| Summary: | dev-db/firebird < 2.0.2 Multiple Vulnerabilities (CVE-2007-{466[456789],5246}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Matt Fleming (RETIRED) <mjf> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | drizzt, max.dittrich, wltjr |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://secunia.com/advisories/26615/ | ||
| Whiteboard: | B3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Matt Fleming (RETIRED)
2007-08-31 00:18:15 UTC
Cc'ing maintainers and setting whiteboard status. Wasn't even aware of release. I will see about bumping asap. I was in the process of moving to opt. Guess I will pause on that for now. Ok, I have bumped the ebuild and it compiled and seems to be good to go. If others can test, and if no problems we can look to rush stabilize. arches, please stabilise dev-db/firebird-2.0.2.12964.0 x86 stable *** Bug 192274 has been marked as a duplicate of this bug. *** Firebird 2.0.2 is Recalled The Firebird 2.0.2 release has been recalled due to a significant regression that has shown up (Tracker Issue CORE-1434). Our sincere apologies for the inconvenience. A release candidate for v.2.0.3 will follow shortly. http://tracker.firebirdsql.org/browse/CORE-1434 (2.0.3_rc1 is out, BTW). (In reply to comment #7) > Firebird 2.0.2 is Recalled Yeah not sure what's going on with apps I love and have never had issues with. ASSP and Firebird :( > (2.0.3_rc1 is out, BTW). Not really. It's a pre-release, and I can't download sources. :( http://www.firebirdsql.org/index.php?op=files&id=fb203_rc1 404 (In reply to comment #8) > Not really. It's a pre-release, and I can't download sources. :( > > http://www.firebirdsql.org/index.php?op=files&id=fb203_rc1 Works fine here. (In reply to comment #9) > > Works fine here. So you can download sources? http://www.firebirdsql.org/download/prerelease/Firebird-2.0.3.12981-0.tar.bz2 404 (In reply to comment #10) > So you can download sources? > http://www.firebirdsql.org/download/prerelease/Firebird-2.0.3.12981-0.tar.bz2 > 404 The link is wrong, but this works: http://www.firebirdsql.org/download/prerelease/source/Firebird-2.0.3.12981-0.tar.bz2 ok, thanks, a URL is what I needed for ebuild :) Ok pre-release committed to tree. I didn't tag it as such atm. Should be moot since if upstream does another 2.0.3 release, the build number will have gone up :) Thanks William. Arches, please test and stabilize dev-db/firebird-2.0.3.12981.0. Target keywords: "amd64 x86" x86 stable amd64 stable If severity level stays that way, glsa voting is now open. In case of a GLSA, there's also CVE-2007-4669 not covered by the Secunia advisory. You might want to review it, too. I tend to vote NO. I tend to vote NO too, though the 4th "unspecified issue" with the MAX_PATH_LEN might imply code execution :/ I usually vote noglsa for unspecified vulnerabilities with unknown impact. Plus, the DoS vulnerabilities by opening several connections or sending large packets could happen all the time. Perhaps, there is CVE-2007-4669, but i don't know if the logfile would provide much sensible information. I vote no, and closing. Feel free to reopen if you disagree. Just as further info, unless a user is doing something abnormal with logging sensitive stuff to the log file. Having access to it's contents is quite moot IMHO. It hardly reveals much if anything. Other than maybe if someone were beating on a db server trying to take it down. While viewing logs at the same time to see any signs of distress. |