Dear Firebird developers, I've got a bug report for the debian packages for firebrid 1.5 that I can't handle myself. I would be grateful for some insights.
http://bugs.debian.org/432753 There is some uncertainty about four CVE issues with regard of their presence in Firebird 1.5.3. Two of these http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7213 CVE-2006-7213 Firebird 1.5 allows remote authenticated users without SYSDBA and owner permissions to overwrite a database by creating a database. and http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7211 CVE-2006-7211 fb_lock_mgr in Firebird 1.5 uses weak permissions (0666) for the semaphore array, which allows local users to cause a denial of service (blocked query processing) by locking semaphores. are unreproducible with Debian packages and thus are not that interesting. The other two, however are rather unclear as of how to reproduce or whether they are fixed in 1.5.3 (or 1.5.4) so I'd appreciate your comments: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7214 CVE-2006-7214 Multiple unspecified vulnerabilities in Firebird 1.5 allow remote attackers to (1) cause a denial of service (application crash) by sending many remote protocol versions; and (2) cause a denial of service (connection drop) via certain network traffic, as demonstrated by Nessus vulnerability scanning. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7212 CVE-2006-7212 Multiple buffer overflows in Firebird 1.5, one of which affects WNET, have unknown impact and attack vectors. NOTE: this issue might overlap CVE-2006-1240. As far as I can tell, the existence of the issues is deduced from firebird 2.0 release notes, which are not very clear about what exactly the problem is and how to reproduce it. Your comments are much appreciated. Please carbon-copy [EMAIL PROTECTED] in your replies. -- dam JabberID: [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
