Source: firebird4.0 Version: 4.0.5.3140.ds6-17 Severity: important Tags: security upstream Forwarded: https://github.com/FirebirdSQL/firebird/issues/8429 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for firebird4.0. CVE-2025-24975[0]: | Firebird is a relational database. Prior to snapshot versions | 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, Firebird is vulnerable if | ExtConnPoolSize is not set equal to 0. If connections stored in | ExtConnPool are not verified for presence and suitability of the | CryptCallback interface is used when created versus what is | available could result in a segfault in the server process. | Encrypted databases, accessed by execute statement on external, may | be accessed later by an attachment missing a key to that database. | In a case when execute statement are chained, segfault may happen. | Additionally, the segfault may affect unencrypted databases. This | issue has been patched in snapshot versions 4.0.6.3183, 5.0.2.1610, | and 6.0.0.609 and point releases 4.0.6 and 5.0.2. A workaround for | this issue involves setting ExtConnPoolSize equal to 0 in | firebird.conf. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-24975 https://www.cve.org/CVERecord?id=CVE-2025-24975 [1] https://github.com/FirebirdSQL/firebird/issues/8429 [2] https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-fx9r-rj68-7p69 [3] https://github.com/FirebirdSQL/firebird/commit/658abd20449f72097fbbce57e8e6ae42ff837fb6 Regards, Salvatore
