SECURITY RELEASE - Buffer overflow in DBD::mysql perl library

DBD::mysql is the perl DBI driver for MySQL and the primary way Perl applications and scripts access MySQL and MariaDB databases. The source repository is at

A vulnerability was discovered that can lead to a buffer overflow, possibly triggered by user-supplied data. This vulnerability is present in all releases at least back to version 3.0 of the driver, released in 2005.

The CVE identifier for this vulnerability is CVE-2016-1246.

Version 4.037, including the fix for this vulnerability, is available on CPAN at

Users of DBD::mysql are advised to patch their installations as soon as possible.

We have already made a pre-announcement for this security release on the distros security mailing list. People using DBD::mysql installed from their (Linux) distributions can expect to receive an updated version soon.

Many thanks to Pali Rohár for discovering and fixing the vulnerability.

The DBD::mysql maintainers, Patrick Galbraith and Michiel Beijen

Test release for DBD::mysql available - ssl by default

Dear Perl and MySQL community,

We're pleased to announce the release of DBD::mysql 4.033_01, the Perl DBI driver for MySQL and MariaDB databases. This is not a 'stable' release but merely for testing and feedback. We'll put out a stable 4.034 release soon, probably before Christmas.

Linking against SSL by default?

Apart from that, I'd like to propose that we link against SSL by default. MySQL 5.7 makes SSL connections to databases more common; right now in DBD::mysql you need to pass an option to Makefile.PL (--ssl) in order to enable linking to libssl. Of course, many people (and Linux distributions!) don't do this by default. At the expense of the added dependency on libssl, we'd like to default to compiling against it. We'd introduce a --nossl flag for the cases where you explicitly do NOT want to link to SSL. When DBD::mysql is compiled against libssl you can still make connections to servers that don't use SSL.

Any feedback (+1's, remarks or objections) would be appreciated!

Changelog for this development release

2015-12-15 Patrick Galbraith, Michiel Beijen, DBI/DBD community (4.033_01)

  • Raise minimum DBI version to 1.609 (from 2009!) in order to make tests pass on RHEL5.
  • Add explicit documentation for how to enable SSL at build time, provided by genio.
  • Improve test suite to make it more robust using mixed versions of client and server.
  • Fix use-after-free error in my_login, provided by hannob.
  • Add explicit instructions stating brackets are required around ipv6-addresses in connection strings, provided by Kenny Gryp.

Release on CPAN:

UPDATE, UPDATE, read all about it!

After feedback we've decided to make the jump, which was probably long overdue, and link to SSL by default as proposed above. There's a new development release with these changes on CPAN.

2015-12-18 Patrick Galbraith, Michiel Beijen, DBI/DBD community (4.033_02)

  • Compile against libssl by default. This allows connecting to remote MySQL servers using SSL. Previously this was only possible with an explicit switch provided to Makefile.PL; if for some reason you can't or don't want to link against libssl, you can use the new --nossl switch to Makefile.PL.
  • Made tests more robust after CPAN Testers failures.
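Linking the driver against libssl only makes encrypted connections possible; the DSN still has to ask for one, and a careful client checks afterwards that it actually got one. The following is an added example, not DBD::mysql's own code: it requests SSL through the mysql_ssl and mysql_ssl_ca_file DSN attributes and then asks the server for the session's cipher. The host, database, CA file path and credentials are placeholders.

```perl
#!/usr/bin/env perl
# Added example (not DBD::mysql's own code): request SSL in the DSN and verify
# that the resulting session is really encrypted before using it.
use strict;
use warnings;
use DBI;

# Assumed values: host, database, CA bundle and credentials are placeholders.
my $host    = 'db.example.org';
my $db      = 'app';
my $ca_file = '/etc/mysql/ca.pem';
my ($user, $pass) = ('app_ro', 'secret');

# mysql_ssl=1 requests SSL; mysql_ssl_ca_file gives the client a CA to validate
# the server certificate against. Without mysql_ssl the connection is plaintext
# even when the driver was compiled against libssl.
my $dsn = "DBI:mysql:database=$db;host=$host;mysql_ssl=1;mysql_ssl_ca_file=$ca_file";

my $dbh = DBI->connect($dsn, $user, $pass, { RaiseError => 1, PrintError => 0 });

# Do not trust the DSN alone: ask the server which cipher this session uses.
# An empty Ssl_cipher means the session is in the clear.
my $cipher = ssl_cipher($dbh);
die "connection to $host is not encrypted, refusing to continue\n"
    unless length $cipher;
print "connected to $host, TLS cipher: $cipher\n";

$dbh->disconnect;

# Return the session's SSL cipher name, or '' when the session is not encrypted.
sub ssl_cipher {
    my ($dbh) = @_;
    my (undef, $value) =
        $dbh->selectrow_array(q{SHOW SESSION STATUS LIKE 'Ssl_cipher'});
    return defined $value ? $value : '';
}
```

The SHOW SESSION STATUS check is the part worth keeping in production code: requesting SSL and getting SSL are different things, and a script that dies when Ssl_cipher is empty will not quietly send credentials and query results in the clear.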

Release on CPAN:

Github repo:


Patrick and Michiel

A little nicer way to use smartmatch on perl 5.18


Of course as Perl developers we all love new features, don't we?

So the moment we could work with perl 5.10 we all started using smartmatch, right? If not for the only reason it allows us to write elegant code like this:

use v5.10.1;
my @array = qw ( Thom Jonny Colin Ed Phil );
say "I found Phil!" if 'Phil' ~~ @array;

But now we have perl 5.18, and some of the ideas behind smartmatch turned out to be a little too smart, so it is now considered an experimental feature. Even code like this, when run on perl 5.18, gives warnings:

Smartmatch is experimental at line 3.
I found Phil!

brian d foy wrote about how to stop these warnings, but it's not pretty:

no warnings 'experimental::smartmatch';

This works under perl 5.18 but gives nasty error messages under older perls:

Unknown warnings category 'experimental::smartmatch' at line 3.
BEGIN failed--compilation aborted at line 3.

so the 'best' way to do it is this:

no if $] >= 5.017011, warnings => 'experimental::smartmatch';

Ugly, right? That is why Leon Timmermans created experimental, a CPAN module that allows you to simply write:

use experimental 'smartmatch';

That's much better! I can remember that, and it's readable. I hope you like it as much as I do!

Of course this does not alleviate the problem that smartmatch is now considered experimental, which means that its implementation is probably going to change in upcoming perls.

POP3 with TLS in Perl

The famous libnet modules provide Perl programmers with a low level interface to POP3 and SMTP servers, among others.

This works fine in general, but over the past years most mail servers have stopped offering 'plain' SMTP and POP3 access and instead use either SSL or TLS encryption. This has led to a plethora of modules on CPAN to support SMTP via SSL or TLS and also POP3 via SSL. Until recently this was not the case for POP3 using TLS. But earlier this week Steffen Ullrich, the maintainer of IO::Socket::SSL, released a new version of Net::SSLGlue that also allows connecting to POP3 over TLS. As opposed to many of the other modules, it also allows verifying the SSL certificate of the remote server, for extra security. Net::SSLGlue works for Net::SMTP, Net::POP3, Net::LDAP, and LWP.

Here is an example of how you can connect to a POP3 mail server over TLS:
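The post's own example does not survive in this copy. What follows is an added example, not the post's code, that connects with Net::SSLGlue::POP3 and turns certificate verification on explicitly rather than relying on defaults. The server name, CA bundle path and credentials are placeholders.

```perl
#!/usr/bin/env perl
# Added example (not from the original post): POP3 over TLS with Net::SSLGlue,
# with the server certificate verified against a trusted CA bundle.
use strict;
use warnings;
use Net::POP3;
use Net::SSLGlue::POP3;                 # adds SSL => 1 and starttls() to Net::POP3
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Assumed values: replace with your own server, CA bundle and credentials.
my $host    = 'pop.example.org';
my $ca_file = '/etc/ssl/certs/ca-certificates.crt';
my ($user, $pass) = ('alice', 'secret');

# SSL settings shared by both connection styles. SSL_VERIFY_PEER checks the
# chain against $ca_file; the 'pop3' scheme checks that the certificate's
# name matches $host, so a valid certificate for another host is rejected.
my %ssl = (
    SSL_verify_mode     => SSL_VERIFY_PEER,
    SSL_ca_file         => $ca_file,
    SSL_verifycn_scheme => 'pop3',
    SSL_verifycn_name   => $host,
);

# Style 1: STARTTLS on the plain POP3 port. The connection starts in the clear
# and is upgraded with the STLS command before anything sensitive is sent.
my $pop = Net::POP3->new($host, Port => 110, Timeout => 30)
    or die "connect to $host:110 failed: $@";
$pop->starttls(%ssl)
    or die "STLS failed for $host: " . ($IO::Socket::SSL::SSL_ERROR // 'unknown error');

# Style 2: implicit TLS on port 995 (pop3s), handshake first, POP3 afterwards.
# my $pop = Net::POP3->new($host, Port => 995, SSL => 1, %ssl)
#     or die "TLS connect to $host:995 failed: $@ $IO::Socket::SSL::SSL_ERROR";

# Only now send the credentials: they travel over the encrypted channel.
my $count = $pop->login($user, $pass);
die "login failed: " . $pop->message unless defined $count;
print "mailbox has ", $count + 0, " message(s)\n";

# List message numbers and sizes without retrieving or deleting anything.
my $list = $pop->list;
printf "msg %s: %d bytes\n", $_, $list->{$_} for sort { $a <=> $b } keys %$list;

$pop->quit;
```

The order of operations is the point: with STARTTLS the login call must come after starttls() succeeds, and a failed starttls() must be fatal rather than ignored, otherwise the script falls back to sending the password in plaintext. Net::SSLGlue::POP3 is only needed for older libnet releases; Net::POP3 3.0 and later accept the same SSL => 1 and starttls() calls natively.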

On Unicode and Sorting

Tom Christiansen published an article on the topic of sorting and Unicode.

It's good, and it explains a little bit about why Unicode is so difficult and why sorting Unicode (or even ASCII) is harder still, mainly because the result you expect from a sort depends on your locale's definitions.
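To make the locale dependence concrete, here is an added example (not from the article or from the post) that sorts one constructed word list three ways: by code point with Perl's built-in sort, with the Unicode Collation Algorithm's default table via Unicode::Collate, and with the Swedish tailoring via Unicode::Collate::Locale. Both modules ship with Perl.

```perl
#!/usr/bin/env perl
# Added example: the same words sorted three ways to show that the "right"
# order is a property of the collation rules you choose, not of the strings.
use strict;
use warnings;
use utf8;                               # the source file is UTF-8
use open qw(:std :encoding(UTF-8));     # print UTF-8 on STDOUT
use Unicode::Collate;
use Unicode::Collate::Locale;

# Constructed sample input: mixed case, an acute accent, and a diaeresis.
my @words = qw(zebra öl Apple apple éclair);

# 1. Perl's default sort compares code points, so every non-ASCII letter
#    lands after 'z' and uppercase sorts before lowercase.
my @by_codepoint = sort @words;

# 2. The default Unicode collation table (DUCET): letters are compared first,
#    accents second and case third, with lowercase before uppercase.
my @by_ducet = Unicode::Collate->new->sort(@words);

# 3. A locale tailoring: in Swedish, ö is a separate letter that comes after z,
#    while é is still just an accented e.
my @by_sv = Unicode::Collate::Locale->new(locale => 'sv')->sort(@words);

print "code point: @by_codepoint\n";
print "DUCET:      @by_ducet\n";
print "sv:         @by_sv\n";
```

The first list puts both accented words after zebra and Apple before apple; the second interleaves éclair and öl by their base letters and puts apple before Apple; the Swedish list keeps éclair next to apple but moves öl back behind zebra. The same input, three defensible orders.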

It might be nice to point out that the modules he proposes using, Unicode::Collate, and …