Debian Bug report logs - #432753
CVE-2006-7211 to 7214 : unfixed in firebird1.5

Package: firebird2-server-common; Maintainer for firebird2-server-common is (unknown);

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Wed, 11 Jul 2007 19:15:01 UTC

Severity: normal

Tags: security

Done: Damyan Ivanov <dmn@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#432753; Package firebird1.5. Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-7211 to 7214 : unfixed in firebird1.5
Date: Wed, 11 Jul 2007 21:13:05 +0200
Package: firebird1.5
Severity: normal
Tags: security


These issues are reported to be fixed in 2.0, but I can't find any references in
the changelogs that they are fixed in 1.5:


CVE-2006-7214

Multiple unspecified vulnerabilities in Firebird 1.5 allow remote attackers to
(1) cause a denial of service (application crash) by sending many remote
protocol versions; and (2) cause a denial of service (connection drop) via
certain network traffic, as demonstrated by Nessus vulnerability scanning.

CVE-2006-7213

Firebird 1.5 allows remote authenticated users without SYSDBA and owner
permissions to overwrite a database by creating a database.

CVE-2006-7212

Multiple buffer overflows in Firebird 1.5, one of which affects WNET, have
unknown impact and attack vectors. NOTE: this issue might overlap CVE-2006-1240.

CVE-2006-7211

fb_lock_mgr in Firebird 1.5 uses weak permissions (0666) for the semaphore
array, which allows local users to cause a denial of service (blocked query
processing) by locking semaphores.



http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7211
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7212
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7213
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7214



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#432753; Package firebird1.5. Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 432753@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: 432753@bugs.debian.org
Subject: CVE-2006-7211 already fixed
Date: Wed, 11 Jul 2007 21:19:19 +0200
Hi,

it seems I was wrong about CVE-2006-7211, which is probably #362001 
fixed in 1.5.3.4870-4.

Cheers,
Stefan



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#432753; Package firebird1.5. Full text and rfc822 format available.

Acknowledgement sent to Damyan Ivanov <dam@modsoftsys.com>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #15 received at 432753@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <dam@modsoftsys.com>
To: Stefan Fritsch <sf@sfritsch.de>, 432753@bugs.debian.org
Subject: Re: [pkg-firebird-general] Bug#432753: CVE-2006-7211 already fixed
Date: Thu, 12 Jul 2007 13:49:21 +0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -=| Stefan Fritsch, 11.07.2007 22:19 |=-

Hi, Stefan,

Thank you very much for taking time to investigate these CVEs.

> it seems I was wrong about CVE-2006-7211, which is probably #362001 
> fixed in 1.5.3.4870-4.

One less. This is good :)

If you have time, you may want to take a look ath
http://bugs.debian.org/src:firebird2

firebird2 was renamed to firebird1.5 after Etch release.

I am with limited connectivity until the end of the week.

If I may add one more wish, can you try to reproduce these bugs with
current firebird1.5 packages? Note there are two flavours -
firebird1.5-super and firebird1.5-classic.

Thanks again,
	dam
- --
Damyan Ivanov            JabberID: dam@jabber.minus273.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGlgcxHqjlqpcl9jsRArzLAKC5OlGdwZ6r0n0VZbcu/vPpCb7HVACfbi7y
34EQVT1B1DQ10GNSU5xqbHo=
=TfJG
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#432753; Package firebird1.5. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #20 received at 432753@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Damyan Ivanov <dam@modsoftsys.com>
Cc: Stefan Fritsch <sf@sfritsch.de>, 432753@bugs.debian.org
Subject: Re: [pkg-firebird-general] Bug#432753: CVE-2006-7211 already fixed
Date: Mon, 13 Aug 2007 00:49:59 +0200
Damyan Ivanov wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - -=| Stefan Fritsch, 11.07.2007 22:19 |=-
> 
> Hi, Stefan,
> 
> Thank you very much for taking time to investigate these CVEs.

It's been a month now. Is firebird in stable affected?

If you can't figure it out yourself as the maintainer you need to
contact upstream.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#432753; Package firebird1.5. Full text and rfc822 format available.

