*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: firebird2.0-super

See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481389 and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1880

The init.d script exports ISC_PASSWORD into the environment before starting fbguard. fbguard itself spawns the fbserver process without cleaning the environment. fbserver uses ISC_PASSWORD from the environment when a remote connection does not supply a password. This makes it possible to connect remotely as the SYSDBA user without giving a password.

That last part is already fixed in upstream CVS HEAD, but backporting the change is reported to be non-trivial.

All versions are affected.

** Affects: firebird2.0 (Ubuntu)
   Importance: Undecided
   Status: New

** Affects: firebird2.0 (Debian)
   Importance: Unknown
   Status: Unknown

** Visibility changed to: Public

** Bug watch added: Debian Bug tracker #481389
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481389

** Also affects: firebird2.0 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481389
   Importance: Unknown
   Status: Unknown

--
allows passwordless SYSDBA login
https://bugs.launchpad.net/bugs/232420
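
The environment inheritance described in the report can be audited on a running host. The script below is an added example, not part of the original report or of the Firebird or Debian packaging; it assumes a Linux-style /proc, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report): find Firebird daemons that
# inherited ISC_PASSWORD, and show that scrubbing it at launch works.

# environ_has_var FILE NAME
# FILE uses the /proc/<pid>/environ layout (NUL-separated NAME=value).
# Returns 0 if NAME is set. The value itself is never printed.
environ_has_var() {
    tr '\0' '\n' 2>/dev/null < "$1" | grep -q "^$2="
}

# audit_procs PROCROOT
# Prints "<pid> <comm>" for each fbguard/fbserver process whose environment
# holds ISC_PASSWORD. PROCROOT is normally /proc; run as root to see all.
audit_procs() {
    for dir in "$1"/[0-9]*; do
        [ -r "$dir/comm" ] && [ -r "$dir/environ" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        case $comm in
            fbguard|fbserver) ;;
            *) continue ;;
        esac
        if environ_has_var "$dir/environ" ISC_PASSWORD; then
            printf '%s %s\n' "${dir##*/}" "$comm"
        fi
    done
    return 0
}

# child_inherits NAME [LAUNCHER...]
# Starts a child through the optional LAUNCHER prefix and returns 0 if the
# child can see NAME in its environment.
child_inherits() {
    name=$1
    shift
    "$@" sh -c 'env' | grep -q "^$name="
}

# Assumption: a Linux-style /proc. Nothing is printed on an unaffected host.
if [ -d /proc ]; then
    audit_procs /proc
fi
```

`child_inherits ISC_PASSWORD env -u ISC_PASSWORD` returns non-zero even when the calling shell has exported the variable, which is the behaviour an init script gets by prefixing the daemon launch with `env -u ISC_PASSWORD` (an illustration, not the fix adopted by Debian or upstream).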