MySQL 5.0.x before 5.0.51a, 5.1.x before 5.1.23, and 6.0.x before 6.0.4
does not update the DEFINER value of a view when the view is altered, which
allows remote authenticated users to gain privileges via a sequence of
statements including a CREATE SQL SECURITY DEFINER VIEW statement and an
ALTER VIEW statement.
jdstrand> patch from Debian works on gutsy and feisty. On edgy and dapper
the test case fails (meaning the patch is incomplete).
Updated: 2012-06-01 15:18:24 UTC (commit 5347)