[Pkg-firebird-general] Fw: [Firebird-devel] Patch for
vulnerability firebird 1.0.3 ?
Remco Seesink
raseesink@hotpop.com
Wed, 16 Jun 2004 15:58:22 +0200
Hmmm,

We do care about security and I have a feeling it is not reasonable
to expect the debian security team to do this and I don't think I
can do it either.

This could mean that firebird 1.0.x would be removed because of unsolved
security bugs and we might not have firebird 1.5.x ready in time, ending
up with no firebird at all in sarge. Aargh!

There is a firebird 1.0.3 package ready to replace the current 1.0.2,
but that doesn't get us out of this situation:
http://mentors.debian.net/debian/pool/main/f/

If we were to abandon firebird 1.0.x, would it be better to name the new packages
firebird instead of firebird2 and give some warning on upgrade about making
backups first?

Cheers,
Remco.

On Wed, 16 Jun 2004 23:36:19 +1000
Mark O'Donohue <mark.odonohue@firebirdsql.org> wrote:
>
> And I would second Dmitry's comments.
>
> I should get a chance this weekend to install sarge and then try
> Remco's install packages. I'm aware of most of the tricks done in the
> linux (redhat/mandrake) installs so hopefully once I know a bit more
> about debian packaging I can then be useful.
>
>
> Cheers
>
> Mark
>
>
> Daniel Urban wrote:
> > ----- Original Message -----
> > From: "Alex Peshkov" <pes@insi.yaroslavl.ru>
> > To: <firebird-devel@lists.sourceforge.net>
> > Cc: <251458@bugs.debian.org>
> > Sent: Wednesday, June 16, 2004 1:57 PM
> > Subject: Re: [Firebird-devel] Patch for vulnerability firebird 1.0.3 ?
> >
> >
> >
> >>Remco Seesink wrote:
> >>
> >>
> >>>Hello,
> >>>
> >>>I am trying to fix a security bug on firebird 1.0.2 and 1.0.3 on debian.
> >>>The details of the bug can be found here:
> >>>http://bugs.debian.org/251458
> >>>
> >>>I was wondering if somebody already made a patch for this bug. The
> >>>current plan is to support both firebird 1.0.3 and 1.5.0 in debian. This is
> >>>why upgrading to 1.5.0 wouldn't help.
> >>>
> >>>If there is no patch, any pointers to what source files are likely
> >>>involved?
> >>>
> >>Unfortunately, very many.
> >>It was rather big code review during which we tried to fix a great(!)
> >>lot of buffer overflows in firebird sources.
> >>This particular bug may be fixed relatively easily, but to my mind it makes
> >>no sense - there is a great lot of other overflows and some other
> >>security holes (including execution of arbitrary code with root rights)
> >>that were fixed in fb1.5.
> >>It seems unreal to me to backport them all to 1.0, therefore if one
> >>cares about security - use 1.5.
> >>
> >>
> >>>Cheers,
> >>>Remco Seesink.
> >>>
> >>>
> >>>
> >>>
> >>
> >>Alex.
> >>
> >>
> >>
> >>
> >>Firebird-Devel mailing list, web interface at
> >>https://lists.sourceforge.net/lists/listinfo/firebird-devel
> >
> >
> >
> > _______________________________________________
> > Pkg-firebird-general mailing list
> > Pkg-firebird-general@lists.alioth.debian.org
> > http://lists.alioth.debian.org/mailman/listinfo/pkg-firebird-general
> >
> >