Bug 26288

Summary: firebird new security issue CVE-2017-11509
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Philippe Makowski <makowski.mageia>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: guillomovitch
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7TOO
Source RPM: firebird-3.0.5.33220-2.mga8.src.rpm
CVE:
Status comment: UDFs need to be disabled by default to mitigate

Description David Walser 2020-03-02 21:16:18 CET
Debian-LTS has issued an advisory on February 29:
https://www.debian.org/lts/security/2020/dla-2129

They mitigated it by disabling UDFs in the default configuration, as there is no actual fix. Our advisory will need to tell people to fix it in their own configs.

Mageia 7 is also affected.
David Walser 2020-03-02 21:16:49 CET

Status comment: (none) => UDFs need to be disabled by default to mitigate
Whiteboard: (none) => MGA7TOO
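
The mitigation the report refers to is a firebird.conf setting. The script below is an added example (not part of this bug report, the Debian advisory, or the Firebird project) that reads a Firebird 3.x firebird.conf and reports whether UDF loading is disabled, so an administrator following the advisory can verify their own config. The parameter name UdfAccess and its built-in default "Restrict UDF" are taken from the Firebird 3 documentation; the sample config files are constructed inline for the demo and their paths are not Mageia's packaging paths.

```shell
#!/bin/sh
# Added example (not from the bug report or the Firebird project): check whether a
# Firebird 3.x firebird.conf disables UDF loading, which is the mitigation the
# Debian LTS advisory applied. The parameter name UdfAccess and its default
# ("Restrict UDF") come from Firebird 3 documentation; the file paths below are
# constructed for this demo, not Mageia's packaging paths.

# Print the effective UdfAccess value from a firebird.conf: the last
# uncommented assignment wins; if none is present, Firebird 3 falls back to its
# built-in default "Restrict UDF" (commented-out lines do not count).
udf_access_value() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*UdfAccess[[:space:]]*=[[:space:]]*//p' "$conf" \
          | tail -n 1 | sed 's/[[:space:]]*$//')
    if [ -z "$val" ]; then
        printf '%s\n' 'Restrict UDF'
    else
        printf '%s\n' "$val"
    fi
}

# Return 0 when UDFs are disabled (UdfAccess = None), 1 otherwise.
udf_disabled() {
    [ "$(udf_access_value "$1")" = "None" ]
}

# Constructed sample configs: the stock excerpt (setting commented out, so the
# default applies) and a mitigated one with UDFs turned off.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/stock.conf" <<'EOF'
# Stock firebird.conf excerpt: the setting is commented out, so the
# built-in default "Restrict UDF" applies and UDF libraries remain loadable.
#UdfAccess = Restrict UDF
EOF
    cat > "$dir/mitigated.conf" <<'EOF'
# Mitigated: UDF loading is disabled entirely.
UdfAccess = None
EOF
    printf '%s\n' "$dir"
}

SAMPLES=$(write_samples)
for f in "$SAMPLES/stock.conf" "$SAMPLES/mitigated.conf"; do
    if udf_disabled "$f"; then
        printf '%s: UdfAccess=%s (mitigated)\n' "$f" "$(udf_access_value "$f")"
    else
        printf '%s: UdfAccess=%s (UDFs still loadable; set UdfAccess = None)\n' \
            "$f" "$(udf_access_value "$f")"
    fi
done
```

Run it as is to see both outcomes, or call `udf_disabled /path/to/firebird.conf` from a deployment check; the exit status makes it usable as a gate in a config audit.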

Comment 1 Lewis Smith 2020-03-03 18:56:30 CET
Assigning to Philippe as registered & active maintainer; CC Guillaume as a recent maintainer.

CC: (none) => guillomovitch
Assignee: bugsquad => makowski.mageia

Comment 2 Philippe Makowski 2020-11-14 10:38:50 CET
CVE:
https://nvd.nist.gov/vuln/detail/CVE-2017-6369

Upstream tracker:
http://tracker.firebirdsql.org/browse/CORE-5474
Upstream commit:
https://github.com/FirebirdSQL/firebird/commit/56e9a73c16803c3544076edb2d6c4ca25815e541

I think that Firebird 3.0.4 (mga7) and Firebird 3.0.7 (cauldron) are not affected.

See also:
https://www.securityfocus.com/bid/97070

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 3 David Walser 2020-11-14 15:53:17 CET
Agreed.

Resolution: FIXED => INVALID

Comment 4 Philippe Makowski 2021-11-23 14:22:04 CET
*** Bug 29678 has been marked as a duplicate of this bug. ***