Acknowledgement sent to Damyan Ivanov <dam@modsoftsys.com>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #25 received at 432753@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <dam@modsoftsys.com>
To: firebird-devel@lists.sourceforge.net
Cc: 432753@bugs.debian.org
Subject: Old 1.5 security issues question
Date: Tue, 14 Aug 2007 23:33:07 +0300
Dear Firebird developers,

I've got a bug report for the debian packages for firebrid 1.5 that I
can't handle myself. I would be grateful for some insights.

http://bugs.debian.org/432753

There is some uncertainty about four CVE issues with regard of their
presence in Firebird 1.5.3.

Two of these
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7213
    CVE-2006-7213
    Firebird 1.5 allows remote authenticated users without SYSDBA and
    owner permissions to overwrite a database by creating a database.
and
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7211
    CVE-2006-7211
    fb_lock_mgr in Firebird 1.5 uses weak permissions (0666) for the
    semaphore array, which allows local users to cause a denial of
    service (blocked query processing) by locking semaphores.
are unreproducible with Debian packages and thus are not that interesting.

The other two, however are rather unclear as of how to reproduce or
whether they are fixed in 1.5.3 (or 1.5.4) so I'd appreciate your comments:

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7214
    CVE-2006-7214
    Multiple unspecified vulnerabilities in Firebird 1.5 allow remote
    attackers to (1) cause a denial of service (application crash) by
    sending many remote protocol versions; and (2) cause a denial of
    service (connection drop) via certain network traffic, as
    demonstrated by Nessus vulnerability scanning.

    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7212
    CVE-2006-7212
    Multiple buffer overflows in Firebird 1.5, one of which affects
    WNET, have unknown impact and attack vectors. NOTE: this issue might
    overlap CVE-2006-1240.

As far as I can tell, the existence of the issues is deduced from
firebird 2.0 release notes, which are not very clear about what exactly
the problem is and how to reproduce it.

Your comments are much appreciated. Please carbon-copy
432753@bugs.debian.org in your replies.
-- 
dam                   JabberID: dam@jabber.minus273.org




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#432753; Package firebird1.5. Full text and rfc822 format available.

Acknowledgement sent to Alex Peshkov <peshkoff@mail.ru>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #30 received at 432753@bugs.debian.org (full text, mbox):

From: Alex Peshkov <peshkoff@mail.ru>
To: firebird-devel@lists.sourceforge.net
Cc: 432753@bugs.debian.org
Subject: Re: [Firebird-devel] Old 1.5 security issues question
Date: Wed, 15 Aug 2007 10:32:22 +0400
On Wednesday 15 August 2007 00:33, Damyan Ivanov wrote:
> Dear Firebird developers,
>
> I've got a bug report for the debian packages for firebrid 1.5 that I
> can't handle myself. I would be grateful for some insights.
>

//....

> The other two, however are rather unclear as of how to reproduce or
> whether they are fixed in 1.5.3 (or 1.5.4) so I'd appreciate your comments:

In brief - firebird 1.5 is not supported any more. It was decided not to have 
any more point releases of it.

>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7214
>     CVE-2006-7214
>     Multiple unspecified vulnerabilities in Firebird 1.5 allow remote
>     attackers to (1) cause a denial of service (application crash) by
>     sending many remote protocol versions; and (2) cause a denial of
>     service (connection drop) via certain network traffic, as
>     demonstrated by Nessus vulnerability scanning.

This one in theory can be fixed - backporting from HEAD is possible.

>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7212
>     CVE-2006-7212
>     Multiple buffer overflows in Firebird 1.5, one of which affects
>     WNET, have unknown impact and attack vectors. NOTE: this issue might
>     overlap CVE-2006-1240.

They are so multiple that it's close to impossible to backport them. Moreover, 
fixes for some of them are based on new collection of classes, introduced in 
2.0. I.e. firebird after fixing all BOFs will not be 1.5 any more :)

> As far as I can tell, the existence of the issues is deduced from
> firebird 2.0 release notes, which are not very clear about what exactly
> the problem is and how to reproduce it.
>
> Your comments are much appreciated. Please carbon-copy
> 432753@bugs.debian.org in your replies.

Alex.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#432753; Package firebird1.5. Full text and rfc822 format available.

Acknowledgement sent to Damyan Ivanov <dam@modsoftsys.com>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #35 received at 432753@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <dam@modsoftsys.com>
To: firebird-devel@lists.sourceforge.net
Cc: 432753@bugs.debian.org
Subject: Re: [Firebird-devel] Old 1.5 security issues question
Date: Wed, 15 Aug 2007 10:05:15 +0300
[please keep Cc: 432753@bugs.debian.org as before. Thanks!]

