Your message dated Tue, 20 May 2008 19:47:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#481408: fixed in firebird2.1 2.1.0.17798-0.ds1-3
has caused the Debian Bug report #481408,
regarding Debian package allows passwordless SYSDBA remote connections
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.)

--
481408: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481408
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: firebird2.0-super
Version: 2.0.3.12981.ds1-13
Severity: grave
Tags: security

The only reason for this to not be of critical severity is that database services are typically firewalled.

This is CVE-2008-1880[1]

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1880

The init.d script used by Debian packages exports ISC_PASSWORD into the environment before starting fbguard. fbguard itself spawns the fbserver process without cleaning the environment. fbserver uses ISC_PASSWORD from the environment when a remote connection does not supply a password. This makes it possible to connect remotely as the SYSDBA user without giving a password.

That last part is already fixed in upstream CVS HEAD, but backporting the change is reported to be non-trivial.

So the way to close the hole is to stop exporting ISC_PASSWORD in the init.d script. That variable is used only for stopping the server and there is another way to achieve this -- via start-stop-daemon and a PID file. I am working on the implementation.

--
dam
--- End Message ---
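
The inheritance chain described in the report, as an added example that is not part of the original message or of the Debian package: it contrasts the exporting init pattern with the fixed one and gives an audit check for credentials left in a daemon's environment. The function names and the secret value are constructed, the nested `sh -c` stands in for fbguard spawning fbserver, and `audit_running` assumes Linux `/proc` and `pgrep`.

```shell
#!/bin/sh
# Added example; the helper names and the secret value are constructed.

# Return 0 if the NUL-separated environment dump in $1 (the format of
# /proc/<pid>/environ on Linux) carries ISC_USER or ISC_PASSWORD.
environ_leaks_isc() {
    tr '\0' '\n' < "$1" | grep -Eq '^ISC_(USER|PASSWORD)='
}

# Old init script pattern from the report: export the credentials, then
# start a supervisor that spawns the server without cleaning the
# environment. Nested "sh -c" stands in for fbguard -> fbserver; the
# innermost process writes its own environment to $1.
spawn_like_old_init() {
    (
        ISC_USER=SYSDBA
        ISC_PASSWORD=constructed-secret
        export ISC_USER ISC_PASSWORD
        sh -c 'sh -c env' | tr '\n' '\0' > "$1"
    )
}

# Fixed pattern: nothing is exported (and anything inherited is dropped)
# before the supervisor starts, so the server has no fallback password.
spawn_like_fixed_init() {
    (
        unset ISC_USER ISC_PASSWORD
        sh -c 'sh -c env' | tr '\n' '\0' > "$1"
    )
}

# Audit live processes by name (Linux /proc, run as root), e.g.
#   audit_running fbguard; audit_running fbserver
# Prints each PID whose environment still holds the credentials and
# returns 1 if any was found.
audit_running() {
    rc=0
    for pid in $(pgrep -x "$1"); do
        if environ_leaks_isc "/proc/$pid/environ"; then
            echo "pid $pid ($1): ISC_USER/ISC_PASSWORD present in environment"
            rc=1
        fi
    done
    return $rc
}
```

After upgrading, the daemons must be restarted before `audit_running` reports clean, because a running process keeps the environment it was started with.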
--- Begin Message ---
Source: firebird2.1
Source-Version: 2.1.0.17798-0.ds1-3

We believe that the bug you reported is fixed in the latest version of firebird2.1, which is due to be installed in the Debian FTP archive:

firebird2.1-classic_2.1.0.17798-0.ds1-3_i386.deb
  to pool/main/f/firebird2.1/firebird2.1-classic_2.1.0.17798-0.ds1-3_i386.deb
firebird2.1-common_2.1.0.17798-0.ds1-3_i386.deb
  to pool/main/f/firebird2.1/firebird2.1-common_2.1.0.17798-0.ds1-3_i386.deb
firebird2.1-dev_2.1.0.17798-0.ds1-3_all.deb
  to pool/main/f/firebird2.1/firebird2.1-dev_2.1.0.17798-0.ds1-3_all.deb
firebird2.1-doc_2.1.0.17798-0.ds1-3_all.deb
  to pool/main/f/firebird2.1/firebird2.1-doc_2.1.0.17798-0.ds1-3_all.deb
firebird2.1-examples_2.1.0.17798-0.ds1-3_all.deb
  to pool/main/f/firebird2.1/firebird2.1-examples_2.1.0.17798-0.ds1-3_all.deb
firebird2.1-server-common_2.1.0.17798-0.ds1-3_i386.deb
  to pool/main/f/firebird2.1/firebird2.1-server-common_2.1.0.17798-0.ds1-3_i386.deb
firebird2.1-super_2.1.0.17798-0.ds1-3_i386.deb
  to pool/main/f/firebird2.1/firebird2.1-super_2.1.0.17798-0.ds1-3_i386.deb
firebird2.1_2.1.0.17798-0.ds1-3.diff.gz
  to pool/main/f/firebird2.1/firebird2.1_2.1.0.17798-0.ds1-3.diff.gz
firebird2.1_2.1.0.17798-0.ds1-3.dsc
  to pool/main/f/firebird2.1/firebird2.1_2.1.0.17798-0.ds1-3.dsc
libfbclient2_2.1.0.17798-0.ds1-3_i386.deb
  to pool/main/f/firebird2.1/libfbclient2_2.1.0.17798-0.ds1-3_i386.deb
libfbembed2.1_2.1.0.17798-0.ds1-3_i386.deb
  to pool/main/f/firebird2.1/libfbembed2.1_2.1.0.17798-0.ds1-3_i386.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov <[EMAIL PROTECTED]> (supplier of updated firebird2.1 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.8
Date: Tue, 20 May 2008 21:49:33 +0300
Source: firebird2.1
Binary: firebird2.1-super firebird2.1-classic libfbclient2 libfbembed2.1 firebird2.1-common firebird2.1-server-common firebird2.1-dev firebird2.1-examples firebird2.1-doc
Architecture: source all i386
Version: 2.1.0.17798-0.ds1-3
Distribution: experimental
Urgency: low
Maintainer: Debian Firebird Group <[EMAIL PROTECTED]>
Changed-By: Damyan Ivanov <[EMAIL PROTECTED]>
Description:
 firebird2.1-classic - Firebird Classic Server - an RDBMS based on InterBase 6.0 code
 firebird2.1-common - common files for firebird 2.1 servers and clients
 firebird2.1-dev - Development files for Firebird - an RDBMS based on InterBase 6.0
 firebird2.1-doc - Documentation files for firebird database version 2.1
 firebird2.1-examples - Examples for Firebird - an RDBMS based on InterBase 6.0 code
 firebird2.1-server-common - common files for firebird 2.1 servers
 firebird2.1-super - Firebird Super Server - an RDBMS based on InterBase 6.0 code
 libfbclient2 - Firebird client library
 libfbembed2.1 - Firebird embedded client/server library
Closes: 481408 481467
Changes:
 firebird2.1 (2.1.0.17798-0.ds1-3) experimental; urgency=low
 .
   * firebird2.1-super.init: stop exporting ISC_USER and ISC_PASSWORD.
     Closes: #481408
   * fix fix-mipseb-detect.patch; s/MIPS/MIPSEB/ in pag.cpp CLASS definition
     too; Closes: #481467 -- FTBFS on mips
   * refresh all patches using --no-timestamps --no-index -p ab
--- End Message ---

