Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0319 -- [Win][UNIX/Linux][Debian]
New Firebird packages fix several vulnerabilities
28 March 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: firebird2
Publisher: Debian
Operating System: Debian GNU/Linux
UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2008-0467 CVE-2008-0387 CVE-2007-4669
CVE-2007-4668 CVE-2007-4667 CVE-2007-4666
CVE-2007-4665 CVE-2007-4664 CVE-2007-3527
CVE-2007-3181 CVE-2007-2606 CVE-2006-7214
CVE-2006-7213 CVE-2006-7212 CVE-2006-7211
Ref: ESB-2008.0099
Original Bulletin: http://www.debian.org/security/2008/dsa-1529
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running firebird check for an updated version of the software for
their operating system at:
http://www.firebirdsql.org
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1529-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
March 24, 2008 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : firebird2
Vulnerability : several
Problem type : local/remote
Debian-specific: no
CVE Id(s) : CVE-2008-0387 CVE-2008-0467 CVE-2006-7211 CVE-2007-4664
CVE-2007-4665 CVE-2007-4666 CVE-2007-4667 CVE-2007-4668
CVE-2007-4669 CVE-2007-3527 CVE-2007-3181 CVE-2007-2606
CVE-2006-7212 CVE-2006-7213 CVE-2006-7214
Debian Bug(s) : 362001 432753 444976 441405 460048 463596
Multiple security problems have been discovered in the Firebird database,
which may lead to the execution of arbitrary code or denial of service.
This Debian security advisory is a bit unusual. While it's normally
our strict policy to backport security bugfixes to older releases, this
turned out to be infeasible for Firebird 1.5 due to large infrastructural
changes necessary to fix these issues. As a consequence security support
for Firebird 1.5 is hereby discontinued, leaving two options to
administrators running a Firebird database:
I. Administrators running Firebird in a completely internal setup with
trusted users could leave it unchanged.
II. Everyone else should upgrade to the firebird2.0 packages available at
http://www.backports.org/backports.org/pool/main/f/firebird2.0/
Version 2.0.3.12981.ds1-6~bpo40+1 fixes all known issues.
Please refer to the general backports.org documentation to add the
packages to your package management configuration:
http://www.backports.org/dokuwiki/doku.php?id=instructions
These packages are backported to run with Debian stable. Since
firebird2.0 is not a drop-in replacement for firebird2 (which
is the source package name for the Firebird 1.5 packages)
these updates are not released through security.debian.org.
Potential future security problems affecting Debian stable will be
released through backports.org as well.
Arrangements have been made to ensure that Firebird in the upcoming
Debian 5.0 release will be supportable with regular backported
security bugfixes again.
For a more detailed descriptions of the security problems, please refer
to the entries in the Debian Bug Tracking System referenced above and
the following URLs:
http://www.firebirdsql.org/rlsnotes/Firebird-2.0-ReleaseNotes.pdf
http://www.firebirdsql.org/rlsnotes/Firebird-2.0.1-ReleaseNotes.pdf
http://www.firebirdsql.org/rlsnotes/Firebird-2.0.2-ReleaseNotes.pdf
- - ---------------------------------------------------------------------------------
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFH6subXm3vHE4uyloRAnHaAJ46J9dUTRLJA/nNr/r5fqvezenMAgCePrM/
JO6vfhxwzbrL8i4F6we+lZc=
=zyjo
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBR+wowCh9+71yA2DNAQIFGgP/Yzmgykf2L7fU5JuCy4NL56RK1QIXZYdK
qq7ONgKy1BP2pF7HsPXB/LOP5fB4+R032LJMX9Mh0xYpAlUH1eVZEF1jJ8EqjUI1
7x5BAWR6njacrdSXNXho5Uws9Skhcd1wQrLaDYLsyCC057YOi8Ty9qO+pKGv7HLP
+vcB/iCuuzg=
=Jbhw
-----END PGP SIGNATURE-----