
Re: [cobalt-developers] Interbase Warning



Just an idea: instead of fixing the existing one, why not make a patch to remove the CS and install
the SS as well as the necessary package?  Kill two birds with one stone.  The SS edition has many more
advanced uses which come in handy for DB admins, as far as DB efficiency, problems, connections, etc.

I understand that at the time Cobalt made the move towards IB, CS was the only stable, non-beta
version, but things have changed.

Anyone wanting to get serious with IB and Cobalt (at least in my case) will find CS to be somewhat
useless, and it leaves you hungry for more.  All of the client-side tools like I and InterBase
Workbench used to construct, reconstruct, maintain, etc. will not work with CS, from what I have
seen and heard.

The only thing I am extremely thankful for is the Chili!Soft ASP ODBC driver for Interbase, since
most ODBC drivers for IB are not cheap, and somewhat rare.  Without that I really would have no use
for IB on the RaQ.

What I am wondering is if the ODBC driver is really a modified version of InterClient (JDBC for IB),
since Chili!ASP is a Java-based program.

Anyway, a patch would be nice, but a patch and SS would be great.  I know you can't have your cake
and eat it too; I found that out the hard way when I got the RaQ 4r.   Ha ha.


Thoughts,
William L. Thomson Jr.
CEO
Obsidian-Studios Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone/fax 707.766.8989
http://www.obsidian-studios.com


----- Original Message -----
From: "Gordon Garb" <gordon.garb@xxxxxxx>
To: <cobalt-developers@xxxxxxxxxxxxxxx>
Sent: Friday, January 26, 2001 7:52 PM
Subject: RE: [cobalt-developers] Interbase Warning


> We are working with Inprise/Borland/Interbase on fixes for all
> platforms that ship with InterBase.
> I expect we will release these fixes soon.
>
> Best Regards,
> /Gordon Garb
>
> >I don't think it's out yet; Borland released a patch for every single
> >platform other than Cobalt, 'cause I guess not many people are using IB on
> >the Cobalt. The same applies to the current APOP problem. I think they need
> >to start improving the response time for such issues, 'cause new technologies
> >are introduced every day, and as a Cobalt owner/developer there should be a
> >quick turnover for these technologies to be added for us to use. From this
> >point of view, I guess Cobalt is doing great, since the RaQ 4 has PHP,
> >ASP, and a variety of choices that can be activated in an easy way. I won't
> >even be surprised if the next Cobalt had a ready-to-use JVM for Servlets,
> >Beans, and others. The weakness, I guess, in my thinking is found in how to
> >provide continuous updates and stuff like that in a timely manner for the
> >Cobalt Community. I'm not attacking Cobalt or have anything against them,
> >and we like the product and use it; however, if we can't keep the machine
> >up-to-date within a reasonable timeframe, then what's the idea of using the
> >product as opposed to using a Linux machine? Information regarding
> >installing and updating Linux is spread everywhere, but for the Cobalt we
> >depend on Cobalt staff, so our business depends on how fast the Support Team
> >can provide us with instructions for doing an update, install, etc...
> >
> >I don't have much experience with the rpm and pkg files, yet I know that the
> >Cobalt supports rpm, thus if a pkg file takes time, then why not post an
> >rpm that would install to the right directories? This way at least you give
> >us an option to look up information on rpms and do the install without
> >any problems...
> >
> >
> >Kal
> >
> >-----Original Message-----
> >From: cobalt-developers-admin@xxxxxxxxxxxxxxx
> >[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of Peter Ball
> >Sent: Friday, January 26, 2001 6:36 PM
> >To: cobalt-developers@xxxxxxxxxxxxxxx
> >Subject: RE: [cobalt-developers] Interbase Warning
> >
> >
> >Hi Tim, or anyone from Cobalt,
> >
> >Any idea when the bug fix for this will be released by Cobalt? Or has it
> >been released and I missed it?
> >
> >
> >
> >-----Original Message-----
> >From: cobalt-developers-admin@xxxxxxxxxxxxxxx
> >[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of Jon
> >Rosenberg
> >Sent: Thursday, 11 January 2001 8:33 AM
> >To: cobalt-developers@xxxxxxxxxxxxxxx
> >Subject: [cobalt-developers] Interbase Warning
> >
> >
> >For those of you using Interbase:
> >
> >CERT Advisory CA-2001-01 Interbase Server Contains Compiled-in Back Door
> >Account
> >
> >    Original release date: January 10, 2001
> >    Last revised: --
> >    Source: CERT/CC
> >
> >    A complete revision history is at the end of this file.
> >
> >Systems Affected
> >
> >      * Borland/Inprise Interbase 4.x and 5.x
> >      * Open source Interbase 6.0 and 6.01
> >      * Open source Firebird 0.9-3 and earlier
> >
> >Overview
> >
> >    Interbase is an open source database package that had previously been
> >    distributed in a closed source fashion by Borland/Inprise. Both the
> >    open and closed source versions of the Interbase server contain a
> >    compiled-in back door account with a known password.
> >
> >I. Description
> >
> >    Interbase is an open source database package that is distributed by
> >    Borland/Inprise at http://www.borland.com/interbase/ and on
> >    SourceForge. The Firebird Project, an alternate Interbase package, is
> >    also distributed on SourceForge. The Interbase server for both
> >    distributions contains a compiled-in back door account with a fixed,
> >    easily located plaintext password. The password and account are
> >    contained in source code and binaries previously made available at the
> >    following sites:
> >
> >           http://www.borland.com/interbase/
> >           http://sourceforge.net/projects/interbase
> >           http://sourceforge.net/projects/firebird
> >           http://firebird.sourceforge.net
> >           http://www.ibphoenix.com
> >           http://www.interbase2000.com
> >
> >    This back door allows any local user or remote user able to access
> >    port 3050/tcp [gds_db] to manipulate any database object on the
> >    system. This includes the ability to install trapdoors or other trojan
> >    horse software in the form of stored procedures. In addition, if the
> >    database software is running with root privileges, then any file on
> >    the server's file system can be overwritten, possibly leading to
> >    execution of arbitrary commands as root.
> >
> >    This vulnerability was not introduced by unauthorized modifications to
> >    the original vendor's source. It was introduced by maintainers of the
> >    code within Borland. The back door account password cannot be changed
> >    using normal operational commands, nor can the account be deleted from
> >    existing vulnerable servers [see References].
> >
> >    This vulnerability has been assigned the identifier CAN-2001-0008 by
> >    the Common Vulnerabilities and Exposures (CVE) group:
> >
> >           http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0008
> >
> >    The CERT/CC has not received reports of this back door being exploited
> >    at the current time. We do recommend, however, that all affected sites
> >    and redistributors of Interbase products or services follow the
> >    recommendations suggested in Section III, as soon as possible due to
> >    the seriousness of this issue.
> >
> >II. Impact
> >
> >    Any local user or remote user able to access port 3050/tcp [gds_db]
> >    can manipulate any database object on the system. This includes the
> >    ability to install trapdoors or other trojan horse software in the
> >    form of stored procedures. In addition, if the database software is
> >    running with root privileges, then any file on the server's file
> >    system can be overwritten, possibly leading to execution of arbitrary
> >    commands as root.
> >
> >III. Solution
> >
> >Apply a vendor-supplied patch
> >
> >    Both Borland and The Firebird Project on SourceForge have published
> >    fixes for this problem. Appendix A contains information provided by
> >    vendors supplying these fixes. We will update the appendix as we
> >    receive more information. If you do not see your vendor's name, the
> >    CERT/CC did not hear from that vendor. Please contact your vendor
> >    directly.
> >
> >    Users who are more comfortable making their own changes in source code
> >    may find the new code available on SourceForge useful as well:
> >
> >           http://sourceforge.net/projects/interbase
> >           http://sourceforge.net/projects/firebird
> >
> >Block access to port 3050/tcp
> >
> >    This will not, however, prevent local users or users within a
> >    firewall's administrative boundary from accessing the back door
> >    account. In addition, the port the Interbase server listens on may be
> >    changed dynamically at startup.
> >
> >Appendix A. Vendor Information
> >
> >Borland
> >
> >    Please see:
> >
> >           http://www.borland.com/interbase/
> >
> >IBPhoenix
> >
> >    The Firebird project uncovered serious security problems with
> >    InterBase. The problems are fixed in Firebird build 0.9.4 for all
> >    platforms. If you are running either InterBase V6 or Firebird 0.9.3,
> >    you should upgrade to Firebird 0.9.4.
> >
> >    These security holes affect all versions of InterBase shipped since
> >    1994, on all platforms.
> >
> >    For those who can not upgrade, Jim Starkey developed a patch program
> >    that will correct the more serious problems in any version of
> >    InterBase on any platform. IBPhoenix chose to release the program
> >    without charge, given the nature of the problem and our relationship
> >    to the community.
> >
> >    At the moment, name service is not set up to the machine that is
> >    hosting the patch, so you will have to use the IP number both for the
> >    initial contact and for the ftp download.
> >
> >    To start, point your browser at
> >
> >           http://firebird.ibphoenix.com/
> >
> >Apple
> >
> >    The referenced database package is not packaged with Mac OS X or Mac
> >    OS X Server.
> >
> >Fujitsu
> >
> >    Fujitsu's UXP/V operating system is not affected by this problem
> >    because we don't support the relevant database.
> >
> >References
> >
> >     1. VU#247371: Borland/Inprise Interbase SQL database server contains
> >        backdoor superuser account with known password CERT/CC,
> >        01/10/2001, https://www.kb.cert.org/vuls/id/247371
> >      _________________________________________________________________
> >
> >    Author: This document was written by Jeffrey S Havrilla. Feedback on
> >    this advisory is appreciated.
> >    ______________________________________________________________________
> >
> >    This document is available from:
> >    http://www.cert.org/advisories/CA-2001-01.html
> >    ______________________________________________________________________
> >
> >CERT/CC Contact Information
> >
> >    Email: cert@xxxxxxxx
> >           Phone: +1 412-268-7090 (24-hour hotline)
> >           Fax: +1 412-268-6989
> >           Postal address:
> >           CERT Coordination Center
> >           Software Engineering Institute
> >           Carnegie Mellon University
> >           Pittsburgh PA 15213-3890
> >           U.S.A.
> >
> >    CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
> >    Monday through Friday; they are on call for emergencies during other
> >    hours, on U.S. holidays, and on weekends.
> >
> >Using encryption
> >
> >    We strongly urge you to encrypt sensitive information sent by email.
> >    Our public PGP key is available from
> >
> >    http://www.cert.org/CERT_PGP.key
> >
> >    If you prefer to use DES, please call the CERT hotline for more
> >    information.
> >
> >Getting security information
> >
> >    CERT publications and other security information are available from
> >    our web site
> >
> >    http://www.cert.org/
> >
> >    To subscribe to the CERT mailing list for advisories and bulletins,
> >    send email to majordomo@xxxxxxxxx Please include in the body of your
> >    message
> >
> >    subscribe cert-advisory
> >
> >    * "CERT" and "CERT Coordination Center" are registered in the U.S.
> >    Patent and Trademark Office.
> >    ______________________________________________________________________
> >
> >    NO WARRANTY
> >    Any material furnished by Carnegie Mellon University and the Software
> >    Engineering Institute is furnished on an "as is" basis. Carnegie
> >    Mellon University makes no warranties of any kind, either expressed or
> >    implied as to any matter including, but not limited to, warranty of
> >    fitness for a particular purpose or merchantability, exclusivity or
> >    results obtained from use of the material. Carnegie Mellon University
> >    does not make any warranty of any kind with respect to freedom from
> >    patent, trademark, or copyright infringement.
> >      _________________________________________________________________
> >
> >    Conditions for use, disclaimers, and sponsorship information
> >
> >    Copyright 2001 Carnegie Mellon University.
> >
> >    Revision History
> >January 10, 2001:  Initial release
> >
> >
> >
> >_______________________________________________
> >cobalt-developers mailing list
> >cobalt-developers@xxxxxxxxxxxxxxx
> >http://list.cobalt.com/mailman/listinfo/cobalt-developers
> >
>
> --
>
> -- --
> Gordon Garb gordon.garb @sun.com
> Senior Manager - Developer Relations
> http://developer.cobalt.com/
> http://www.cobalt.com/solutions
> Cobalt Networks -- the Sun Microsystems Server Appliance Business Unit
> 555 Ellis Street +1 650 623-2501 fax
> Mountain View, CA  94043 USA +1 650 623-2534 voice
>
>
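An added example, not part of the thread above, the CERT advisory, or any code from Cobalt, Borland or the Firebird project: a small exposure check built from the two points CA-2001-01 makes about the back door, namely that anyone who can connect to the gds_db port can use the account, and that the port is not necessarily 3050 because it can be changed at startup. The script assumes that such a change would be made through the gds_db line in /etc/services (an assumption, not something the advisory states), parses netstat-style listener output, checks both the configured port and the default, and emits iptables rules for whatever port turns out to be reachable. The services-file text, the netstat output and the trusted host 192.0.2.10 are all constructed samples.

```python
"""Exposure check for an InterBase/Firebird gds_db listener (added example).

Assumptions: a moved listener port is recorded on the gds_db line of
/etc/services; listener output is in `netstat -ltn` format; iptables
syntax is acceptable for the packet filter on the box.  Every input
below is constructed sample text, not a real capture.
"""
import re

DEFAULT_GDS_PORT = 3050  # the port CA-2001-01 names for gds_db

# Constructed /etc/services excerpts: default port, and one where the
# administrator moved gds_db to 3051.
SAMPLE_SERVICES = """\
# constructed sample, not a real /etc/services
ftp              21/tcp
gds_db           3050/tcp          # InterBase / Firebird
gds_db           3050/udp
"""
SAMPLE_SERVICES_MOVED = SAMPLE_SERVICES.replace("3050", "3051")

# Constructed `netstat -ltn`-style output: a listener on every interface.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3050            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""
# Same box, but the listener is bound to loopback on the moved port.
SAMPLE_NETSTAT_LOOPBACK = SAMPLE_NETSTAT.replace("0.0.0.0:3050", "127.0.0.1:3051")


def gds_db_port(services_text):
    """Return the TCP port mapped to gds_db in services-file text, else 3050."""
    for raw in services_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        m = re.fullmatch(r"(\d+)/tcp", fields[1])
        # The service name may be the first field or one of its aliases.
        if m and "gds_db" in (fields[0], *fields[2:]):
            return int(m.group(1))
    return DEFAULT_GDS_PORT


def listeners_on(netstat_text, ports):
    """Return one record per TCP LISTEN socket whose local port is in ports."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[-1] != "LISTEN":
            continue
        addr, _, port = f[3].rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue
        loopback = addr == "::1" or addr.startswith("127.")
        found.append({"addr": addr, "port": int(port),
                      "remote_reachable": not loopback})
    return found


def assess(services_text, netstat_text):
    """Verdict on who can reach the back door.  Both the configured port and
    the default are checked, so a server still on 3050 after the services
    file was edited is caught too."""
    port = gds_db_port(services_text)
    listeners = listeners_on(netstat_text, {port, DEFAULT_GDS_PORT})
    if not listeners:
        verdict = "no gds_db listener"
    elif any(l["remote_reachable"] for l in listeners):
        verdict = "remotely reachable"
    else:
        verdict = "loopback only"
    return {
        "configured_port": port,
        "listeners": listeners,
        "verdict": verdict,
        # Per the advisory, filtering the port does nothing for local
        # accounts: any listener at all leaves them able to use the account.
        "local_users_exposed": bool(listeners),
    }


def firewall_rules(port, trusted_hosts):
    """iptables lines admitting only trusted_hosts to the gds_db port; a
    stopgap until the vendor patch is applied, not a replacement for it."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {host} -j ACCEPT"
             for host in trusted_hosts]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for services, netstat in ((SAMPLE_SERVICES, SAMPLE_NETSTAT),
                              (SAMPLE_SERVICES_MOVED, SAMPLE_NETSTAT),
                              (SAMPLE_SERVICES_MOVED, SAMPLE_NETSTAT_LOOPBACK)):
        report = assess(services, netstat)
        print(report["configured_port"], report["verdict"], report["listeners"])
        # 192.0.2.10 is a placeholder (documentation address), not a real client.
        for p in sorted({l["port"] for l in report["listeners"] if l["remote_reachable"]}):
            print("\n".join(firewall_rules(p, ["192.0.2.10"])))
```

On a real box you would feed `assess` the contents of /etc/services and the output of `netstat -ltn`; the second sample run shows why the default port is always checked alongside the configured one, and the third shows that a loopback-only listener still reports local users as exposed, which is the advisory's own caveat about blocking the port.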