Hi, Alex,

Thank you for taking time to reply.

-=| Alex Peshkov, 15.08.2007 09:32 |=-
> On Wednesday 15 August 2007 00:33, Damyan Ivanov wrote:

> In brief - firebird 1.5 is not supported any more. It was decided not to have 
> any more point releases of it.

Understood.

>>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7214
>>     CVE-2006-7214
>>     Multiple unspecified vulnerabilities in Firebird 1.5 allow remote
>>     attackers to (1) cause a denial of service (application crash) by
>>     sending many remote protocol versions; and (2) cause a denial of
>>     service (connection drop) via certain network traffic, as
>>     demonstrated by Nessus vulnerability scanning.
> 
> This one in theory can be fixed - backporting from HEAD is possible.

OK. I don't require that you make the porting. I just need some clues
about what exactly the problems are (instructions how to reproduce them
would be nice) and where to look at for fixes. Is this feasible?
I really would not want to take too much time from you.

>>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7212
>>     CVE-2006-7212
>>     Multiple buffer overflows in Firebird 1.5, one of which affects
>>     WNET, have unknown impact and attack vectors. NOTE: this issue might
>>     overlap CVE-2006-1240.
> 
> They are so multiple that it's close to impossible to backport them. Moreover, 
> fixes for some of them are based on new collection of classes, introduced in 
> 2.0. I.e. firebird after fixing all BOFs will not be 1.5 any more :)

I see. Unfortunately we can't just drop 2.0 as a replacement for 1.5 in
Debian/stable, because "stable" is meant to not offer *any* surprises
and migration from 1.5 to 2.0 is far from trivial.

Can you estimate to what extentt 1.5.4 suffers from this, compared to 1.5.3?
-- 
dam            JabberID: dam@jabber.minus273.org



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#432753; Package firebird1.5. Full text and rfc822 format available.

Acknowledgement sent to Alex Peshkov <peshkoff@mail.ru>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #40 received at 432753@bugs.debian.org (full text, mbox):

From: Alex Peshkov <peshkoff@mail.ru>
To: firebird-devel@lists.sourceforge.net
Cc: 432753@bugs.debian.org
Subject: Re: [Firebird-devel] Old 1.5 security issues question
Date: Wed, 15 Aug 2007 11:27:39 +0400
On Wednesday 15 August 2007 11:05, Damyan Ivanov wrote:
> >>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7214
> >>     CVE-2006-7214
> >>     Multiple unspecified vulnerabilities in Firebird 1.5 allow remote
> >>     attackers to (1) cause a denial of service (application crash) by
> >>     sending many remote protocol versions; and (2) cause a denial of
> >>     service (connection drop) via certain network traffic, as
> >>     demonstrated by Nessus vulnerability scanning.
> >
> > This one in theory can be fixed - backporting from HEAD is possible.
>
> OK. I don't require that you make the porting. I just need some clues
> about what exactly the problems are (instructions how to reproduce them
> would be nice) and where to look at for fixes. Is this feasible?
> I really would not want to take too much time from you.

No 1 is specially dangerous cause easy to reproduce (with 2.0 I failed to kill 
server with Nessus - may be did not run it long enough).
There is fixed size CNCT_VERSIONS plain-C array p_cnct_versions (see 
op_connect in protocol.cpp, bool_t xdr_protocol(XDR* xdrs, PACKET* p)). I 
think that comparing one from 1.5 and HEAD will give you clear idea what 
happens. To reliably reproduce an issue I was building a special client that 
was sending >10 kinds of suggested protocol to server. I did not keep it 
after fixing a bug.

> >>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7212
> >>     CVE-2006-7212
> >>     Multiple buffer overflows in Firebird 1.5, one of which affects
> >>     WNET, have unknown impact and attack vectors. NOTE: this issue might
> >>     overlap CVE-2006-1240.
> >
> > They are so multiple that it's close to impossible to backport them.
> > Moreover, fixes for some of them are based on new collection of classes,
> > introduced in 2.0. I.e. firebird after fixing all BOFs will not be 1.5
> > any more :)
>
> I see. Unfortunately we can't just drop 2.0 as a replacement for 1.5 in
> Debian/stable, because "stable" is meant to not offer *any* surprises
> and migration from 1.5 to 2.0 is far from trivial.
>
> Can you estimate to what extentt 1.5.4 suffers from this, compared to
> 1.5.3?

