[pkg-firebird-general] Bug#432753: CVE-2006-7211 to 7214 : unfixed in firebird1.5

Moritz Muehlenhoff jmm at inutil.org
Thu Dec 27 19:58:35 UTC 2007


Damyan Ivanov wrote:
> The first three affect all versions of the package
> (sarge-etch-lenny-sid). Note that in lenny/sid the package is renamed to
> firebird1.5, sarge and etch use firebird2 name.
> 
> CVE-2006-7211 was patched locally so debian packages are not vulnerable
> in all suites.
> 
> CVE-2006-7214 and CVE-2006-7212 cannot be easily fixed. The upstream
> release (2.0.x) that fixes these is a major rework and back-porting
> means adopting the new release (quoting upstream, my impression too).
> This is practically impossible for (old)stable. Even if we want to apply
> the iceweasel approach, the new upstream release requires migration of
> the databases so this is infeasible for stable/oldstable.
> 
> CVE-2006-7213 can be fixed by the patch based on that change
> 
> http://firebird.cvs.sourceforge.net/firebird/firebird2/src/jrd/jrd.cpp?r1=1.206&r2=1.207
> 
> I've consulted with upstream and decided to schedule firebird1.5 for
> removal from unstable/testing because it is no longer supported by them.
> 
> I guess removing firebird2 from stable/oldstable is not an option? :/

If upstream asserts that a backport would be very intrusive and hard to
fix, that is still the option of last resort. We at least would need to
send out a DSA that it is no longer supported and announce that it will
be removed from stable/oldstable. Can you provide an Etch backport of 2.x
on backports.org as an alternative?

Fortunately firebird2 has hardly any users. 

What's more important, what indication do we have that such a situation
won't re-occur?

Cheers,
        Moritz