Important Change: Partitioning: Security Fix: It was possible, by creating a partitioned table using the DATA DIRECTORY and INDEX DIRECTORY options to gain privileges on other tables having the same name as the partitioned table. As a result of this fix, any table-level DATA DIRECTORY or INDEX DIRECTORY options are now ignored for partitioned tables. (Bug#32091, CVE-2007-5970)

See also Bug#29325, Bug#32111.

Incompatible Change: In MySQL 5.1.6, when log tables were implemented, the default log destination for the general query and slow query log was TABLE. This default has been changed to FILE, which is compatible with MySQL 5.0, but incompatible with earlier releases of MySQL 5.1 from 5.1.6 to 5.1.20. If you are upgrading from MySQL 5.0 to 5.1.21 or higher, no logging option changes should be necessary. However, if you are upgrading from 5.1.6 through 5.1.20 to 5.1.21 or higher and were using TABLE logging, use the --log-output=TABLE option explicitly to preserve your server's table-logging behavior.

The MySQL 5.1.23 fix is in addition to a fix in 5.1.21 because it turned out that the default was set in two places, only one of which was fixed the first time. (Bug#29993)

Incompatible Change

The parser accepted statements that contained /* ... */ that were not properly closed with */, such as SELECT 1 /* + 2. Statements that contain unclosed /*-comments now are rejected with a syntax error.

This fix has the potential to cause incompatibilities. Because of Bug#26302, which caused the trailing */ to be truncated from comments in views, stored routines, triggers, and events, it is possible that objects of those types may have been stored with definitions that now will be rejected as syntactically invalid. Such objects should be dropped and re-created so that their definitions do not contain truncated comments. (Bug#28779)

Security Fix: Replication: It was possible for any connected user to issue a BINLOG statement, which could be used to escalate privileges.

Use of the BINLOG statement now requires the SUPER privilege. (Bug#31611, CVE-2007-6313)

Security Fix: Three vulnerabilities in yaSSL versions 1.7.5 and earlier were discovered that could lead to a server crash or execution of unauthorized code. The exploit requires a server with yaSSL enabled and TCP/IP connections enabled, but does not require valid MySQL account credentials. The exploit does not apply to OpenSSL.

(Bug#33814, CVE-2008-0226, CVE-2008-0227)

Security Fix: Using RENAME TABLE against a table with explicit DATA DIRECTORY and INDEX DIRECTORY options can be used to overwrite system table information by replacing the symbolic link points. the file to which the symlink points.

MySQL will now return an error when the file to which the symlink points already exists. (Bug#32111, CVE-2007-5969)

Security Fix: ALTER VIEW retained the original DEFINER value, even when altered by another user, which could allow that user to gain the access rights of the view. Now ALTER VIEW is allowed only to the original definer or users with the SUPER privilege. (Bug#29908)

Security Fix: When using a FEDERATED table, the local server could be forced to crash if the remote server returned a result with fewer columns than expected. (Bug#29801)

Incompatible Change: It is no longer possible to create CSV tables with NULL columns. However, for backwards compatibility, you can continue to use such tables that were created in previous MySQL releases. (Bug#32050)

Incompatible Change: With ONLY_FULL_GROUP_BY SQL mode enabled, queries such as SELECT a FROM t1 HAVING COUNT(*)>2 were not being rejected as they should have been.

This fix results in the following behavior:

This behavior differs from previous versions as follows:

(Bug#31794)

Incompatible Change: Inserting a row with a NULL value for a DATETIME column results in a CSV file that the storage engine cannot read.

All CSV tables now need to be defined with each column marked as NOT NULL. An error is raised if you try to create a CSV table with columns that are not defined with NOT NULL. (Bug#31473, Bug#32817)

Incompatible Change: SET PASSWORD statements now cause an implicit commit, and thus are prohibited within stored functions and triggers. (Bug#30904)

Incompatible Change: The mysql_install_db script could fail to locate some components (including resolveip) during execution if the --basedir option was specified on the command-line or within the my.cnf file. This was due to a conflict when comparing the compiled-in values and the supplied values.

The --source-install command-line option to the script has been removed and replaced with the --srcdir option. mysql_install_db now locates components either using the compiled-in options, the --basedir option or --srcdir option. (Bug#30759)

Incompatible Change: Multiple-table DELETE statements containing ambiguous aliases could have unintended side effects such as deleting rows from the wrong table. Example:

DELETE FROM t1 AS a2 USING t1 AS a1 INNER JOIN t2 AS a2;

Now alias declarations can be declared only in the table_references part. Elsewhere in the statement, alias references are allowed but not alias declarations. Statements containing aliases that are no longer allowed must be rewritten. (Bug#30234)

See also Bug#27525.

Incompatible Change: Within a stored routine, it is no longer allowable to declare a cursor for a SHOW or DESCRIBE statement. This happened to work in some instances, but is no longer supported. In many cases, a workaround for this change is to use the cursor with a SELECT query to read from an INFORMATION_SCHEMA table that produces the same information as the SHOW statement. (Bug#29223)

Incompatible Change: It was possible to create a view having a column whose name consisted of an empty string or space characters only.

One result of this bug fix is that aliases for columns in the view SELECT statement are checked to ensure that they are legal column names. In particular, the length must be within the maximum column length of 64 characters, not the maximum alias length of 256 characters. This can cause problems for replication or loading dump files. For additional information and workarounds, see Restrictions on Views. (Bug#27695)

See also Bug#31202.

Incompatible Change: Several type-preserving functions and operators returned an incorrect result type that does not match their argument types: COALESCE(), IF(), IFNULL(), LEAST(), GREATEST(), CASE. These now aggregate using the precise SQL types of their arguments rather than the internal type. In addition, the result type of the STR_TO_DATE() function is now DATETIME by default. (Bug#27216)

Incompatible Change: GRANT and REVOKE statements now cause an implicit commit, and thus are prohibited within stored functions and triggers. (Bug#21975, Bug#21422, Bug#17244)

Incompatible Change: It was possible for option files to be read twice at program startup, if some of the standard option file locations turned out to be the same directory. Now duplicates are removed from the list of files to be read.

Also, users could not override system-wide settings using ~/.my.cnf because SYSCONFDIR/my.cnf was read last. The latter file now is read earlier so that ~/.my.cnf can override system-wide settings.

The fix for this problem had a side effect such that on Unix, MySQL programs looked for options in ~/my.cnf rather than the standard location of ~/.my.cnf. That problem was addressed as Bug#38180. (Bug#20748)

Incompatible Change: A number of problems existed in the implementation of MERGE tables that could cause problems. The problems are summarized below:

The fix introduces the following changes in behavior:

(Bug#19627, Bug#25038, Bug#25700, Bug#26377, Bug#26379, Bug#26867, Bug#27660, Bug#30275, Bug#30491)