Bug #65461 mysql_upgrade should warn when pre-4.1 passwords found
Submitted: 30 May 2012 14:14 Modified: 28 Jul 2012 22:48
Reporter: Todd Farmer (OCA) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Command-line Clients Severity:S3 (Non-critical)
Version:5.6.5 OS:Any
Assigned to: CPU Architecture:Any

[30 May 2012 14:14] Todd Farmer
Description:
Executing mysql_upgrade with 5.6.5 against a server containing a user account configured with a pre-4.1 password should trigger a warning, but it does not:

D:\>mysql-5.6.5-m8-win32\bin\mysql_upgrade.exe -P3307
Looking for 'mysql.exe' as: D:\mysql-5.6.5-m8-win32\bin\mysql.exe
Looking for 'mysqlcheck.exe' as: D:\mysql-5.6.5-m8-win32\bin\mysqlcheck.exe
Running 'mysqlcheck' with connection arguments: "--port=3307"
Running 'mysqlcheck' with connection arguments: "--port=3307"
mysql.columns_priv                                 OK
mysql.db                                           OK
mysql.event                                        OK
mysql.func                                         OK
mysql.general_log                                  OK
mysql.help_category                                OK
mysql.help_keyword                                 OK
mysql.help_relation                                OK
mysql.help_topic                                   OK
mysql.host                                         OK
mysql.innodb_index_stats                           OK
mysql.innodb_table_stats                           OK
mysql.ndb_binlog_index                             OK
mysql.plugin                                       OK
mysql.proc                                         OK
mysql.procs_priv                                   OK
mysql.proxies_priv                                 OK
mysql.servers                                      OK
mysql.slave_master_info                            OK
mysql.slave_relay_log_info                         OK
mysql.slave_worker_info                            OK
mysql.slow_log                                     OK
mysql.tables_priv                                  OK
mysql.time_zone                                    OK
mysql.time_zone_leap_second                        OK
mysql.time_zone_name                               OK
mysql.time_zone_transition                         OK
mysql.time_zone_transition_type                    OK
mysql.user                                         OK
test.p                                             OK
test.u                                             OK
test.v                                             OK
Running 'mysql_fix_privilege_tables'...
OK 

How to repeat:
Configure 5.6.5 server with an account using a pre-4.1 password.  Run mysql_upgrade.

Suggested fix:
Include warning.
[28 Jul 2012 22:48] Paul Dubois
Noted in 5.6.6 changelog.

mysql_upgrade now produces a warning if it finds user accounts with
passwords hashed with the older pre-4.1 hashing method. Such accounts
should be updated to use more secure password hashing.