MySQL 5.0.x before 5.0.51a, 5.1.x before 5.1.23, and 6.0.x before 6.0.4
does not update the DEFINER value of a view when the view is altered, which
allows remote authenticated users to gain privileges via a sequence of
statements including a CREATE SQL SECURITY DEFINER VIEW statement and an
ALTER VIEW statement.
jdstrand> patch from debian works on gutsy and feisty. On edgy and dapper
the test case fails (meaning the patch is incomplete).
Updated: 2016-03-23 03:30:09 UTC (commit 10817)