Your message dated Fri, 16 May 2008 19:17:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#481389: fixed in firebird2.0 2.0.3.12981.ds1-14
has caused the Debian Bug report #481389,
regarding Debian package allows passwordless SYSDBA remote connections
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
481389: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481389
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: firebird2.0-super
Version: 2.0.3.12981.ds1-13
Severity: grave
Tags: security

The only reason for this to not be of critical severity is that database
services are typically firewalled.

This is CVE-2008-1880[1]

    [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1880

The init.d script used by Debian packages exports ISC_PASSWORD into the
environment before starting fbguard. fbguard itself spawns the fbserver
process without cleaning the environment.

fbserver uses ISC_PASSWORD from the environment when a remote connection
does not supply a password. This makes it possible to connect remotely
as the SYSDBA user without giving a password.

That last part is already fixed in upstream CVS HEAD, but backporting
the change is reported to be non-trivial.

So the way to close the hole is to stop exporting ISC_PASSWORD in the
init.d script. That variable is used only for stopping the server and
there is another way to achieve this -- via start-stop-daemon and a PID
file.

I am working on the implementation.

--
    dam



--- End Message ---
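The environment-inheritance mechanism the report describes, as an added shell example (not the Debian init script or any Firebird code): a stand-in for fbserver is spawned the way the -13 init script did it and the way the -14 one does, plus a check an administrator can run against a live process. The password value and the fake_fbserver helper are constructed for the demo.

```shell
#!/bin/sh
# Stand-in for fbserver: a real child process, started the way fbguard would
# start it (environment untouched). Exit status 0 means the credential was
# inherited, 1 means the child's environment is clean. Constructed for the demo.
fake_fbserver() {
    sh -c 'if [ -n "${ISC_PASSWORD+set}" ]; then
               echo "fbserver: ISC_PASSWORD inherited from parent"
               exit 0
           fi
           echo "fbserver: no ISC_PASSWORD in environment"
           exit 1'
}

# Vulnerable pattern (as in -13): the init script exports SYSDBA credentials
# so that "stop" can authenticate later; every child process inherits them.
start_vulnerable() {
    ( export ISC_USER=SYSDBA ISC_PASSWORD="constructed-demo-secret"
      fake_fbserver )
}

# Fixed pattern (as in -14): the credential is never exported. Stopping the
# server then works by PID (start-stop-daemon --stop --pidfile in the real
# script), so no password is needed in the environment at all.
start_fixed() {
    ( unset ISC_USER ISC_PASSWORD
      fake_fbserver )
}

# Defender's check against a live daemon: does its environment carry
# ISC_PASSWORD? Reads /proc/<pid>/environ, so this part is Linux-only.
# Usage: leaked_in_pid <pid-of-fbserver>   (exit 0 = credential present)
leaked_in_pid() {
    tr '\0' '\n' < "/proc/$1/environ" 2>/dev/null | grep -q '^ISC_PASSWORD='
}
```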
--- Begin Message ---
Source: firebird2.0
Source-Version: 2.0.3.12981.ds1-14

We believe that the bug you reported is fixed in the latest version of
firebird2.0, which is due to be installed in the Debian FTP archive:

firebird2.0-classic_2.0.3.12981.ds1-14_i386.deb
  to pool/main/f/firebird2.0/firebird2.0-classic_2.0.3.12981.ds1-14_i386.deb
firebird2.0-common_2.0.3.12981.ds1-14_i386.deb
  to pool/main/f/firebird2.0/firebird2.0-common_2.0.3.12981.ds1-14_i386.deb
firebird2.0-dev_2.0.3.12981.ds1-14_all.deb
  to pool/main/f/firebird2.0/firebird2.0-dev_2.0.3.12981.ds1-14_all.deb
firebird2.0-doc_2.0.3.12981.ds1-14_all.deb
  to pool/main/f/firebird2.0/firebird2.0-doc_2.0.3.12981.ds1-14_all.deb
firebird2.0-examples_2.0.3.12981.ds1-14_all.deb
  to pool/main/f/firebird2.0/firebird2.0-examples_2.0.3.12981.ds1-14_all.deb
firebird2.0-server-common_2.0.3.12981.ds1-14_i386.deb
  to pool/main/f/firebird2.0/firebird2.0-server-common_2.0.3.12981.ds1-14_i386.deb
firebird2.0-super_2.0.3.12981.ds1-14_i386.deb
  to pool/main/f/firebird2.0/firebird2.0-super_2.0.3.12981.ds1-14_i386.deb
firebird2.0_2.0.3.12981.ds1-14.diff.gz
  to pool/main/f/firebird2.0/firebird2.0_2.0.3.12981.ds1-14.diff.gz
firebird2.0_2.0.3.12981.ds1-14.dsc
  to pool/main/f/firebird2.0/firebird2.0_2.0.3.12981.ds1-14.dsc
libfbclient2_2.0.3.12981.ds1-14_i386.deb
  to pool/main/f/firebird2.0/libfbclient2_2.0.3.12981.ds1-14_i386.deb
libfbembed2_2.0.3.12981.ds1-14_i386.deb
  to pool/main/f/firebird2.0/libfbembed2_2.0.3.12981.ds1-14_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov <[EMAIL PROTECTED]> (supplier of updated firebird2.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 15 May 2008 22:15:24 +0300
Source: firebird2.0
Binary: firebird2.0-super firebird2.0-classic libfbclient2 libfbembed2 firebird2.0-common firebird2.0-server-common firebird2.0-dev firebird2.0-examples firebird2.0-doc
Architecture: source all i386
Version: 2.0.3.12981.ds1-14
Distribution: unstable
Urgency: high
Maintainer: Debian Firebird Group <[EMAIL PROTECTED]>
Changed-By: Damyan Ivanov <[EMAIL PROTECTED]>
Description: 
 firebird2.0-classic - Firebird Classic Server - an RDBMS based on InterBase 6.0 code
 firebird2.0-common - common files for firebird 2.0 servers and clients
 firebird2.0-dev - Development files for Firebird - an RDBMS based on InterBase 6.0
 firebird2.0-doc - Documentation files for firebird database version 2.0
 firebird2.0-examples - Examples for Firebird - an RDBMS based on InterBase 6.0 code
 firebird2.0-server-common - common files for firebird 2.0 servers
 firebird2.0-super - Firebird Super Server - an RDBMS based on InterBase 6.0 code
 libfbclient2 - Firebird client library
 libfbembed2 - Firebird embedded client/server library
Closes: 406691 481208 481389
Changes: 
 firebird2.0 (2.0.3.12981.ds1-14) unstable; urgency=high
 .
   * firebird2.0-super.init: stop exporting ISC_USER and ISC_PASSWORD.
     Fixes a hole causing remote connections as user SYSDBA to succeed
     without giving a password.
     Closes: #481389 and CVE-2008-1880
   * remove linda overrides
   * coincidentally also closes: #406691, an ex-wontfix bug -- "fails to
     upgrade when misconfigured", caused by the initscript relying on
     correct SYSDBA password in /etc -- something that is no longer
     needed for shutdown.
   * port-{mips,arm}.patch: unify the {EMBED,CLIENT}_TARGETS with the rest of
     the tree. Closes: #481208 -- FTBFS on mips. Thanks to Thiemo Seufer. Added
     gds_relay to mips targets in addition to his patch.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFILdpAHqjlqpcl9jsRAifiAJ47cCk3aNAIgr1Li03uI6ty2Y2JCgCeMhyw
BLyU1V3agTVrvnILTyzNbOc=
=ARw6
-----END PGP SIGNATURE-----



--- End Message ---
