Your message dated Mon, 10 Sep 2007 13:17:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#441405: fixed in firebird2.0 2.0.3.12981.ds1-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: firebird2.0
Severity: grave
Tags: security
Hi,
Several new vulnerabilities have been discovered and fixed in Firebird. The
following are reported:
CVE-2007-3527: Integer overflow in Firebird 2.0.0 allows remote authenticated
users to cause a denial of service (CPU consumption) via certain database
operations with multi-byte character sets that trigger an attempt to use the
value 65536 for a 16-bit integer, which is treated as 0 and causes an
infinite loop on zero-length data.
CVE-2007-4664: Unspecified vulnerability in the (1) attach database and (2)
create database functionality in Firebird before 2.0.2, when a filename
exceeds MAX_PATH_LEN, has unknown impact and attack vectors, aka CORE-1405.
CVE-2007-4665: Unspecified vulnerability in the server in Firebird before
2.0.2 allows remote attackers to cause a denial of service (daemon crash) via
an XNET session that makes multiple simultaneous requests to register events,
aka CORE-1403.
CVE-2007-4666: Unspecified vulnerability in the server in Firebird before
2.0.2, when a Superserver/TCP/IP environment is configured, allows remote
attackers to cause a denial of service (CPU and memory consumption)
via "large network packets with garbage", aka CORE-1397.
CVE-2007-4667: Unspecified vulnerability in the Services API in Firebird
before 2.0.2 allows remote attackers to cause a denial of service, aka
CORE-1149.
CVE-2007-4668: Unspecified vulnerability in the server in Firebird before
2.0.2 allows remote attackers to determine the existence of arbitrary files,
and possibly obtain other "file access," via unknown vectors, aka CORE-1312.
CVE-2007-4669: The Services API in Firebird before 2.0.2 allows remote
authenticated users without SYSDBA privileges to read the server log
(firebird.log), aka CORE-1148.
Please see:
http://security-tracker.debian.net/tracker/source-package/firebird2.0
http://security-tracker.debian.net/tracker/source-package/firebird2
http://security-tracker.debian.net/tracker/source-package/firebird1.5
and the links from there, for detailed information on these issues.
As I see it, these are all or mostly all fixed upstream. For unstable, you
could therefore probably suffice with uploading this new upstream release.
Please mention any CVE id's when fixing these issues.
For sarge and etch, it needs to be verified which ones apply and how they can
be fixed.
thanks
Thijs
pgpDq1Yx0HMQY.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: firebird2.0
Source-Version: 2.0.3.12981.ds1-1
We believe that the bug you reported is fixed in the latest version of
firebird2.0, which is due to be installed in the Debian FTP archive:
firebird-utils_2.0.3.12981.ds1-1_all.deb
to pool/main/f/firebird2.0/firebird-utils_2.0.3.12981.ds1-1_all.deb
firebird2.0-classic_2.0.3.12981.ds1-1_i386.deb
to pool/main/f/firebird2.0/firebird2.0-classic_2.0.3.12981.ds1-1_i386.deb
firebird2.0-common_2.0.3.12981.ds1-1_i386.deb
to pool/main/f/firebird2.0/firebird2.0-common_2.0.3.12981.ds1-1_i386.deb
firebird2.0-dev_2.0.3.12981.ds1-1_all.deb
to pool/main/f/firebird2.0/firebird2.0-dev_2.0.3.12981.ds1-1_all.deb
firebird2.0-doc_2.0.3.12981.ds1-1_all.deb
to pool/main/f/firebird2.0/firebird2.0-doc_2.0.3.12981.ds1-1_all.deb
firebird2.0-examples_2.0.3.12981.ds1-1_all.deb
to pool/main/f/firebird2.0/firebird2.0-examples_2.0.3.12981.ds1-1_all.deb
firebird2.0-super_2.0.3.12981.ds1-1_i386.deb
to pool/main/f/firebird2.0/firebird2.0-super_2.0.3.12981.ds1-1_i386.deb
firebird2.0_2.0.3.12981.ds1-1.diff.gz
to pool/main/f/firebird2.0/firebird2.0_2.0.3.12981.ds1-1.diff.gz
firebird2.0_2.0.3.12981.ds1-1.dsc
to pool/main/f/firebird2.0/firebird2.0_2.0.3.12981.ds1-1.dsc
firebird2.0_2.0.3.12981.ds1.orig.tar.gz
to pool/main/f/firebird2.0/firebird2.0_2.0.3.12981.ds1.orig.tar.gz
libfbclient2_2.0.3.12981.ds1-1_i386.deb
to pool/main/f/firebird2.0/libfbclient2_2.0.3.12981.ds1-1_i386.deb
libfbembed2_2.0.3.12981.ds1-1_i386.deb
to pool/main/f/firebird2.0/libfbembed2_2.0.3.12981.ds1-1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Damyan Ivanov <[EMAIL PROTECTED]> (supplier of updated firebird2.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 10 Sep 2007 15:27:59 +0300
Source: firebird2.0
Binary: firebird-utils libfbembed2 firebird2.0-dev firebird2.0-doc libfbclient2
firebird2.0-classic firebird2.0-common firebird2.0-super firebird2.0-examples
Architecture: source all i386
Version: 2.0.3.12981.ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Firebird Group <[EMAIL PROTECTED]>
Changed-By: Damyan Ivanov <[EMAIL PROTECTED]>
Description:
firebird-utils - manager for multiple Firebird utilities versions
firebird2.0-classic - Firebird Classic Server - an RDBMS based on InterBase
6.0 code
firebird2.0-common - common files for firebird 2.0 servers and clients
firebird2.0-dev - Development files for Firebird - an RDBMS based on InterBase
6.0
firebird2.0-doc - Documentation files for firebird database version 2.0
firebird2.0-examples - Examples for Firebird - an RDBMS based on InterBase 6.0
code
firebird2.0-super - Firebird Super Server - an RDBMS based on InterBase 6.0
code
libfbclient2 - Firebird client library
libfbembed2 - Firebird embedded client/server library
Closes: 441405
Changes:
firebird2.0 (2.0.3.12981.ds1-1) unstable; urgency=medium
.
