
[SECURITY] [DLA 2824-1] firebird3.0 security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-2824-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
November 20, 2021                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : firebird3.0
Version        : 3.0.1.32609.ds4-14+deb9u1
CVE ID         : CVE-2017-11509

An authenticated remote attacker can execute arbitrary code in
Firebird, a relational database based on InterBase 6.0, by executing a
malformed SQL statement. The only known solution is to prevent
external UDF libraries from being loaded. To achieve this,
the default configuration has been changed to UdfAccess=None. This will
prevent the fbudf module from being loaded, but may also break other
functionality relying on modules.

For Debian 9 stretch, this problem has been fixed in version
3.0.1.32609.ds4-14+deb9u1.

We recommend that you upgrade your firebird3.0 packages.

For the detailed security status of firebird3.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firebird3.0

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
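
The following is an added example, not part of the advisory or of the Debian package: a shell check that reports whether a firebird.conf still overrides the UdfAccess=None mitigation described above. The function names, the path in the usage comment, and the case-insensitive matching of the key and of the value "None" are assumptions.

```shell
#!/bin/sh
# Added example: audit a firebird.conf for the UdfAccess mitigation.
# Usage (path is an assumption for Debian's firebird3.0 layout):
#   sh check_udfaccess.sh /etc/firebird/3.0/firebird.conf

# Print the value of every active (uncommented) UdfAccess line, one per line.
# Trailing "# comment" text and surrounding whitespace are stripped.
udf_access_values() {
    sed -n 's/^[[:space:]]*[Uu][Dd][Ff][Aa][Cc][Cc][Ee][Ss][Ss][[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# Exit status: 0 = every active setting is None (UDF loading disabled),
#              1 = at least one active setting allows UDF loading,
#              2 = no active setting in this file,
#              3 = file not readable.
audit_udf_access() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 3; }
    values=$(udf_access_values "$conf")
    if [ -z "$values" ]; then
        # The compiled-in default applies; this script cannot determine it.
        echo "UNSET: no active UdfAccess line in $conf"
        return 2
    fi
    status=0
    # Flag every non-None value rather than guessing which duplicate wins.
    while IFS= read -r v; do
        case $(printf '%s' "$v" | tr '[:upper:]' '[:lower:]') in
            none) echo "OK: UdfAccess = $v" ;;
            *)    echo "RISK: UdfAccess = $v (external UDF libraries can be loaded)"
                  status=1 ;;
        esac
    done <<EOF
$values
EOF
    return $status
}

# Run the audit only when a file is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_udf_access "$1"
fi
```

A locally edited firebird.conf can keep an older UdfAccess line after the package upgrade, so a RISK or UNSET result is worth reviewing by hand.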