Bug #16365 Prepared Statements: DoS with too many open statements
Submitted: 11 Jan 2006 11:25 Modified: 27 Apr 2006 14:48
Reporter: Konstantin Osipov
Status: Closed
Category: Server: PS  Severity: S2 (Serious)
Version: 4.1  OS: Any (All)
Assigned to: Konstantin Osipov Target Version:

[11 Jan 2006 11:25] Konstantin Osipov
Description:
There is no limit as to how many statements can be open per connection or MySQL server.
That can lead to a Denial of Service attack, as the server will crash with OOM (out of
memory) when the number of statements becomes gigantic.
The solution is to add a global server variable max_stmt_count that would limit the total
number of prepared statements (and cursors) per server.
The default value of the variable shall be 16382 (average size of a statement is 80k, so
this number limits the total possible amount of consumed memory to 1.3G).

How to repeat:
See description.
[24 Mar 2006 16:38] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/4126
[7 Apr 2006 21:39] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/4658
[10 Apr 2006 11:52] Konstantin Osipov
Pushed into 4.1.19 and merged into 5.0.21
[21 Apr 2006 19:53] Trudy Pelzer
Fix merged into 5.1.10.
[27 Apr 2006 14:40] Paul DuBois
Noted in 4.1.19, 5.0.21, 5.1.10 changelogs.

<emphasis role="bold">Security enhancement</emphasis>: Added
the global <literal>max_prepared_stmt_count</literal> system
variable to limit the total number of prepared statements in
the server. This limits the potential for denial-of-service
attacks based on running the server out of memory by preparing
huge numbers of statements. The current number of prepared
statements is available through the
<literal>prepared_stmt_count</literal> system variable. (Bug
#16365)

Also updated the list of system variables in the database
administration chapter.
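
Added example (not part of the bug report or the MySQL patch): how an administrator can inspect and tune the limit this fix introduced, and find which connections hold the most open statements. It assumes a server that exposes the counter as the `Prepared_stmt_count` status variable; the last query assumes MySQL 5.7 or later with `performance_schema` enabled. The statement name `demo_stmt` and the value 4096 are made up for illustration.

```sql
-- Added example: inspecting and tuning the server-wide prepared statement limit.

-- 1. Configured ceiling (the variable named in the changelog entry above).
SHOW GLOBAL VARIABLES LIKE 'max_prepared_stmt_count';

-- 2. Statements currently open across all connections.
--    Assumption: this server exposes the counter as a status variable.
SHOW GLOBAL STATUS LIKE 'Prepared_stmt_count';

-- 3. Watch the counter move. Each PREPARE holds server memory until the
--    statement is deallocated or the owning connection closes.
PREPARE demo_stmt FROM 'SELECT ?';             -- demo_stmt: made-up name
SHOW GLOBAL STATUS LIKE 'Prepared_stmt_count'; -- one higher than in step 2
DEALLOCATE PREPARE demo_stmt;
SHOW GLOBAL STATUS LIKE 'Prepared_stmt_count'; -- back to the step 2 value

-- 4. Tighten the ceiling at runtime (requires administrative privileges).
--    4096 is a constructed value: size it from the memory you can afford
--    to give to prepared statements, as the report does for its default.
SET GLOBAL max_prepared_stmt_count = 4096;

-- 5. Attribute open statements to connections, to spot a client that
--    prepares without closing (assumes MySQL 5.7+ and performance_schema).
SELECT t.PROCESSLIST_ID   AS connection_id,
       t.PROCESSLIST_USER AS account_user,
       t.PROCESSLIST_HOST AS account_host,
       COUNT(*)           AS open_statements
FROM performance_schema.prepared_statements_instances AS p
JOIN performance_schema.threads AS t
  ON t.THREAD_ID = p.OWNER_THREAD_ID
GROUP BY t.PROCESSLIST_ID, t.PROCESSLIST_USER, t.PROCESSLIST_HOST
ORDER BY open_statements DESC
LIMIT 10;
```

To keep the setting across restarts, put `max_prepared_stmt_count` in the `[mysqld]` section of the server option file as well.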