We are working with Inprise/Borland/Interbase on fixes for all
platforms that ship with InterBase.
I expect we will release these fixes soon.
Best Regards,
/Gordon Garb
>I don't think it's out, yet Borland released a patch for every single
>platform other than Cobalt 'cause I guess not many people are using IB on
>the Cobalt. The same applies to the APOP current problem. I think they need
>to start improving the response time for such issues 'cause new technologies
>are introduced every day and as a Cobalt owner/developer there should be a
>quick turnover for these technologies to be added for us to use. From this
>point of view, I guess the Cobalt is doing great since the Raq 4 has PHP,
>ASP, and a variety of choices that can be activated in an easy way. I won't
>even be surprised if the next Cobalt had a ready to use JVM for Servlets,
>Beans, and others. The weakness I guess in my thinking is found in how to
>provide continuous updates and stuff like that in a timely manner for the
>Cobalt Community. I'm not attacking Cobalt or have anything against them,
>and we like the product and use it, however if we can't keep the machine
>up-to-date within a reasonable timeframe then what's the idea of using the
>product as opposed to using a Linux Machine. Information regarding
>installing, updating the Linux is spread everywhere but for the Cobalt we
>depend on Cobalt Staff so our business depends on how fast the Support Team
>can provide us with instructions for doing an update, install, etc...
>
>I don't have much experience with the rpm and pkg files, yet I know that the
>Cobalt supports rpm thus if a pkg file takes time, then why not post an
>rpm that would install to the right directories. This way at least you give
>an option for us to look up information on rpms and do the install without
>any problems...
>
>
>Kal
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Peter Ball
>Sent: Friday, January 26, 2001 6:36 PM
>To: [EMAIL PROTECTED]
>Subject: RE: [cobalt-developers] Interbase Warning
>
>
>Hi Tim, or anyone from Cobalt,
>
>Any idea when the bug fix for this will be released by Cobalt? Or has it
>been released and I missed it?
>
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Jon
>Rosenberg
>Sent: Thursday, 11 January 2001 8:33 AM
>To: [EMAIL PROTECTED]
>Subject: [cobalt-developers] Interbase Warning
>
>
>For those of you using Interbase:
>
>CERT Advisory CA-2001-01 Interbase Server Contains Compiled-in Back Door
>Account
>
> Original release date: January 10, 2001
> Last revised: --
> Source: CERT/CC
>
> A complete revision history is at the end of this file.
>
>Systems Affected
>
> * Borland/Inprise Interbase 4.x and 5.x
> * Open source Interbase 6.0 and 6.01
> * Open source Firebird 0.9-3 and earlier
>
>Overview
>
> Interbase is an open source database package that had previously been
> distributed in a closed source fashion by Borland/Inprise. Both the
> open and closed source versions of the Interbase server contain a
> compiled-in back door account with a known password.
>
>I. Description
>
> Interbase is an open source database package that is distributed by
> Borland/Inprise at http://www.borland.com/interbase/ and on
> SourceForge. The Firebird Project, an alternate Interbase package, is
> also distributed on SourceForge. The Interbase server for both
> distributions contains a compiled-in back door account with a fixed,
> easily located plaintext password. The password and account are
> contained in source code and binaries previously made available at the
> following sites:
>
> http://www.borland.com/interbase/
> http://sourceforge.net/projects/interbase
> http://sourceforge.net/projects/firebird
> http://firebird.sourceforge.net
> http://www.ibphoenix.com
> http://www.interbase2000.com
>
> This back door allows any local user or remote user able to access
> port 3050/tcp [gds_db] to manipulate any database object on the
> system. This includes the ability to install trapdoors or other trojan
> horse software in the form of stored procedures. In addition, if the
> database software is running with root privileges, then any file on
> the server's file system can be overwritten, possibly leading to
> execution of arbitrary commands as root.
>
> This vulnerability was not introduced by unauthorized modifications to
> the original vendor's source. It was introduced by maintainers of the
> code within Borland. The back door account password cannot be changed
> using normal operational commands, nor can the account be deleted from
> existing vulnerable servers [see References].
>
> This vulnerability has been assigned the identifier CAN-2001-0008 by
> the Common Vulnerabilities and Exposures (CVE) group:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0008
>
> The CERT/CC has not received reports of this back door being exploited
> at the current time. We do recommend, however, that all affected sites
> and redistributors of Interbase products or services follow the
> recommendations suggested in Section III, as soon as possible due to
> the seriousness of this issue.
>
>II. Impact
>
> Any local user or remote user able to access port 3050/tcp [gds_db]
> can manipulate any database object on the system. This includes the
> ability to install trapdoors or other trojan horse software in the
> form of stored procedures. In addition, if the database software is
> running with root privileges, then any file on the server's file
> system can be overwritten, possibly leading to execution of arbitrary
> commands as root.
>
>III. Solution
>
>Apply a vendor-supplied patch
>
> Both Borland and The Firebird Project on SourceForge have published
> fixes for this problem. Appendix A contains information provided by
> vendors supplying these fixes. We will update the appendix as we
> receive more information. If you do not see your vendor's name, the
> CERT/CC did not hear from that vendor. Please contact your vendor
> directly.
>
> Users who are more comfortable making their own changes in source code
> may find the new code available on SourceForge useful as well:
>
> http://sourceforge.net/projects/interbase
> http://sourceforge.net/projects/firebird
>
>Block access to port 3050/tcp
>
> This will not, however, prevent local users or users within a
> firewall's administrative boundary from accessing the back door
> account. In addition, the port the Interbase server listens on may be
> changed dynamically at startup.
>
>Appendix A. Vendor Information
>
>Borland
>
> Please see:
>
> http://www.borland.com/interbase/
>
>IBPhoenix
>
> The Firebird project uncovered serious security problems with
> InterBase. The problems are fixed in Firebird build 0.9.4 for all
> platforms. If you are running either InterBase V6 or Firebird 0.9.3,
> you should upgrade to Firebird 0.9.4.
>
> These security holes affect all versions of InterBase shipped since
> 1994, on all platforms.
>
> For those who can not upgrade, Jim Starkey developed a patch program
> that will correct the more serious problems in any version of
> InterBase on any platform. IBPhoenix chose to release the program
> without charge, given the nature of the problem and our relationship
> to the community.
>
> At the moment, name service is not set up to the machine that is
> hosting the patch, so you will have to use the IP number both for the
> initial contact and for the ftp download.
>
> To start, point your browser at
>
> http://firebird.ibphoenix.com/
>
>Apple
>
> The referenced database package is not packaged with Mac OS X or Mac
> OS X Server.
>
>Fujitsu
>
> Fujitsu's UXP/V operating system is not affected by this problem
> because we don't support the relevant database.
>
>References
>
> 1. VU#247371: Borland/Inprise Interbase SQL database server contains
> backdoor superuser account with known password CERT/CC,
> 01/10/2001, https://www.kb.cert.org/vuls/id/247371
> _________________________________________________________________
>
> Author: This document was written by Jeffrey S Havrilla. Feedback on
> this advisory is appreciated.
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2001-01.html
> ______________________________________________________________________
>
>CERT/CC Contact Information
>
> Email: [EMAIL PROTECTED]
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
> Monday through Friday; they are on call for emergencies during other
> hours, on U.S. holidays, and on weekends.
>
>Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
>
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
>Getting security information
>
> CERT publications and other security information are available from
> our web site
>
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to [EMAIL PROTECTED] Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2001 Carnegie Mellon University.
>
> Revision History
>January 10, 2001: Initial release
>
>
>
>_______________________________________________
>cobalt-developers mailing list
>[EMAIL PROTECTED]
>http://list.cobalt.com/mailman/listinfo/cobalt-developers
--
-- --
Gordon Garb gordon.garb @sun.com
Senior Manager - Developer Relations
http://developer.cobalt.com/
http://www.cobalt.com/solutions
Cobalt Networks -- the Sun Microsystems Server Appliance Business Unit
555 Ellis Street
Mountain View, CA 94043 USA
+1 650 623-2534 voice
+1 650 623-2501 fax
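As an added defensive check (my own example, not part of the advisory or of the Cobalt list thread), the Python script below audits whether a host's InterBase listener is reachable beyond localhost. It resolves the gds_db port by name rather than hard-coding 3050, because the advisory notes the port can be changed at startup; the /etc/services and netstat samples are constructed, and the iptables rule syntax is an assumption about which firewall tool the host runs.

```python
import re

# Constructed /etc/services-style entries (sample input, not from a real host).
# The advisory notes the InterBase listener port can be changed at startup,
# so the check resolves the gds_db name instead of hard-coding 3050.
SERVICES_TEXT = """\
gds_db          3050/tcp   # InterBase
http            80/tcp
"""

# Constructed `netstat -ltn`-style output (sample, not captured from a host).
NETSTAT_TEXT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3050            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""

def service_port(services_text, name, proto="tcp"):
    """Resolve a service name to its port number, as getservbyname would."""
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == name and fields[1].endswith("/" + proto):
            return int(fields[1].split("/")[0])
    return None

def tcp_listeners(netstat_text):
    """Return (bind_address, port) pairs for every TCP socket in LISTEN state."""
    pat = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")
    return [(m.group(1), int(m.group(2)))
            for m in map(pat.match, netstat_text.splitlines()) if m]

def interbase_exposure(services_text, netstat_text):
    """Classify the gds_db listener as 'absent', 'local-only' or 'exposed'.
    'local-only' still leaves the back door open to local users (see III)."""
    port = service_port(services_text, "gds_db")
    binds = [addr for addr, p in tcp_listeners(netstat_text) if p == port]
    if not binds:
        return "absent"
    if all(addr.startswith("127.") for addr in binds):
        return "local-only"
    return "exposed"

def block_rule(services_text):
    """Assumed iptables syntax: drop non-loopback traffic to the gds_db port."""
    port = service_port(services_text, "gds_db")
    return f"iptables -A INPUT -p tcp --dport {port} ! -i lo -j DROP"
```

Run `interbase_exposure(SERVICES_TEXT, NETSTAT_TEXT)` against the sample and it returns "exposed"; blocking the port is only a stopgap, and the vendor patch remains the actual fix.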