SECURITY RELEASE - Buffer overflow in DBD::mysql Perl library

DBD::mysql is the Perl DBI driver for MySQL and the primary way Perl applications and scripts access MySQL and MariaDB databases. The source repository is at

A vulnerability was discovered that can lead to a buffer overflow, possibly triggered by user-supplied data. This vulnerability is present in all releases at least back to version 3.0 of the driver, which was released in 2005.

The CVE identifier for this vulnerability is CVE-2016-1246.

Version 4.037, including the fix for this vulnerability, is available on CPAN at

Users of DBD::mysql are advised to patch their installations as soon as possible.

We have already made a pre-announcement for this security release on the distros security mailing list. People using DBD::mysql installed from their (Linux) distributions can expect to receive an updated version soon.

Many thanks to Pali Rohár for discovering and fixing the vulnerability.

The DBD::mysql maintainers, Patrick Galbraith, Michiel Beijen

1 Comment

Do I understand correctly that only code which uses the bind_param* function family is affected? And if code does not use it, is there no security risk in using an old version?


About Mike B

I blog about Perl.