Some are fixed, most not.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#432753; Package firebird1.5. Full text and rfc822 format available.

Acknowledgement sent to Adriano dos Santos Fernandes <adrianosf@uol.com.br>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #45 received at 432753@bugs.debian.org (full text, mbox):

From: Adriano dos Santos Fernandes <adrianosf@uol.com.br>
To: firebird-devel@lists.sourceforge.net
Cc: 432753@bugs.debian.org
Subject: Re: [Firebird-devel] Old 1.5 security issues question
Date: Wed, 15 Aug 2007 07:31:48 -0300
Damyan Ivanov escreveu:
> Dear Firebird developers,
>
> I've got a bug report for the debian packages for firebrid 1.5 that I
> can't handle myself. I would be grateful for some insights.
>
> http://bugs.debian.org/432753
>
> There is some uncertainty about four CVE issues with regard of their
> presence in Firebird 1.5.3.
>
> Two of these
>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7213
>     CVE-2006-7213
>     Firebird 1.5 allows remote authenticated users without SYSDBA and
>     owner permissions to overwrite a database by creating a database.
>   
SF #1155520 - Any user can replace databases created by others


Adriano




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#432753; Package firebird1.5. Full text and rfc822 format available.

Acknowledgement sent to Damyan Ivanov <dam@modsoftsys.com>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #50 received at 432753@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <dam@modsoftsys.com>
To: adrianosf@uol.com.br
Cc: 432753@bugs.debian.org
Subject: Re: [pkg-firebird-general] Bug#432753: [Firebird-devel] Old 1.5 security issues question
Date: Wed, 15 Aug 2007 15:09:57 +0300
[Message part 1 (text/plain, inline)]
-=| Adriano dos Santos Fernandes, 15.08.2007 13:31 |=-
>>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7213
>>     CVE-2006-7213
>>     Firebird 1.5 allows remote authenticated users without SYSDBA and
>>     owner permissions to overwrite a database by creating a database.
>> 
> SF #1155520 - Any user can replace databases created by others

Thanks, Adriano for the pointer.

I looked this up in CVS and I must admit that the change is not present
in 1.5.3 (stable) *and* 1.5.4 (unstable/testing). The code also gave me
a different attack vector. I'll try reproducing this soon.

Note to self: try to replace existing database with "gbak -r", being
non-owner, non-sysdba user.
-- 
dam            JabberID: dam@jabber.minus273.org

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>:
Bug#432753; Package firebird1.5. Full text and rfc822 format available.

Acknowledgement sent to Damyan Ivanov <dam@modsoftsys.com>:
Extra info received and forwarded to list. Copy sent to Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #55 received at 432753@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <dam@modsoftsys.com>
To: 432753@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: [pkg-firebird-general] Bug#432753: CVE-2006-7211 to 7214 : unfixed in firebird1.5
Date: Mon, 20 Aug 2007 13:29:03 +0300
[Message part 1 (text/plain, inline)]
clone 432753 -1 -2
retitle -2 firebird1.x is not supported by upstream any more
severity -2 serious
thanks

-=| Stefan Fritsch, 11.07.2007 22:13 |=-
> These issues are reported to be fixed in 2.0, but I can't find any references in
> the changelogs that they are fixed in 1.5:
> 
> 
> CVE-2006-7214
> 
> Multiple unspecified vulnerabilities in Firebird 1.5 allow remote attackers to
> (1) cause a denial of service (application crash) by sending many remote
> protocol versions; and (2) cause a denial of service (connection drop) via
> certain network traffic, as demonstrated by Nessus vulnerability scanning.
> 
> CVE-2006-7213
> 
> Firebird 1.5 allows remote authenticated users without SYSDBA and owner
> permissions to overwrite a database by creating a database.
> 
> CVE-2006-7212
> 
> Multiple buffer overflows in Firebird 1.5, one of which affects WNET, have
> unknown impact and attack vectors. NOTE: this issue might overlap CVE-2006-1240.
> 
> CVE-2006-7211
> 
> fb_lock_mgr in Firebird 1.5 uses weak permissions (0666) for the semaphore
> array, which allows local users to cause a denial of service (blocked query
> processing) by locking semaphores.

Here's the current status:

The first three affect all versions of the package
(sarge-etch-lenny-sid). Note that in lenny/sid the package is renamed to
firebird1.5, sarge and etch use firebird2 name.

