Hi Damyan

On Sun, Mar 10, 2013 at 11:17:35AM +0200, Damyan Ivanov wrote:
> -=| Moritz Muehlenhoff, 04.03.2013 18:59:53 +0100 |=-
> > On Sun, Jan 20, 2013 at 11:40:54PM +0900, Hideki Yamane wrote:
> > > On Wed, 14 Nov 2012 23:14:51 +0200
> > > Damyan Ivanov <d...@debian.org> wrote:
> > >
> > > > > Forwarded: http://tracker.firebirdsql.org/browse/CORE-3884
> > > > >
> > > > > With trace enabled, preparing an empty query crashes the server on
> > > > > line 91 of /src/jrd/trace/TraceDSQLHelpers.h, since the
> > > > > dereferenced m_request variable is NULL.
> > > > >
> > > > > Tagged as 'security' since this is a remote crash, although it
> > > > > requires a valid user/pass.
> > > >
> > > > This issue has been assigned CVE-2012-5529.
> > >
> > > Probably you know, it was fixed in upstream svn and they released 2.5.2.
> > > I've attached a patch (builds fine with pbuilder), please check and
> > > apply it.
> >
> > Firebird maintainers,
> > can you please fix this for Wheezy?
>
> Hm, what about squeeze, which is also affected? Attached is a (source)
> debdiff against the version in squeeze. Should it go via
> stable-security or stable-updates?

I checked the security-tracker about this[1]. It is marked 'no-dsa' for
Squeeze, so I assume this should go through a stable-proposed-updates
upload.

 [1]: https://security-tracker.debian.org/CVE-2012-5529

Thanks for your work on the update!

Salvatore