RPM and Debian packages now create the
/var/lib/mysql-filesdirectory, which is now the default value of the
secure_file_privsystem variable that specifies a directory for import and export operations. (Bug #24709892, Bug #24761774)
Security Fix: The linked OpenSSL library for the MySQL Commercial Server has been updated to version 1.0.1u. For a description of issues fixed in this version, see http://www.openssl.org/news/vulnerabilities.html.
This change does not affect the Oracle-produced MySQL Community build of MySQL Server, which uses the yaSSL library instead. (Bug #24753389)
Incompatible Change: The
secure_file_privsystem variable is used to limit the effect of data import and export operations. The following changes have been made to how the server handles this variable:
secure_file_privcan be set to
NULLto disable all import and export operations.
The server checks the value of
secure_file_privat startup and writes a warning to the error log if the value is insecure. A non-
NULLvalue is considered insecure if it is empty, or the value is the data directory or a subdirectory of it, or a directory that is accessible by all users. If
secure_file_privis set to a nonexistent path, the server writes an error message to the error log and exits.
secure_file_privsystem variable was empty by default. Now the default value is platform specific and depends on the value of the
INSTALL_LAYOUTCMake option, as shown in the following table.
To specify the default
secure_file_privvalue explicitly if you are building from source, use the new
INSTALL_SECURE_FILE_PRIVDIRCMake option. To specify a directory for the embedded server, set the new
INSTALL_SECURE_FILE_PRIV_EMBEDDEDDIRoption. Its default value is
(Bug #24679907, Bug #24695274, Bug #24707666)
yaSSL was upgraded to version 2.4.2. This upgrade corrects issues with: Potential AES side channel leaks; DSA padding for unusual sizes; the
SSL_CTX_load_verify_locations()OpenSSL compatibility function failing to handle long path directory names. (Bug #24512715, Bug #24740291)