* New upstream relese-candidate
* Contains fixes for the following security issues: CVE-2007-3527,
CVE-2007-4664, CVE-2007-4665, CVE-2007-4666, CVE-2007-4667, CVE-2007-4668,
CVE-2007-4669.
(Closes: #441405) -- Several Firebird vulnerabilities discovered
* Refreshed patches
cvs-client-crash-on-remote-shutdown.patch
no-rpath.patch
link-as-needed
fix-os-detection.patch
inet-trust-localhost.patch
create-run-dir.patch
use-debian-icu.patch
use-debian-editline.patch
cvs-powerpc-double-define.patch
* Dropped patches not needed any more
+ link-with-g++.patch -- upstream reorg
+ cvs-common_classes_alloc.cpp-unaligned.patch -- included in the
release
+ cvs-jrd.cpp-crash-on-srervices-and-conventional-api-usage.patch --
included in the release
+ cvs-sparc-jrd_sort.patch -- included in the release
+ cvs-remote-alignment.patch -- included in the release
* autoboot.patch -- re-generated
* Updated debian/get-orig-source.sh
+ use pre-release upstream download area
* Applied patch to Hungarian translation from Tamas TEVESZ
* debian/make_packages.sh - deduce upstream version from debian/changelog to
avoid the need of manually changing a variable after each new upstream
release
* Updated debian/watch with new pre-release URLs; more version mangling
* Dropped unused lintian overrides
* Drop libgds.so compatibility symlink (upstream dropped it after 1.5)
Files:
6cca5eaf187129748a85b3b3c2b364a1 1036 misc optional
firebird2.0_2.0.3.12981.ds1-1.dsc
635360c67963099772207cf54ad096fc 7019232 misc optional
firebird2.0_2.0.3.12981.ds1.orig.tar.gz
6bf4e873afe7f770fef19cd7d60ab9a5 399413 misc optional
firebird2.0_2.0.3.12981.ds1-1.diff.gz
fd2353804894f32b959cba14c16b7f95 392554 utils optional
firebird-utils_2.0.3.12981.ds1-1_all.deb
8774e99eaa7c10740b609f6706fb8926 435980 libdevel optional
firebird2.0-dev_2.0.3.12981.ds1-1_all.deb
ad83bd40dc66a2561dd5877ee633c2f7 534108 doc optional
firebird2.0-examples_2.0.3.12981.ds1-1_all.deb
59917e85e585f247ed428dc77e568480 1237372 doc optional
firebird2.0-doc_2.0.3.12981.ds1-1_all.deb
f8aa465536f4230880acdf71930f8fe9 2814378 misc optional
firebird2.0-super_2.0.3.12981.ds1-1_i386.deb
84f5e3612ff9051777aa751f35eb8c94 1677816 misc extra
firebird2.0-classic_2.0.3.12981.ds1-1_i386.deb
03fc61c633cbd30cbde38dc57fda17e9 610036 libs optional
libfbclient2_2.0.3.12981.ds1-1_i386.deb
3938780032b0ac2bbc21840695be86b3 1470078 libs optional
libfbembed2_2.0.3.12981.ds1-1_i386.deb
a07d7add6a5dad70241aea0396962e11 893624 misc optional
firebird2.0-common_2.0.3.12981.ds1-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFG5UIYHqjlqpcl9jsRAoX/AJ9LwNJX3VKgcJ3KYPzaD7o1Z/ZV1ACfdZA0
qZnpWT26j0B6Ctdcg6jdJhE=
=Vulu
-----END PGP SIGNATURE-----
--- End Message ---
