Your message dated Sun, 17 Aug 2025 19:54:19 +0000
with message-id <[email protected]>
and subject line Bug#1111322: fixed in firebird4.0 4.0.6.3221.ds6-1
has caused the Debian Bug report #1111322,
regarding firebird4.0: CVE-2025-24975
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1111322: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111322
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: firebird4.0
Version: 4.0.5.3140.ds6-17
Severity: important
Tags: security upstream
Forwarded: https://github.com/FirebirdSQL/firebird/issues/8429
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for firebird4.0.

CVE-2025-24975[0]:
| Firebird is a relational database. Prior to snapshot versions
| 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, Firebird is vulnerable if
| ExtConnPoolSize is not set equal to 0. If connections stored in
| ExtConnPool are not verified for the presence and suitability of the
| CryptCallback interface used when they were created versus what is
| available, this could result in a segfault in the server process.
| Encrypted databases, accessed by execute statement on external, may
| be accessed later by an attachment missing a key to that database.
| In a case when execute statements are chained, a segfault may happen.
| Additionally, the segfault may affect unencrypted databases. This
| issue has been patched in snapshot versions 4.0.6.3183, 5.0.2.1610,
| and 6.0.0.609 and point releases 4.0.6 and 5.0.2. A workaround for
| this issue involves setting ExtConnPoolSize equal to 0 in
| firebird.conf.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-24975
    https://www.cve.org/CVERecord?id=CVE-2025-24975
[1] https://github.com/FirebirdSQL/firebird/issues/8429
[2] https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-fx9r-rj68-7p69
[3] https://github.com/FirebirdSQL/firebird/commit/658abd20449f72097fbbce57e8e6ae42ff837fb6

Regards,
Salvatore

--- End Message ---
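The advisory quoted in the report above gives two ways out of CVE-2025-24975: run a build at or past the fixed snapshot for your major line, or set ExtConnPoolSize = 0 in firebird.conf. The checker below is an added example, not code from the bug report or from the Firebird project; it reads a Firebird version string and firebird.conf text and classifies the host as patched, mitigated or exposed. The fixed versions come from the CVE text; the assumption that an absent or commented-out ExtConnPoolSize means a non-zero default pool (128) is mine, and the configuration fragments are constructed samples.

```python
"""Classify a Firebird host's exposure to CVE-2025-24975 (added example)."""
import re

# Lowest snapshot build per major line that carries the fix, from the CVE text.
FIXED = {4: (4, 0, 6, 3183), 5: (5, 0, 2, 1610), 6: (6, 0, 0, 609)}

# Assumption: when ExtConnPoolSize is absent or commented out, Firebird uses a
# non-zero default, so the pool is enabled. 128 is assumed, not from the report.
DEFAULT_POOL_SIZE = 128


def parse_version(text):
    """'4.0.5.3140.ds6-17' -> (4, 0, 5, 3140); the Debian suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Firebird version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_is_fixed(version):
    """True when the build is at or beyond the fixed snapshot for its major line."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False  # unknown major line: do not assume it is patched
    return v >= fixed


def ext_conn_pool_size(conf_text):
    """Effective ExtConnPoolSize from firebird.conf text.

    Lines are 'Key = value', '#' starts a comment, the last assignment wins."""
    size = DEFAULT_POOL_SIZE
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "extconnpoolsize":
            size = int(value.strip())
    return size


def exposure(version, conf_text):
    """'patched', 'mitigated' (pool disabled by the workaround) or 'exposed'."""
    if version_is_fixed(version):
        return "patched"
    if ext_conn_pool_size(conf_text) == 0:
        return "mitigated"
    return "exposed"


# Constructed sample firebird.conf fragments (not taken from the bug report).
CONF_DEFAULT = "# ExtConnPoolSize = 128\nRemoteServicePort = 3050\n"
CONF_WORKAROUND = "ExtConnPoolSize = 0   # CVE-2025-24975 workaround\n"
```

With the Debian versions from this thread, 4.0.5.3140.ds6-17 under CONF_DEFAULT comes out "exposed" and 4.0.6.3221.ds6-1 comes out "patched" regardless of the pool setting.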
--- Begin Message ---
Source: firebird4.0
Source-Version: 4.0.6.3221.ds6-1
Done: Damyan Ivanov <[email protected]>

We believe that the bug you reported is fixed in the latest version of
firebird4.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov <[email protected]> (supplier of updated firebird4.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 17 Aug 2025 19:24:26 +0000
Source: firebird4.0
Architecture: source
Version: 4.0.6.3221.ds6-1
Distribution: unstable
Urgency: medium
Maintainer: Damyan Ivanov <[email protected]>
Changed-By: Damyan Ivanov <[email protected]>
Closes: 1111320 1111322
Changes:
 firebird4.0 (4.0.6.3221.ds6-1) unstable; urgency=medium
 .
   * rename default branch to debian/unstable
   * turn off pristine-tar in gbp.conf
   * rename upstream branch to upstream/latest
   * New upstream version 4.0.6.3221.ds6
     Closes: #1111320 (CVE-2025-54989)
     Closes: #1111322 (CVE-2025-24975)
   * rebase and refresh patches
   * drop debian/source/local-options
   * declare conformance with Policy 4.7.2 (no changes needed)
   * declare origin of upstream/std-c++-17.patch
Git-Tag-Tagger: Damyan Ivanov <[email protected]>



--- End Message ---