bug #27049034)
Replication: In a group with heavy load, joining members could need to retrieve a large amount of data to gain synchrony with the group. If the amount of data retrieved exceeded the View_change packet size of 4Mb the members would fail to join the group and enter Error state. Now, the packet size is taken from slave_max_allowed_packet, which defaults to 1GB. Depending on the load your group processes, you might want to increase the packet size further by configuring slave_max_allowed_packet. (Bug #87701, Bug #26770576)
Replication: In a group where a joining member consistently received transactions, the joining member could sometimes not enter the online state. This was due to the way the incoming queue of messages was tested. (Bug #87631, Bug #26731317)
Group Replication; Microsoft Windows: On Windows, errors generated by Group Replication now contain a detailed error message rather than just the error number. (Bug #24918678)
Group Replication: When group_replication_enforce_update_everywhere_checks is ON, the Group Replication plugin checks whether there are any foreign key cascades and disallows updates to tables affected by them. SET NULL operations were not checked as part of this process, which could lead to data inconsistency. Now, when this value is ON, operations on child tables are blocked if the table has a SET NULL option configured. (Bug #25404162)
Group Replication: All servers that belong to a group must have unique UUIDs set by server_uuid, but this was not enforced by Group Replication, so that it was possible to add members with duplicate UUIDs. (Bug #88452, Bug #27105803)
Group Replication: When starting or stopping, the Group Replication plugin executes internal operations on the server such as enabling or disabling read only mode using an internal session. When this internal session was opened, if the total number of sessions exceeded the number of permitted open sessions set by max_connections, the operation failed as expected but a thread was left behind, which later caused issues. (Bug #88182, Bug #27008102, Bug #27016552)
Group Replication: If Group Replication was configured to start on server boot when the server was being initialized using --initialize or --initialize-insecure, because the replication applier infrastructure was not initialized, this resulted in an assertion. Now, Group Replication is not started when the server is being initialized. (Bug #87759, Bug #26802395)
Group Replication: Regardless of the number of virtual IPs configured on a machine, Group Replication could access only the first 12 addresses. (Bug #86772, Bug #26324852)
Microsoft Windows: On Windows, with the myisam_use_mmap and flush system variables enabled, MyISAM did not always flush table files properly. (Bug #26880757)
Microsoft Windows: On Windows, resolution was improved of a timer used for query performance assessment. (Bug #22305994, Bug #26734457)
JSON: When inserting JSON values created from the result of a GROUP BY query, the inserted values could sometimes include the concatenation of all the values previously inserted into that column. (Bug #87854, Bug #26867509)
In event items in filter rules, the audit_log plugin did not properly process values specified as a JSON array. (Bug #27010045)
VALUES() was not handled correctly in some cases. (Bug #26881946)
References: See also: Bug #19601973, Bug #17458914.
In some cases, virtual generated column expressions containing comparison operators could cause problems with subsequent statements accessing the same table. (Bug #26881855)
For debug builds, validation checks on relevant generated columns could be missed for UPDATE statements, leading to a server exit. (Bug #26838771)
The default value of the authentication_ldap_sasl_auth_method_name system variable was incorrectly set to SIMPLE rather than SCRAM-SHA-1, and the variable could be set to impermissible values. (Bug #26838525, Bug #26093370)
Linux distributions used different SASL library versions, depending on package type. (Bug #26773194)
Following an INSERT statement with BLOB values in the ON DUPLICATE KEY UPDATE clause that failed with a constraint violation, a similar statement with no reason to return an error could cause a server exit. (Bug #26734162)
The Performance Schema now stores rewritten rather than raw SQL statement text when available. (Bug #26732229)
Incorrect results or a server exit could result when SHA2() was passed a user-defined variable in some character sets. (Bug #26704451)
Building with the -DWITHOUT_SERVER=ON CMake option failed due to attempting to link the authentication_ldap_sasl_client client-side plugin against the embedded server library. (Bug #26665217)
Setting authentication_ldap_simple_max_pool_size=0 and authentication_ldap_simple_init_pool_size=0 at runtime did not disable the LDAP connection pool for the authentication_ldap_simple authentication plugin. (Bug #26646063)
