News via oss-sec and [pkg-firebird-general] mailing list
A denial of service flaw was found in the way the TraceManager of Firebird performed preparation of an empty dynamic SQL query. When trace mode was enabled, a remote, authenticated database user could use this flaw to cause the Firebird server to crash with a NULL pointer dereference.
References:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693210
Relevant upstream patch: 
New release implemented support for Firebird (contributed by Bernardo and Miroslav)
Please test it only on your own servers to discover injection flaws.
Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
Great PPT from Alex Peshkoff (Firebird Core developer) regarding Firebird Security is published: http://bit.ly/3ITICI
via ibsurgeon’s tweet
Someone is using Firebird 2.1.3 inside a chroot cage; there were some issues, but in the end he solved them.
I’m trying to build a database in a chrooted MontaVista environment. My host OS is Fedora Linux 10. I chroot into the MV installation and try to build the database
I have updated my repository with the security patches (it’s the same source package from karmic/debian that includes the security fixes); I still have to finish creating the dapper ones (need to create a KVM machine for it).
I also deleted the old Feisty and Gutsy packages from the repository (EOL releases; you must upgrade to the supported ones).
About a month ago there was a question in the Firebird (CZ) group about how to find out whether a user is able to use a particular role, or how to get all roles for a user.
As you probably know, a lot of stuff (almost everything) is in the system catalog (system tables). The only problem is to figure out the right set of parameters to use. To get all roles with the users able to use them, you can use …
There’s an article on the Firebird Documentation web-page about Firebird File and Metadata Security. Since this is an interesting topic to our customers, I took the time to translate it to German.
The article describes the fundamental problems in securing network connections. One of the biggest problems is key management. Since the Firebird server is usually controlled by and installed at the client’s site, you don’t have any control over it. So, theoretically, someone could always build his own Firebird server to spy on the password. But that’s only one of the problems discussed.
Many thanks to Geoff Worboys, the author of the original article, and Paul Vinkenoog for publishing it on the official web-site.
The other day there was another security issue (this sort of thing happens to the best of them) in Interbase that was already fixed in Firebird in January.
More rants on this page http://pooteeweet.org/blog/0/1118
Stack-based buffer overflow in Firebird before 2.0.4, and 2.1.x before 2.1.0 RC1, might allow remote attackers to execute arbitrary code via a long username.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0467