Debian bug fixed : CVE-2017-6369: authenticated remote execution in firebird 2.5 before version 3.0.2

Leave a comment

We believe that the bug you reported is fixed in the latest version of
firebird3.0, which is due to be installed in the Debian FTP archive.

 * Apply commit 56e9a73c168 from upstream B3_0_Release branch
    fixing authenticated remote execution vulnerability (CVE-2017-6369,
    CORE-5474)
    Closes: #858644

Forwarded: http://tracker.firebirdsql.org/browse/CORE-5474

Authenticated Firebird users are allowed to declare UDFs (user-defined
functions). The default config allows using all entry points from the standard
UDF library, which is dynamically linked with libc, with its symbols
re-exported, including system().

Relevant upstream commits for 3.0:
https://github.com/FirebirdSQL/firebird/commit/8b2a9cb44bf6055e15f016d70a6842b8ada60375

tagged with ,
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

Leave a Reply