ESB-2018.1463 - [Win][UNIX/Linux][Debian] firebird: Execute arbitrary code/commands - Existing account 2018-05-14



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1463
                    RCE patched in Firebird on Debian 7
                                14 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           firebird
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-11509  

Reference:         ESB-2017.0832

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/05/msg00005.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running firebird check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------


Package        : firebird2.5
Version        : 2.5.2.26540.ds4-1~deb7u4
CVE ID         : CVE-2017-11509

An authenticated remote attacker can execute arbitrary code in Firebird SQL
Server versions 2.5.7 and 3.0.2 by executing a malformed SQL statement. The
only known solution is to disable external UDF libraries from being loaded.  In
order to achieve this, the default configuration has changed to UdfAccess=None.
This will prevent the fbudf module from being loaded, but may also break other
functionality relying on modules.

For Debian 7 "Wheezy", these problems have been fixed in version
2.5.2.26540.ds4-1~deb7u4.

We recommend that you upgrade your firebird2.5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------
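A small audit helper, added here as an example and not part of the Debian advisory or the AusCERT bulletin: it reads firebird.conf text and reports the effective UdfAccess value, treating commented-out directives as inactive, so an administrator can confirm that the UdfAccess=None mitigation is actually in force. The pre-patch default "Restrict UDF" and the case-insensitive key match are assumptions about Firebird's parser, and the sample configurations are constructed.

```python
"""Audit firebird.conf text for the UdfAccess=None mitigation."""

# Assumed upstream Firebird 2.5 default when the directive is absent or
# commented out (an assumption; the advisory does not state it).
ASSUMED_DEFAULT = "Restrict UDF"


def effective_udf_access(conf_text: str) -> str:
    """Return the UdfAccess value that would apply for this firebird.conf text.

    firebird.conf uses 'Key = Value' lines and '#' starts a comment, so a
    commented-out directive does not count. The last active assignment wins.
    """
    value = ASSUMED_DEFAULT
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or "=" not in line:
            continue
        key, _, val = line.partition("=")
        # Key compared case-insensitively (an assumption about the parser).
        if key.strip().lower() == "udfaccess":
            value = val.strip()
    return value


def udf_loading_disabled(conf_text: str) -> bool:
    """True only when UdfAccess is None, the setting the deb7u4 package applies."""
    return effective_udf_access(conf_text).lower() == "none"


# Constructed sample configurations, not taken from any real system.
CONF_BEFORE = """\
# Directive left commented out, so the built-in default applies
#UdfAccess = Restrict UDF
RemoteServicePort = 3050
"""

CONF_AFTER = """\
RemoteServicePort = 3050
# Mitigation from the advisory: no external UDF libraries are loaded
UdfAccess = None
"""

if __name__ == "__main__":
    for name, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        state = "disabled" if udf_loading_disabled(conf) else "STILL ENABLED"
        print(f"{name}: UdfAccess={effective_udf_access(conf)!r} -> UDF loading {state}")
```

Remember that a result of "disabled" also means the fbudf module and any other UDF-dependent functionality described in the advisory will no longer load.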

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================