
I have discovered multiple SQL injection vulnerabilities in MariaDB. All versions are affected (all versions of MySQL back to at least 5.1 are also affected).

The issue is multiple places in the code where SQL statements are generated and written into the binary log. User-supplied identifiers (table names, field names, etc.) are not properly quoted (e.g. `speci``al name`), so authorised users with access to modify a table can inject arbitrary SQL into the binlog. Such injected SQL will be executed by the slave and could be executed with root privileges if a DBA does a mysqlbinlog|mysql style point-in-time recovery. This is the reason this is escalated as a security issue.

For normal MySQL replication (master-slave, not mysqlbinlog|mysql), these bugs do not seem to have security implications, although they can still provoke syntax errors that abort the replication or cause data corruption on the slave.

Just to be clear: exploiting this requires a valid account on the server with privileges to modify data. So there is no remote exploit.

Patches for the vulnerabilities can be found here:

MariaDB 5.1:
  http://bazaar.launchpad.net/~maria-captains/maria/5.1/revision/3151.1.1
  bzr log -p -rrevid:knielsen@knielsen-hq.org-20120824080616-0i6chxe8bjto8b7y lp:maria/5.1

MariaDB 5.2:
  http://bazaar.launchpad.net/~maria-captains/maria/5.2/revision/3163.1.1
  bzr log -p -rrevid:knielsen@knielsen-hq.org-20120824103246-3dnymbhrajm36ky4 lp:maria/5.2

MariaDB 5.3:
  http://bazaar.launchpad.net/~maria-captains/maria/5.3/revision/3556.1.2
  bzr log -p -rrevid:knielsen@knielsen-hq.org-20120824120232-fq2i5463qwpnws6u lp:maria/5.3

MariaDB 5.5:
  http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/3508
  bzr log -p -rrevid:knielsen@knielsen-hq.org-20120824132901-h62tb4n77ffj9shb lp:maria/5.5

We will be releasing new MariaDB versions containing these patches shortly.
I suggest planning public disclosure of this bug on September 17; hopefully this should be sufficient time for everyone to update releases. Until then, some reasonable discretion about the issue is requested.

Here is the bug that will be used after disclosure:
  https://mariadb.atlassian.net/browse/MDEV-382

- Kristian.
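The bug class the message describes, as an added illustration that is not part of the original mail or of the MariaDB/MySQL code base: when a server splices a user-controlled identifier into generated SQL by wrapping it in backticks without doubling embedded backticks, an identifier containing a backtick terminates the quoted name early and the rest of the identifier becomes bare statement text. The example below assumes nothing about the real binlog code paths; it uses a small backtick-identifier scanner (following the MySQL/MariaDB rule that a doubled backtick inside a quoted identifier stands for one literal backtick) to compare a naive generator with a correctly quoting one on the `speci``al name` case from the mail and on a constructed, harmless name. The helper names and the sample names are assumptions for the illustration.

```python
"""Added example (not from the original mail): why unescaped backticks in
generated SQL let a table/field name turn into extra statement text."""


def quote_identifier(name: str) -> str:
    """Quote a MySQL/MariaDB identifier: wrap in backticks and double any
    embedded backtick, so the name can never close the quotes early."""
    return "`" + name.replace("`", "``") + "`"


def generated_sql_naive(table: str) -> str:
    """The flawed pattern described in the mail (assumed shape, not the real
    code): backticks are added, but embedded backticks are not doubled."""
    return "DROP TABLE `" + table + "`"


def generated_sql_fixed(table: str) -> str:
    """The corrected pattern: identifiers go through quote_identifier()."""
    return "DROP TABLE " + quote_identifier(table)


def scan_identifier(sql: str, start: int) -> tuple[str, int]:
    """Parse a backtick-quoted identifier beginning at sql[start] == '`'.

    Returns (identifier, index just past the closing backtick). A doubled
    backtick inside the quotes is one literal backtick, as in MySQL/MariaDB.
    """
    if sql[start] != "`":
        raise ValueError("expected quoted identifier")
    out = []
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if c == "`":
            if i + 1 < len(sql) and sql[i + 1] == "`":
                out.append("`")  # escaped backtick, part of the name
                i += 2
                continue
            return "".join(out), i + 1  # closing backtick
        out.append(c)
        i += 1
    raise ValueError("unterminated quoted identifier")


def parse_drop_table(sql: str) -> tuple[str, str]:
    """Return (table name as the parser sees it, leftover text after it).

    Any non-empty leftover is text that a SQL parser would read as part of
    the statement rather than as part of the identifier."""
    name, end = scan_identifier(sql, sql.index("`"))
    return name, sql[end:].strip()


# Constructed sample identifiers for the demonstration.
NAME_FROM_MAIL = "speci`al name"            # the case quoted in the mail
CONSTRUCTED_NAME = "x` ; SELECT 1 -- "      # harmless, shows extra statement text


def demo() -> dict[str, tuple[str, str]]:
    """Run both generators over both names; keyed for inspection/asserts."""
    return {
        "naive/mail": parse_drop_table(generated_sql_naive(NAME_FROM_MAIL)),
        "fixed/mail": parse_drop_table(generated_sql_fixed(NAME_FROM_MAIL)),
        "naive/constructed": parse_drop_table(generated_sql_naive(CONSTRUCTED_NAME)),
        "fixed/constructed": parse_drop_table(generated_sql_fixed(CONSTRUCTED_NAME)),
    }


if __name__ == "__main__":
    for label, (seen_name, leftover) in demo().items():
        print(f"{label:18} name={seen_name!r:20} leftover={leftover!r}")
```

With the naive generator the parser sees the table name `speci` and the text `al name`` left over; with the fixed generator the whole name, backtick included, round-trips and nothing is left over. The same check is the one to run when reviewing any code that assembles SQL from identifiers for the binlog, for replay by mysqlbinnlog, or for logging: every identifier must go through a quoting routine that doubles the quote character, never a bare concatenation.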
Participants (1): Kristian Nielsen