openSUSE has issued an advisory today (February 19): https://lists.opensuse.org/opensuse-updates/2017-02/msg00093.html

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated firebird packages fix security vulnerability:

A serious security problem existed with the access to undesired external modules, even if 'Restrict' configuration mode was specified for UdfAccess (CORE-5474).

References:
https://sourceforge.net/p/firebird/mailman/message/35666077/
http://tracker.firebirdsql.org/browse/CORE-5474
https://lists.opensuse.org/opensuse-updates/2017-02/msg00093.html
========================

Updated packages in core/updates_testing:
========================
firebird-2.5.3.26778-4.1.mga5
firebird-classic-2.5.3.26778-4.1.mga5
firebird-superclassic-2.5.3.26778-4.1.mga5
firebird-superserver-2.5.3.26778-4.1.mga5
firebird-devel-2.5.3.26778-4.1.mga5
firebird-utils-classic-2.5.3.26778-4.1.mga5
firebird-utils-superserver-2.5.3.26778-4.1.mga5
firebird-utils-common-2.5.3.26778-4.1.mga5
libfbclient2-2.5.3.26778-4.1.mga5
libfbembed2-2.5.3.26778-4.1.mga5
firebird-server-classic-2.5.3.26778-4.1.mga5
firebird-server-superserver-2.5.3.26778-4.1.mga5
firebird-server-common-2.5.3.26778-4.1.mga5

from firebird-2.5.3.26778-4.1.mga5.src.rpm
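A small added check, not part of this bug report or of the Mageia packaging, that a sysadmin can run over `rpm -qa` output to spot Firebird packages still below the advisory's 4.1.mga5 release. It assumes a simplified rpm label comparison (tilde and caret handling left out) and uses a constructed sample of package names taken from the versions quoted in this thread.

```python
import re

# Patched package levels from the advisory above (release 4.1.mga5).
ADVISORY_PACKAGES = {
    "firebird-classic": "2.5.3.26778-4.1.mga5",
    "firebird-server-classic": "2.5.3.26778-4.1.mga5",
    "firebird-server-common": "2.5.3.26778-4.1.mga5",
    "firebird-utils-classic": "2.5.3.26778-4.1.mga5",
    "firebird-utils-common": "2.5.3.26778-4.1.mga5",
    "libfbclient2": "2.5.3.26778-4.1.mga5",
}

# Constructed sample of `rpm -qa 'firebird*' 'libfb*'` output from a host
# that still carries the pre-update (-4.mga5) server packages.
SAMPLE_RPM_QA = """\
firebird-server-common-2.5.3.26778-4.mga5
firebird-server-classic-2.5.3.26778-4.mga5
firebird-classic-2.5.3.26778-4.mga5
firebird-utils-common-2.5.3.26778-4.1.mga5
libfbclient2-2.5.3.26778-4.1.mga5
"""

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpm label compare: numeric segments as integers, alpha
    segments lexically, numeric beats alpha (so 4.1.mga5 > 4.mga5)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(a, b):
    """Compare two 'version-release' strings, version first, then release."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def outdated_packages(rpm_qa_output, required=ADVISORY_PACKAGES):
    """Return (name, version-release) pairs installed below the advisory level."""
    stale = []
    for line in rpm_qa_output.split():
        name, version, release = line.rsplit("-", 2)   # name-version-release
        vr = version + "-" + release
        if name in required and vr_cmp(vr, required[name]) < 0:
            stale.append((name, vr))
    return stale

if __name__ == "__main__":
    for name, vr in outdated_packages(SAMPLE_RPM_QA):
        print(f"needs update: {name}-{vr} (advisory: {ADVISORY_PACKAGES[name]})")
```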
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
URL: (none) => https://lwn.net/Vulnerabilities/715043/
MGA5-32 on Asus A6000VM Xfce

All packages do not install as one cannot install firebird-classic AND the "super" versions together.

Used bug 8046 as test procedure as root:

# systemctl start firebird-classic.socket
# systemctl -l status firebird-classic.socket
● firebird-classic.socket - Firebird Classic Activation Socket
   Loaded: loaded (/usr/lib/systemd/system/firebird-classic.socket; disabled)
   Active: active (listening) since di 2017-02-21 14:56:47 CET; 20s ago
   Listen: [::]:3050 (Stream)
 Accepted: 0; Connected: 0

As normal user:

$ isql-fb localhost:employee -user SYSDBA -password masterkey
Database: localhost:employee, User: SYSDBA
SQL> create table t (col1 int, col2 int, col3 int);
SQL> insert into t values (100, 200, 300);
SQL> insert into t values (101, 201, 301);
SQL> insert into t values (102, 202, 302);
SQL> commit;
SQL> select * from t;

        COL1         COL2         COL3
============ ============ ============
         100          200          300
         101          201          301
         102          202          302

SQL> select col2, col3 from t as t1 where exists (select * from t as t2 order by t1.col2 );

        COL2         COL3
============ ============
         200          300
         201          301
         202          302

SQL> alter table t drop col1;
SQL> select col2, col3 from t as t1 where exists (select * from t as t2 order by t1.col2 );

        COL2         COL3
============ ============
         200          300
         201          301
         202          302

SQL> commit;
SQL> select col2, col3 from t as t1 where exists (select * from t as t2 order by t1.col2 );

        COL2         COL3
============ ============
         200          300
         201          301
         202          302

SQL> drop table t;
Statement failed, SQLSTATE = 42000
unsuccessful metadata update
-object TABLE "T" is in use
SQL> commit;
SQL> drop table t;
SQL> exit;
CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK
Testing M5_64

BEFORE the update

Installed from issued repositories:
firebird-server-common-2.5.3.26778-4.mga5
firebird-server-classic-2.5.3.26778-4.mga5
firebird-classic-2.5.3.26778-4.mga5
firebird-utils-common-2.5.3.26778-4.mga5
firebird-utils-classic-2.5.3.26778-4.mga5

Ran the tests as indicated by Herman above from https://bugs.mageia.org/show_bug.cgi?id=8046#c0
[but where did you find out about socket rather than service - which does not exist?]

# systemctl start firebird-classic.socket
# systemctl status firebird-classic.socket
● firebird-classic.socket - Firebird Classic Activation Socket
   Loaded: loaded (/usr/lib/systemd/system/firebird-classic.socket; disabled)
   Active: active (listening) since Sul 2017-02-26 20:50:57 CET; 32s ago
   Listen: [::]:3050 (Stream)
 Accepted: 0; Connected: 0

$ isql-fb localhost:employee -user SYSDBA -password masterkey
Database: localhost:employee, User: SYSDBA
SQL> create table t (col1 int, col2 int, col3 int);
SQL> insert into t values (100, 200, 300);
SQL> insert into t values (101, 201, 301);
SQL> insert into t values (102, 202, 302);
SQL> commit;
SQL> select * from t;
...
SQL> select col2, col3 from t as t1 where exists (select * from t as t2 order by t1.col2 );
...
SQL> alter table t drop col1;
SQL> commit;
SQL> select col2, col3 from t as t1 where exists (select * from t as t2 order by t1.col2 );
...
SQL> commit;
SQL> drop table t;
SQL> commit;
SQL> exit;

... = same output as shown in Comment 1.

# systemctl stop firebird-classic.socket

AFTER the update (accepted to use the rpmnew file):
firebird-utils-classic-2.5.3.26778-4.1.mga5
firebird-utils-common-2.5.3.26778-4.1.mga5
firebird-server-classic-2.5.3.26778-4.1.mga5
firebird-server-common-2.5.3.26778-4.1.mga5
firebird-classic-2.5.3.26778-4.1.mga5

The entire root & user commands and output the same as previously.

Update OK. Validating, advisory already in place.
Keywords: (none) => validated_update
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0068.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
@Lewis I don't remember and apparently did not make a note of it. Probably some other update bug for firebird.
According to Debian, this is CVE-2017-6369: https://www.debian.org/security/2017/dsa-3824
Summary: firebird new security issue CORE-5474 => firebird new security issue CORE-5474 (CVE-2017-6369)