[pkg-firebird-general] Bug#432753: [Firebird-devel] Old 1.5 security issues question
Alex Peshkov
peshkoff at mail.ru
Wed Aug 15 06:32:22 UTC 2007
On Wednesday 15 August 2007 00:33, Damyan Ivanov wrote:
> Dear Firebird developers,
>
> I've got a bug report for the debian packages for firebrid 1.5 that I
> can't handle myself. I would be grateful for some insights.
>
//....
> The other two, however are rather unclear as of how to reproduce or
> whether they are fixed in 1.5.3 (or 1.5.4) so I'd appreciate your comments:
In brief - firebird 1.5 is not supported any more. It was decided not to have
any more point releases of it.
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7214
> CVE-2006-7214
> Multiple unspecified vulnerabilities in Firebird 1.5 allow remote
> attackers to (1) cause a denial of service (application crash) by
> sending many remote protocol versions; and (2) cause a denial of
> service (connection drop) via certain network traffic, as
> demonstrated by Nessus vulnerability scanning.
This one in theory can be fixed - backporting from HEAD is possible.
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7212
> CVE-2006-7212
> Multiple buffer overflows in Firebird 1.5, one of which affects
> WNET, have unknown impact and attack vectors. NOTE: this issue might
> overlap CVE-2006-1240.
They are so multiple that it's close to impossible to backport them. Moreover,
fixes for some of them are based on new collection of classes, introduced in
2.0. I.e. firebird after fixing all BOFs will not be 1.5 any more :)
> As far as I can tell, the existence of the issues is deduced from
> firebird 2.0 release notes, which are not very clear about what exactly
> the problem is and how to reproduce it.
>
> Your comments are much appreciated. Please carbon-copy
> 432753 at bugs.debian.org in your replies.
Alex.
More information about the pkg-firebird-general
mailing list