CVE-2006-7211 was patched locally so debian packages are not vulnerable
in all suites.

CVE-2006-7214 and CVE-2006-7212 cannot be easily fixed. The upstream
release (2.0.x) that fixes these is a major rework and back-porting
means adopting the new release (quoting upstream, my impression too).
This is practically impossible for (old)stable. Even if we want to apply
the iceweasel approach, the new upstream release requires migration of
the databases so this is infeasible for stable/oldstable.

CVE-2006-7213 can be fixed by the patch based on that change

http://firebird.cvs.sourceforge.net/firebird/firebird2/src/jrd/jrd.cpp?r1=1.206&r2=1.207

I've consulted with upstream and decided to schedule firebird1.5 for
removal from unstable/testing because it is no longer supported by them.

I guess removing firebird2 from stable/oldstable is not an option? :/

I can prepare packages that fix CVE-2006-7213 for etch and sarge.
-7212 and -7214 can't be fixed, though. What do we do?
-- 
dam            JabberID: dam@jabber.minus273.org

[signature.asc (application/pgp-signature, attachment)]

Bug 432753 cloned as bugs 438854, 438855. Request was from Damyan Ivanov <dam@modsoftsys.com> to control@bugs.debian.org. (Mon, 20 Aug 2007 10:30:05 GMT) Full text and rfc822 format available.

Reply sent to Damyan Ivanov <dmn@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #62 received at 432753-done@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <dmn@debian.org>
To: 446472-done@bugs.debian.org, 446475-done@bugs.debian.org, 446373-done@bugs.debian.org, 438855-done@bugs.debian.org, 432753-done@bugs.debian.org
Subject: Closing security bugs of removed firebird1.5
Date: Fri, 23 Nov 2007 07:59:50 +0200
[Message part 1 (text/plain, inline)]
With the removal of firebird1.5 from the archive, its security bugs are
no longer a concern.

firebird1.5 is removed as upstream has no intent of providing any kind
of support to it, including security support.
-- 
dam            JabberID: dam@jabber.minus273.org
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 21 Dec 2007 07:30:58 GMT) Full text and rfc822 format available.

Bug unarchived. Request was from Damyan Ivanov <dmn@debian.org> to control@bugs.debian.org. (Mon, 07 Jan 2008 12:51:01 GMT) Full text and rfc822 format available.

Bug reopened, originator not changed. Request was from Damyan Ivanov <dmn@debian.org> to control@bugs.debian.org. (Mon, 07 Jan 2008 12:51:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#432753; Package firebird1.5. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org. Full text and rfc822 format available.

Message #73 received at 432753@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Damyan Ivanov <dam@modsoftsys.com>, 432753@bugs.debian.org, team@security.debian.org
Subject: Re: [pkg-firebird-general] Bug#432753: CVE-2006-7211 to 7214 : unfixed in firebird1.5
Date: Thu, 10 Jan 2008 22:30:36 +0100
Damyan Ivanov wrote:
> -=| Moritz Muehlenhoff, Thu, Dec 27, 2007 at 08:58:35PM +0100 |=-
> > Damyan Ivanov wrote:
> > > I guess removing firebird2 from stable/oldstable is not an option? :/
> > 
> > If upstream asserts the a backport would be very instrusive and hard to
> > fix, that is still the option of last resort. We at least would need to
> > send out a DSA that it is no longer supported and announce that it will
> > be removed from stable/oldstable. Can you provide a Etch backport of 2.x
> > on backports.org as an alternative?
> 
> Yes, I will.

Great, will this be done through backports.org? Once ready, please send me
a link and I'll send an advisory, which mentions the open vulnerabilities
and which refers to the backport as a solution.

>  Meanwhile, despite their "1.5 is dead" opinion from last
> August, Firebird project released version 1.5.5 in Deccember.
> 
> From release notes
>     This sub-release otherwise addresses some security vulnerabilities
>     reported by RISE Security[1] which were closed in Firebird 2.0.3.
>     Those fixes have been back-ported to Firebird 1.5.5
> 
>     [1] http://www.risesecurity.org/advisory/RISE-2007003/
> 
> The link says these are CVE-2007-5245 (bts #446475) and CVE-2007-5246
> (#446472). It is unclear to me if there are the same as CVE-2006-7214
> and CVE-2006-7212.
> 
> I still think that dropping firebird2 from stable is better than
> patching and watching it for another year (or more) especially with
> upstream's "it is not supported" from August 2007.

