DBD::mysql is the perl DBI driver for MySQL and the primary way Perl applications and scripts access MySQL and MariaDB databases. The source repository is at https://github.com/perl5-dbi/DBD-mysql.

A vulnerability was discovered that can lead to a buffer overflow, possibly triggered by user supplied data. This vulnerability is present in all releases at least back to versions 3.0 of the driver, which were released in 2005.

The CVE identifier for this vulnerability is CVE-2016-1246.

Version 4.037, including the fix for this vulnerability, is available on CPAN at https://metacpan.org/pod/DBD::mysql

Users of DBD::mysql are advised to patch their installations as soon as possible.

We have already made a pre-announcement for this security release at the distros security mailing list. People using DBD::mysql installed from their (linux) distributions can expect to receive an updated version soon.

Many thanks to Pali Rohár for discovering and fixing the vulnerability.

The DBD::mysql maintainers, Patrick Galbraith Michiel Beijen