[Pkg-firebird-general] Bug#251458: firebird: remote vulnerability

Steve Langasek Steve Langasek <vorlon@debian.org>, 251458@bugs.debian.org
Tue, 27 Jul 2004 21:33:13 -0700

On Tue, Jul 27, 2004 at 09:05:28PM +0200, Remco Seesink wrote:
> On Tue, 27 Jul 2004 02:34:32 -0700
> Steve Langasek <vorlon@debian.org> wrote:
> > The firebird package in Debian has a long-standing remote security
> > hole. We should not release such a package in sarge.

> > Removing this package from sarge will also mean removing the
> > php4-interbase, python-kinterbasdb, and zope-kinterbasdbda packages;
> > therefore, as maintainers of these packages, I am cc:ing you to see if
> > any of you are willing to do the necessary work to get the firebird
> > package ready for release.

> > I understand that the bugs are supposed to be fixed in firebird 1.5,
> > which is not yet packaged.  If this is too much work to get done
> > before sarge, perhaps it makes sense to upload a firebird 1.0 package
> > providing only the client libraries?

> Firebird 1.5.0 is currently waiting for the ftp-masters to be accepted to
> get included in unstable. It already received testing and it could provide
> the libfirebird dependency which would satisfy existing packages. I believe
> the current uploaded version does not do that yet, but could be fixed easily.
> A 1.5.1 version is also ready for upload. Daniel Urban <daniel@sente.pl> has
> done the most work and people from the mailing list
> pkg-firebird-general@lists.alioth.debian.org

> The 1.5 version is packaged as firebird2 and could live in the same
> repository.

> There is a need for firebird 1.0.3 besides the 1.5 version, but the 1.5
> version includes extensive code reviews which fix many security related
> bugs, not just #251458.

As you have probably seen, firebird 1.5 has cleared the NEW queue now.

Can you elaborate on what the needs are for a firebird 1.0.3?  If the
libraries can be provided by the firebird2 package, and the firebird 1.0
server has too many security holes to be included in a stable release,
what's left in the 1.0 package that warrants keeping it around?  When I
asked James to look at this one, he did have misgivings about the
package rename, since there's no evident reason to keep two source
packages around; so I'd like to know there's a good answer for this.

In any case, at this point the quickest way to get these packages into
a releasable state, now that firebird2 is available, is to remove the
binary package from firebird (1.0) that contains the security problems,
so that this bug can be closed.  Once that's done, you can sort out
which package you want to provide the libraries in the long term; but
trying to make such changes now is likely to prejudice the chances of
any of these client packages making it into sarge.

Thanks,
-- 
Steve Langasek
postmodern programmer