Accounts that use an LDAP authentication plugin and were created without any authentication string could be authenticated by the LDAP server regardless of password specified at connect time. (Bug #26634245)
Incorrect results could be returned for queries that used an outer join and a derived table referenced a const value from an inner table of the outer join. (Bug #26627181)
AFTER UPDATE triggers were not invoked for INSERT ... ON DUPLICATE KEY UPDATE when the value to be updated and the new value were the same. (Bug #26626277, Bug #87371)
Changing the UMASK and UMASK_DIR environment variables from their default values had no effect on database directory and table file access. (Bug #26529942)
Creating a table with excessive index information could cause a server exit. (Bug #26529369)
MSI packages for Windows failed to detect when Microsoft Visual C++ 2010 Redistributable Package was installed. (Bug #26501092, Bug #87139)
audit_log plugin THD objects could be created with incorrect thread ID information, leading to assertion failure. (Bug #26362452)
When HASH_SCAN was specified as one of the values for the slave_rows_search_algorithms system variable, which is the default from MySQL 8.0.2, and row-based replication was in effect, updates to a table containing virtual generated fields could raise an assertion. The issue was caused by an error when generating string representations of the virtual generated fields in order to create hashes for use in searches. To remove the issue, MySQL no longer creates hashes for virtual generated fields. (Bug #26280724)
Attempting a partial backup with mysqlpump on a GTID-enabled server failed and produced an error message suggesting incorrectly that this was not possible. (It is possible using the --set-gtid-purged option.) (Bug #26199978)
The Performance Schema could leak memory due to nondeletion of file instances created for ALTER TABLE operations that used the table-copy algorithm. (Bug #26152751, Bug #86482)
mysqlpump did not properly parse TABLESPACE clauses in the result from SHOW CREATE TABLE statements it executed to determine table structure. (Bug #26116415)
Some statements could cause a buffer overflow in the digest code. Thanks to Laurynas Biveinis and Roel van de Paar for the patch. (Bug #26021187)
Previously, when the Performance Schema failed to initialize, it wrote a nonspecific init failed warning to the error log. Now it prints more specific messages about which memory allocation failed. (Bug #25996291)
Incorrect results could occur on a table with a unique index when the optimizer chose a Loose Index Scan even though the unique index had no index extensions. (Bug #25989915, Bug #86165, Bug #26532061, Bug #87207)
References: This issue is a regression of: Bug #21749123, Bug #78244.
Restarting the LDAP server could cause LDAP authentication plugins that used a connection pool to fail to authenticate properly. (Bug #25989788)
CREATE USER IF NOT EXISTS was not written to the binary log if the user existed. This could result in inconsistent replication behavior if the user did not exist on slave servers. A similar issue occurred for ALTER USER IF EXISTS. To avoid inconsistencies, these statements now are written to the binary log. (Bug #25813089, Bug #85733)
Incorrect handling of internal memory buffers could cause a server exit. (Bug #25737271)
MySQL did not compile with GCC 7. (Bug #25643811, Bug #26825211)
Executing a stored procedure containing a statement that created a table from the contents of certain SELECT statements could result in a memory leak. (Bug #25586773)
When an UPDATE required a temporary table having a primary key larger than 1024 bytes and that table was created using InnoDB, the server could exit. (Bug #25153670)
For geometry calculations, invalid input parameters could lead to an incorrect result buffer and cause an assertion to be raised or a server exit. (Bug #25062396)
Under some conditions, the audit_log plugin could recursively lock a mutex, resulting in an unresponsive server. (Bug #24437533)
In some cases, the optimizer chose a Loose Index Scan (QUICK_GROUP_MIN_MAX_SELECT) for a GROUP BY query even when there was a predicate with a disjunction. This is fixed by not performing a range scan when the condition in the WHERE clause results in more than one disjoint range tree. (Bug #24423143)
Setting the MYSQL_GROUP_SUFFIX environment variable had no effect. (Bug #23072792)
Queries with many left joins were slow if join buffering was used (for example, using the block nested loop algorithm). (Bug #18898433, Bug #72854)
A prepared statement containing an ORDER BY list that referred to a parameter was not always handled correctly. (Bug #87863, Bug #26867652)
The server handled triggers and generated columns incorrectly. (Bug #86637, Bug #26251621)