firebird2.0 security bug is now fixed in debian/gentoo

There is an grave security bug in firebird package 2.0 from debian and ubuntu
where an user can connect to the server with SYSDBA and NO password

The bug is now fixed in debian sid (unstable)

http://packages.debian.org/sid/firebird2.0-super
and here is the changelog

firebird2.0-super.init: stop exporting ISC_USER and ISC_PASSWORD.
Fixes a hole causing remote connections as user SYSDBA to succeed
without giving a password.
Closes: #481389 and CVE-2008-1880

Here is the commit diff http://git.debian.org/?p=pkg-firebird/2.0.git;a=commit;h=db15b5744dd70864062bea0cefc15dfc74c33b66

An quick fix if you have an firebird2.0 debian/ubuntu package is to delete these lines in the /etc/init.d/firebird2.0-super

ISC_USER=sysdba
ISC_PASSWORD=masterkey
[ -r “$DBAPasswordFile” ] && . “$DBAPasswordFile”
export ISC_USER
export ISC_PASSWORD

Or get the git version of the package and copy the init script

$git-clone git://git.debian.org/git/pkg-firebird/2.0
$sudo cp 2.0/debian/firebird2.0-super.init /etc/init.d/firebird2.0-super
$/etc/init.d/firebird2.0-super restart

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

Leave a Reply