Hi Damyan,

* Damyan Ivanov <[EMAIL PROTECTED]> [2008-05-15 20:32]:
> Package: firebird2.0-super
> Version: 2.0.3.12981.ds1-13
> Severity: grave
> Tags: security
>
> The only reason for this to not be of critical severity is that database
> services are typically firewalled.
>
> This is CVE-2008-1880[1]
>
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1880
>
> The init.d script used by the Debian packages exports ISC_PASSWORD into the
> environment before starting fbguard. fbguard itself spawns the fbserver
> process without cleaning the environment.
>
> fbserver uses ISC_PASSWORD from the environment when a remote connection
> does not supply a password. This makes it possible to connect remotely
> as the SYSDBA user without giving a password.
>
> That last part is already fixed in upstream CVS HEAD, but backporting
> the change is reported to be non-trivial.
[...]

As far as I can see, firebird is disabled after the installation and needs to be dpkg-reconfigure'd, which will ask for a password or set a random one. Am I missing anything?
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
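An added example, not part of this thread and not the Debian package's own init script: a constructed shell stand-in for the fbguard/fbserver process tree that shows how an exported ISC_PASSWORD reaches the grandchild, two init-script patterns that keep it out of the daemon's environment, and a /proc check for a process that is already running. Only the variable name ISC_PASSWORD and the guardian-spawns-server relationship come from the report; the stand-in commands and the secret value are constructed.

```shell
#!/bin/sh
# Added example; not from the bug report or the Debian package. A constructed
# stand-in for "fbguard spawns fbserver" shows why an exported ISC_PASSWORD
# reaches the server, and two ways an init script can avoid that.

# Two-level process tree; the inner process reports whether it can read
# ISC_PASSWORD from its environment, as fbserver would.
GUARDIAN_CMD="sh -c 'printenv ISC_PASSWORD >/dev/null && echo leaked || echo clean'"

# Pattern the bug report describes: export, then start the guardian.
start_leaky() {
    ISC_PASSWORD='constructed-secret'; export ISC_PASSWORD
    sh -c "$GUARDIAN_CMD"            # grandchild inherits the password
    unset ISC_PASSWORD
}

# Fix 1: use the variable only for local setup, then unset it before spawning.
start_unset_first() {
    ISC_PASSWORD='constructed-secret'; export ISC_PASSWORD
    unset ISC_PASSWORD               # nothing started below sees it
    sh -c "$GUARDIAN_CMD"
}

# Fix 2: keep it in the script but strip it from the guardian's environment only.
start_env_u() {
    ISC_PASSWORD='constructed-secret'; export ISC_PASSWORD
    env -u ISC_PASSWORD sh -c "$GUARDIAN_CMD"
    unset ISC_PASSWORD
}

# Check on a live system (Linux /proc): does a running process, e.g. an
# fbserver found with pgrep, still carry the variable? Prints leaked, clean,
# or unknown when /proc is unreadable (other OS, or not the owner/root).
environ_has_var() {    # $1 = pid, $2 = variable name
    f="/proc/$1/environ"
    if [ ! -r "$f" ]; then echo unknown; return 0; fi
    if tr '\0' '\n' < "$f" | grep -q "^$2="; then echo leaked; else echo clean; fi
}
```

On an affected host, `environ_has_var "$(pgrep -o fbserver)" ISC_PASSWORD` tells you whether the running server still has the password in its environment.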