[pkg-firebird-general] Bug#432753: CVE-2006-7211 to 7214 : unfixed in firebird1.5
Moritz Muehlenhoff
jmm at inutil.org
Thu Dec 27 19:58:35 UTC 2007
Damyan Ivanov wrote:
> The first three affect all versions of the package
> (sarge-etch-lenny-sid). Note that in lenny/sid the package is renamed to
> firebird1.5, sarge and etch use firebird2 name.
>
> CVE-2006-7211 was patched locally so debian packages are not vulnerable
> in all suites.
>
> CVE-2006-7214 and CVE-2006-7212 cannot be easily fixed. The upstream
> release (2.0.x) that fixes these is a major rework and back-porting
> means adopting the new release (quoting upstream, my impression too).
> This is practically impossible for (old)stable. Even if we want to apply
> the iceweasel approach, the new upstream release requires migration of
> the databases so this is infeasible for stable/oldstable.
>
> CVE-2006-7213 can be fixed by the patch based on that change
>
> http://firebird.cvs.sourceforge.net/firebird/firebird2/src/jrd/jrd.cpp?r1=1.206&r2=1.207
>
> I've consulted with upstream and decided to schedule firebird1.5 for
> removal from unstable/testing because it is no longer supported by them.
>
> I guess removing firebird2 from stable/oldstable is not an option? :/
If upstream asserts that a backport would be very intrusive and hard to
fix, that is still the option of last resort. We at least would need to
send out a DSA that it is no longer supported and announce that it will
be removed from stable/oldstable. Can you provide an Etch backport of 2.x
on backports.org as an alternative?
Fortunately firebird2 has hardly any users.
What's more important, what indication do we have that such a situation
won't re-occur?
Cheers,
Moritz