===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.3960
firebird3.0 security update
22 November 2021
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           firebird3.0
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-11509
Reference:         ESB-2020.0754
                   ESB-2018.1463

Original Bulletin:
https://lists.debian.org/debian-lts-announce/2021/11/msg00018.html

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2824-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
November 20, 2021                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : firebird3.0
Version        : 3.0.1.32609.ds4-14+deb9u1
CVE ID         : CVE-2017-11509

An authenticated remote attacker can execute arbitrary code in Firebird, a relational database based on InterBase 6.0, by executing a malformed SQL statement. The only known solution is to disable external UDF libraries from being loaded. In order to achieve this, the default configuration has changed to UdfAccess=None. This will prevent the fbudf module from being loaded, but may also break other functionality relying on modules.

For Debian 9 stretch, this problem has been fixed in version 3.0.1.32609.ds4-14+deb9u1.

We recommend that you upgrade your firebird3.0 packages.

For the detailed security status of firebird3.0 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/firebird3.0

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content.
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
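
A check for the mitigation described in the Debian advisory above, as an added example that is not part of the bulletin or of Debian's or Firebird's own tooling: it reports whether a Firebird configuration file still carries an active UdfAccess line other than None. The file path is supplied by the caller; the function names, the assumed `Key = Value` and `#` comment syntax, and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bulletin): audit a Firebird config file for
# the UdfAccess=None mitigation. udf_access_check FILE returns:
#   0  every active UdfAccess line is "None"
#   1  an active line still permits UDF loading (anything but "None")
#   2  no active UdfAccess line: the installed build's default applies
#   3  FILE could not be read

# Print the value of each uncommented UdfAccess line, one per line.
# Assumed syntax: "Key = Value", "#" starts a comment, keys case-insensitive.
udf_access_values() {
    awk '{
        line = $0
        sub(/#.*/, "", line)                 # drop comments
        eq = index(line, "=")
        if (eq == 0) next
        key = substr(line, 1, eq - 1)
        val = substr(line, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)     # trim both ends
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (tolower(key) == "udfaccess") print (val == "" ? "(empty)" : val)
    }' "$1"
}

udf_access_check() {
    values=$(udf_access_values "$1" 2>/dev/null) || return 3
    [ -n "$values" ] || return 2
    if printf '%s\n' "$values" | grep -qiv '^none$'; then
        return 1
    fi
    return 0
}

# Constructed sample: mitigation commented out, permissive line still active.
sample_conf() {
    printf '%s\n' '# constructed sample, not a real firebird.conf' \
        '#UdfAccess = None' \
        'UdfAccess = Restrict UDF'
}

# Stand-alone use: sh check_udf.sh FILE
if [ "$#" -gt 0 ]; then
    udf_access_check "$1"
    echo "udf_access_check status: $?"
fi
```

A status of 2 means the result depends on the installed package version, since per the advisory only the fixed build defaults to UdfAccess=None.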