[pkg-firebird-general] Bug#432753: CVE-2006-7211 to 7214 : unfixed in firebird1.5

Moritz Muehlenhoff jmm at inutil.org
Sun Jan 6 16:35:52 UTC 2008


On Thu, Dec 27, 2007 at 08:58:35PM +0100, Moritz Muehlenhoff wrote:
> Damyan Ivanov wrote:
> > The first three affect all versions of the package
> > (sarge-etch-lenny-sid). Note that in lenny/sid the package is renamed to
> > firebird1.5, sarge and etch use firebird2 name.
> > 
> > CVE-2006-7211 was patched locally so Debian packages are not vulnerable
> > in all suites.
> > 
> > CVE-2006-7214 and CVE-2006-7212 cannot be easily fixed. The upstream
> > release (2.0.x) that fixes these is a major rework and back-porting
> > means adopting the new release (quoting upstream, my impression too).
> > This is practically impossible for (old)stable. Even if we want to apply
> > the iceweasel approach, the new upstream release requires migration of
> > the databases so this is infeasible for stable/oldstable.
> > 
> > CVE-2006-7213 can be fixed by the patch based on that change
> > 
> > http://firebird.cvs.sourceforge.net/firebird/firebird2/src/jrd/jrd.cpp?r1=1.206&r2=1.207
> > 
> > I've consulted with upstream and decided to schedule firebird1.5 for
> > removal from unstable/testing because it is no longer supported by them.
> > 
> > I guess removing firebird2 from stable/oldstable is not an option? :/
> 
> If upstream asserts that a backport would be very intrusive and hard to
> fix, that is still the option of last resort. We at least would need to
> send out a DSA that it is no longer supported and announce that it will
> be removed from stable/oldstable. Can you provide an Etch backport of 2.x
> on backports.org as an alternative?
> 
> Fortunately firebird2 has hardly any users. 
> 
> What's more important, what indication do we have that such a situation
> won't re-occur?

ping
 
Cheers,
        Moritz

