Debian Security Advisory

DSA-1529-1 firebird -- multiple vulnerabilities

Date Reported: 24 Mar 2008
Affected Packages: firebird
Vulnerable: Yes
Security database references:
In the Debian bugtracking system: Bug 362001, Bug 432753, Bug 444976, Bug 441405, Bug 460048, Bug 463596.
In Mitre's CVE dictionary: CVE-2008-0387, CVE-2008-0467, CVE-2006-7211, CVE-2007-4664, CVE-2007-4665, CVE-2007-4666, CVE-2007-4667, CVE-2007-4668, CVE-2007-4669, CVE-2007-3527, CVE-2007-3181, CVE-2007-2606, CVE-2006-7212, CVE-2006-7213, CVE-2006-7214.
More information:

Multiple security problems have been discovered in the Firebird database, which may lead to the execution of arbitrary code or denial of service.

This Debian security advisory is a bit unusual. While it's normally our strict policy to backport security bugfixes to older releases, this turned out to be infeasible for Firebird 1.5 because of the large infrastructural changes necessary to fix these issues. As a consequence, security support for Firebird 1.5 is hereby discontinued, leaving two options to administrators running a Firebird database:

  1. Administrators running Firebird in a completely internal setup with trusted users could leave it unchanged.
  2. Everyone else should upgrade to the firebird2.0 packages available at backports.org.

    Version 2.0.3.12981.ds1-6~bpo40+1 fixes all known issues.

    Please refer to the general backports.org documentation to add the packages to your package management configuration.

    These packages are backported to run with Debian stable. Since firebird2.0 is not a drop-in replacement for firebird2 (which is the source package name for the Firebird 1.5 packages), these updates are not released through security.debian.org. Corrections for potential future security problems affecting Debian stable will be released through backports.org as well.

    Arrangements have been made to ensure that Firebird in the upcoming Debian 5.0 release will be supportable with regular backported security bugfixes again.

For a more detailed description of the security problems, please refer to the entries in the Debian Bug Tracking System referenced above and the following URLs:

http://www.firebirdsql.org/rlsnotes/Firebird-2.0-ReleaseNotes.pdf
http://www.firebirdsql.org/rlsnotes/Firebird-2.0.1-ReleaseNotes.pdf
http://www.firebirdsql.org/rlsnotes/Firebird-2.0.2-ReleaseNotes.pdf