Package: firebird3.0-server-core
Version: 3.0.1.32609.ds4-13
Severity: grave
Tags: patch upstream security
Justification: user security hole
Forwarded: http://tracker.firebirdsql.org/browse/CORE-5474

Authenticated Firebird users are allowed to declare UDFs (user-defined functions). The default config allows using all entry points from the standard UDF library, which is dynamically linked with libc, with its symbols re-exported, including system().

Relevant upstream commits for 3.0:
 - https://github.com/FirebirdSQL/firebird/commit/8b2a9cb44bf6055e15f016d70a6842b8ada60375
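
A configuration check for the exposure described in this report, as an added example that is not part of the original report or of Firebird's code: it reads the text of a firebird.conf file and reports whether UDF declaration is still enabled through the `UdfAccess` setting. The setting name and its None/Restrict/Full values come from Firebird's configuration file rather than from this report; treating an unset value as `Restrict UDF` is an assumption about pre-fix 3.0 servers, and the sample files are constructed.

```python
import re

# Assumption: a pre-fix 3.0 server with no active UdfAccess line behaves as
# "Restrict UDF", the default configuration this report describes.
ASSUMED_DEFAULT = "Restrict UDF"

def classify(value):
    """Map one UdfAccess value to 'ok', 'exposed' or 'review'."""
    words = value.split()
    mode = words[0].lower() if words else ""
    if mode == "none":
        return "ok"
    if mode in ("restrict", "full"):
        return "exposed"      # authenticated users can declare UDFs
    return "review"           # empty or unrecognised value

def audit_udf_access(conf_text, default=ASSUMED_DEFAULT):
    """Return (verdict, values) for the text of a firebird.conf file."""
    values = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        m = re.match(r"udfaccess\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            values.append(m.group(1).strip())
    if not values:
        values = [default]                            # nothing set: default applies
    verdicts = {classify(v) for v in values}
    # Conservative: every active line must say None for the file to pass.
    for worst in ("exposed", "review"):
        if worst in verdicts:
            return worst, values
    return "ok", values

# Constructed sample files, not taken from a real server.
SHIPPED = "#UdfAccess = Restrict UDF\nRemoteServicePort = 3050\n"
HARDENED = "UdfAccess = None   # UDFs disabled\n"
MIXED = "UdfAccess = None\nUdfAccess = Full\n"

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("hardened", HARDENED), ("mixed", MIXED)):
        print(name, audit_udf_access(text))
```
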