[pkg-firebird-general] Wheezy update of firebird2.5?

marius adrian popa mapopa at gmail.com
Thu Apr 12 13:49:26 UTC 2018


The only fix for current releases (2.5/3.0) is disabling UDF access in
config by default

UdfAccess = None

Response from Alexander Peshkov
"That's fixed in FB4 - loading UDFs is denied by default configuration, use
of them is deprecated, replacement is UDRs which are not affected by
mentioned vulnerability.
In FB3 one should be sysdba or granted special right to declare external
functions. This does not solve the problem - just makes it a bit less
dangerous.
We can't do something better with this, therefore no fixes for current
releases."

On Wed, Apr 4, 2018 at 10:54 PM, Damyan Ivanov <dmn at debian.org> wrote:

> -=| Chris Lamb, 04.04.2018 08:39:52 +0100 |=-
> > Dear maintainer(s),
> >
> > The Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of firebird2.5:
> > https://security-tracker.debian.org/tracker/source-package/firebird2.5
> >
> > Would you like to take care of this yourself?
>
> Sorry, no.
>
> AFAIS, the only open vulnerability is CVE-2017-11509. Moritz from the
> security team advised against updating that for stable, and the issue
> is still open in unstable.
>
> According to the researchers discovering it, upstream refused to fix
> it :( so the only "fix" I am aware of is the change in the default
> config to disable the vulnerable functionality. You can find the patch
> for firebird3.0 at
> https://salsa.debian.org/firebird-team/firebird3.0/commit/5ad1c64f67ce9f091a2b747fa54519ef7d144698
>
> It is perhaps not directly applicable to firebird2.5, but should help
> regardless.
>
>
> Good luck!
>
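One way to check that the configuration change discussed in this thread is actually in effect on a host, as an added example that is not part of the original messages or of the Debian patch. The function names, the sample files and the strict rule that every active UdfAccess line must be exactly "None" are assumptions of this sketch; the config files are constructed samples.

```sh
#!/bin/sh
# Added example (not from the thread): audit a firebird.conf for the
# "UdfAccess = None" mitigation.

# Returns 0 only if every active (uncommented) UdfAccess line is "None".
check_udf_access() {
    cua_conf="$1"
    [ -r "$cua_conf" ] || { echo "ERROR: cannot read $cua_conf"; return 2; }
    # Lines starting with '#' are commented-out defaults and do not count.
    cua_active=$(grep -iE '^[[:space:]]*UdfAccess[[:space:]]*=' "$cua_conf" || true)
    if [ -z "$cua_active" ]; then
        # Assumption: with no active line the server's built-in default
        # applies, which on 2.5/3.0 still allows UDFs (per the thread, only
        # FB4 denies them by default), so report this as unmitigated.
        echo "UNMITIGATED: no active UdfAccess line"
        return 1
    fi
    # Any active line whose value is not exactly "None" fails the audit.
    cua_bad=$(printf '%s\n' "$cua_active" | grep -ivE '=[[:space:]]*None[[:space:]]*$' || true)
    if [ -n "$cua_bad" ]; then
        echo "UNMITIGATED: $cua_bad"
        return 1
    fi
    echo "OK: UdfAccess = None"
}

# Constructed sample configs for demonstration (not real system files).
write_samples() {
    printf '%s\n' '# sample' '#UdfAccess = Restrict UDF' 'RemoteServicePort = 3050' > "$1/default.conf"
    printf '%s\n' 'RemoteServicePort = 3050' 'UdfAccess = None' > "$1/hardened.conf"
    printf '%s\n' 'UdfAccess = None' 'udfaccess = Full' > "$1/mixed.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in default hardened mixed; do
    printf '%s: ' "$f"
    check_udf_access "$demo_dir/$f.conf" || true
done
rm -rf "$demo_dir"
```

Pointing `check_udf_access` at the installed firebird.conf of each instance gives a quick pass/fail for the mitigation; the path differs per package version and is not given in the thread.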