[Pkg-firebird-general] Bug#251458: firebird: remote vulnerability

Remco Seesink <raseesink@hotpop.com>, 251458@bugs.debian.org
Tue, 27 Jul 2004 21:05:28 +0200


On Tue, 27 Jul 2004 02:34:32 -0700
Steve Langasek <vorlon@debian.org> wrote:
> The firebird package in Debian has a long-standing remote security
> hole. We should not release such a package in sarge.
> 
> Removing this package from sarge will also mean removing the
> php4-interbase, python-kinterbasdb, and zope-kinterbasdbda packages;
> therefore, as maintainers of these packages, I am cc:ing you to see if
> any of you are willing to do the necessary work to get the firebird
> package ready for release.
> 
> I understand that the bugs are supposed to be fixed in firebird 1.5,
> which is not yet packaged.  If this is too much work to get done
> before sarge, perhaps it makes sense to upload a firebird 1.0 package
> providing only the client libraries?

Hello,

Firebird 1.5.0 is currently waiting to be accepted by the ftp-masters to
get included in unstable. It already received testing and it could provide
the libfirebird dependency which would satisfy existing packages. I believe
the current uploaded version does not do that yet, but could be fixed easily.
A 1.5.1 version is also ready for upload. Daniel Urban <daniel@sente.pl> has
done the most work and people from the mailing list
pkg-firebird-general@lists.alioth.debian.org.

The 1.5 version is packaged as firebird2 and could live in the same
repository.

There is a need for firebird 1.0.3 besides the 1.5 version, but the 1.5
version includes extensive code reviews which fix many security-related
bugs, not just #251458.

There is also a package (ibwebadmin) waiting for my sponsor to upload it
which depends on php-interbase; until that happens it is not a problem for
the release :/

Cheers,
Remco.