| Summary: | dev-db/firebird: malformed network packet can cause denial of service (CVE-2014-9323) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | ||
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1172445 | ||
| Whiteboard: | ~3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
+*firebird-2.5.3.26780.0 (11 Dec 2014) + + 11 Dec 2014; Pacho Ramos <pacho@gentoo.org> +firebird-2.5.3.26780.0.ebuild, + -files/70firebird, -files/firebird-2.5.0.26074.0-Makefile.in.static.createdb, + -files/firebird-update-valgrind.patch, -files/firebird.conf.d, + -files/firebird.conf.d.2, -files/firebird.init.d, -files/firebird.xinetd.2, + -files/xinetd.2, -firebird-2.5.2.26540.0.ebuild: + Fix security bug 532124 + All should be done with this CVE-2014-9323 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9323): The xdr_status_vector function in Firebird before 2.1.7 and 2.5.x before 2.5.3 SU1 allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and crash) via an op_response action with a non-empty status. Closing as noglsa per our policy |
From ${URL} : It was found that an unauthenticated remote attacker could send a malformed network packet to a firebird server, which would cause the server to crash. http://www.firebirdsql.org/en/news/security-updates-for-v2-1-and-v2-5-series-66011/ http://tracker.firebirdsql.org/browse/CORE-4630 http://sourceforge.net/p/firebird/code/60331/ @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.