Debian has posted an announcement for a mysql security update:
http://www.debian.org/security/2004/dsa-562
The CVE numbers are CAN-2004-0835, CAN-2004-0836, CAN-2004-0837. The vulnerability reports at CVE are not yet public. I don't know if a version bump to 4.0.21 fixes the problem.
From the listed CVE#, this is a dupe of 67062 (but I can't close it as such as I don't have access to 67062).
*** This bug has been marked as a duplicate of 67062 ***