Since this only covers a small subset of all issues and given that
there are still several unfixed vulnerabilities present, we should
indeed go for the complete drop.
 
> > What's more important, what indication do we have that such a situation
> > won't re-occur?
> 
> Now we have 2.0 in sid/testing. Upstream plans for a 2.1 release "soon".
> There is a beta1 release and my expectations are for a full release
> before March. *If* this timeline is fullfilled, then firebird2.1 would
> get released with Lenny. Otherwise Lenny will stay with firebird2.0.
> 
> In any case, I think we're safe from the same situation because:
>   (from upstream's explaination)
>   * 2.1's lifespan is expected to be rather long (2009/2010), as the
>     next major step (3.0) will be again a revolution and its adoption is
>     expected to be slow. There will be a period when both 2.x and 3.0
>     will be supported.
>   * 2.1 is more of an evolutionary step from 2.0 so backporting fixes
>     should be possible.

Ok.
 
> With firebird1.5 removal from sid, I've closed the security bugs against
> it. Was that wrong? Should I reopen them as they are still present in
> stable?
> (firebird2 source (etch) was renamed to frebird1.5 (ex-sid/lenny))

No, that not needed. We don't use the BTS very much, it's all tracked
in http://security-tracker.debian.net/tracker/

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#432753; Package firebird1.5. Full text and rfc822 format available.

Acknowledgement sent to Martin Michlmayr <tbm@cyrius.com>:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org. Full text and rfc822 format available.

Message #78 received at 432753@bugs.debian.org (full text, mbox):

From: Martin Michlmayr <tbm@cyrius.com>
To: Stefan Fritsch <sf@sfritsch.de>, 432753@bugs.debian.org
Subject: Re: Bug#432753: CVE-2006-7211 to 7214 : unfixed in firebird1.5
Date: Fri, 20 Jun 2008 20:19:37 +0200
* Stefan Fritsch <sf@sfritsch.de> [2007-07-11 21:13]:
> Package: firebird1.5
> 
> These issues are reported to be fixed in 2.0, but I can't find any references in
> the changelogs that they are fixed in 1.5:

I cannot find firebird1.5 in Debian anymore.  Can this bug be closed?

-- 
Martin Michlmayr
http://www.cyrius.com/




Information forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#432753; Package firebird1.5. Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org. Full text and rfc822 format available.

Message #83 received at 432753@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: Martin Michlmayr <tbm@cyrius.com>
Cc: 432753@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#432753: CVE-2006-7211 to 7214 : unfixed in firebird1.5
Date: Fri, 20 Jun 2008 22:38:21 +0200
reassign 432753 firebird2-server-common
thanks

On Friday 20 June 2008, Martin Michlmayr wrote:
> > These issues are reported to be fixed in 2.0, but I can't find
> > any references in the changelogs that they are fixed in 1.5:
>
> I cannot find firebird1.5 in Debian anymore.  Can this bug be
> closed?

The firebird2 source package in etch is actually firebird 1.5. It's no 
longer in lenny or sid, though.




Bug reassigned from package `firebird1.5' to `firebird2-server-common'. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org. (Fri, 20 Jun 2008 20:39:07 GMT) Full text and rfc822 format available.

Reply sent to Damyan Ivanov <dmn@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #90 received at 432753-done@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <dmn@debian.org>
To: 432753-done@bugs.debian.org
Subject: Re: [pkg-firebird-general] Processed: Re: Bug#432753: CVE-2006-7211 to 7214 : unfixed in firebird1.5
Date: Sat, 21 Jun 2008 12:54:06 +0300
[Message part 1 (text/plain, inline)]
-=| Debian Bug Tracking System, Fri, Jun 20, 2008 at 08:39:07PM +0000 |=-
> > reassign 432753 firebird2-server-common
> Bug#432753: CVE-2006-7211 to 7214 : unfixed in firebird1.5
> Warning: Unknown package 'firebird1.5'
> Bug reassigned from package `firebird1.5' to `firebird2-server-common'.

The oficial security support for firebird2 (version 1.5) was ceased 
with DSA-1529[1]. Closing the bug.

    [1] http://www.debian.org/security/2008/dsa-1529

-- 
dam            JabberID: dam@jabber.minus273.org
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 20 Jul 2008 07:28:26 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 18:58:41 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.