firebird3.0 - Debian Package Tracker

general

source: firebird3.0 (main)
version: 3.0.14.ds7-1
maintainer: Damyan Ivanov (DMD)
arch: all any
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 3.0.7.33374.ds4-2
o-o-sec: 3.0.7.33374.ds4-2+deb11u1
oldstable: 3.0.11.33637.ds4-2+deb12u1
stable: 3.0.12.ds7-13+deb13u1
testing: 3.0.14.ds7-1
unstable: 3.0.14.ds7-1

versioned links

3.0.7.33374.ds4-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.0.7.33374.ds4-2+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.0.11.33637.ds4-2+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.0.12.ds7-13+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.0.14.ds7-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

firebird3.0-common
firebird3.0-common-doc
firebird3.0-doc
firebird3.0-examples
firebird3.0-server
firebird3.0-server-core (1 bugs: 0, 1, 0, 0)
firebird3.0-utils (3 bugs: 0, 1, 2, 0)

action needed

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2025-01-25 Last update: 2026-05-03 12:32

9 security issues in trixie high

There are 9 open security issues in trixie.

9 important issues:

CVE-2025-65104: Firebird is an open-source relational database management system. In versions FB3 of the client library placed incorrect data length values into XSQLDA fields when communicating with FB4 or higher servers, resulting in an information leak. This issue is fixed by upgrading to the FB4 client or higher.
CVE-2026-27890: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing CNCT_specific_data segments during authentication, the server assumes segments arrive in strictly ascending order. If segments arrive out of order, the Array class's grow() method computes a negative size value, causing a SIGSEGV crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-28212: Firebird is an open-source relational database management system. In versions prior to 6.0.0, 5.0.4, 4.0.7 and 3.0.14, when processing an op_slice network packet, the server passes an unprepared structure containing a null pointer to the SDL_info() function, resulting in a null pointer dereference and server crash. An unauthenticated attacker can trigger this by sending a crafted packet to the server port. This issue has been fixed in versions 6.0.0, 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-28214: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the ClumpletReader::getClumpletSize() function can overflow the totalLength value when parsing a Wide type clumplet, causing an infinite loop. An authenticated user with INSERT privileges on any table can exploit this via a crafted Batch Parameter Block to cause a denial of service against the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-28224: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior authentication, the port_server_crypt_callback handler is not initialized, resulting in a null pointer dereference and server crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-33337: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when deserializing a slice packet, the xdr_datum() function does not validate that a cstring length conforms to the slice descriptor bounds, allowing a cstring longer than the allocated buffer to overflow it. An unauthenticated attacker can exploit this by sending a crafted packet to the server, potentially causing a crash or other security impact. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-34232: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector() function does not handle the isc_arg_cstring type when decoding an op_response packet, causing a server crash when one is encountered in the status vector. An unauthenticated attacker can exploit this by sending a crafted op_response packet to the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-35215: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl_desc() function does not validate the length of a decoded SDL descriptor from a slice packet. A zero-length descriptor is later used to calculate the number of slice items, causing a division by zero. An unauthenticated attacker can exploit this by sending a crafted slice packet to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-40342: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

Created: 2026-04-17 Last update: 2026-04-28 19:02

9 security issues in bullseye high

There are 9 open security issues in bullseye.

9 important issues:

CVE-2025-65104: Firebird is an open-source relational database management system. In versions FB3 of the client library placed incorrect data length values into XSQLDA fields when communicating with FB4 or higher servers, resulting in an information leak. This issue is fixed by upgrading to the FB4 client or higher.
CVE-2026-27890: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing CNCT_specific_data segments during authentication, the server assumes segments arrive in strictly ascending order. If segments arrive out of order, the Array class's grow() method computes a negative size value, causing a SIGSEGV crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-28212: Firebird is an open-source relational database management system. In versions prior to 6.0.0, 5.0.4, 4.0.7 and 3.0.14, when processing an op_slice network packet, the server passes an unprepared structure containing a null pointer to the SDL_info() function, resulting in a null pointer dereference and server crash. An unauthenticated attacker can trigger this by sending a crafted packet to the server port. This issue has been fixed in versions 6.0.0, 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-28214: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the ClumpletReader::getClumpletSize() function can overflow the totalLength value when parsing a Wide type clumplet, causing an infinite loop. An authenticated user with INSERT privileges on any table can exploit this via a crafted Batch Parameter Block to cause a denial of service against the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-28224: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior authentication, the port_server_crypt_callback handler is not initialized, resulting in a null pointer dereference and server crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-33337: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when deserializing a slice packet, the xdr_datum() function does not validate that a cstring length conforms to the slice descriptor bounds, allowing a cstring longer than the allocated buffer to overflow it. An unauthenticated attacker can exploit this by sending a crafted packet to the server, potentially causing a crash or other security impact. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-34232: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector() function does not handle the isc_arg_cstring type when decoding an op_response packet, causing a server crash when one is encountered in the status vector. An unauthenticated attacker can exploit this by sending a crafted op_response packet to the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-35215: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl_desc() function does not validate the length of a decoded SDL descriptor from a slice packet. A zero-length descriptor is later used to calculate the number of slice items, causing a division by zero. An unauthenticated attacker can exploit this by sending a crafted slice packet to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-40342: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

Created: 2026-04-17 Last update: 2026-04-28 19:02

9 security issues in bookworm high

There are 9 open security issues in bookworm.

9 important issues:

CVE-2025-65104: Firebird is an open-source relational database management system. In versions FB3 of the client library placed incorrect data length values into XSQLDA fields when communicating with FB4 or higher servers, resulting in an information leak. This issue is fixed by upgrading to the FB4 client or higher.
CVE-2026-27890: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing CNCT_specific_data segments during authentication, the server assumes segments arrive in strictly ascending order. If segments arrive out of order, the Array class's grow() method computes a negative size value, causing a SIGSEGV crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-28212: Firebird is an open-source relational database management system. In versions prior to 6.0.0, 5.0.4, 4.0.7 and 3.0.14, when processing an op_slice network packet, the server passes an unprepared structure containing a null pointer to the SDL_info() function, resulting in a null pointer dereference and server crash. An unauthenticated attacker can trigger this by sending a crafted packet to the server port. This issue has been fixed in versions 6.0.0, 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-28214: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the ClumpletReader::getClumpletSize() function can overflow the totalLength value when parsing a Wide type clumplet, causing an infinite loop. An authenticated user with INSERT privileges on any table can exploit this via a crafted Batch Parameter Block to cause a denial of service against the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-28224: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior authentication, the port_server_crypt_callback handler is not initialized, resulting in a null pointer dereference and server crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-33337: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when deserializing a slice packet, the xdr_datum() function does not validate that a cstring length conforms to the slice descriptor bounds, allowing a cstring longer than the allocated buffer to overflow it. An unauthenticated attacker can exploit this by sending a crafted packet to the server, potentially causing a crash or other security impact. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-34232: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector() function does not handle the isc_arg_cstring type when decoding an op_response packet, causing a server crash when one is encountered in the status vector. An unauthenticated attacker can exploit this by sending a crafted op_response packet to the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-35215: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl_desc() function does not validate the length of a decoded SDL descriptor from a slice packet. A zero-length descriptor is later used to calculate the number of slice items, causing a division by zero. An unauthenticated attacker can exploit this by sending a crafted slice packet to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-40342: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

Created: 2026-04-17 Last update: 2026-04-28 19:02

debian/patches: 3 patches with invalid metadata, 21 patches to forward upstream high

Among the 28 debian patches available in version 3.0.14.ds7-1 of the package, we noticed the following issues:

3 patches with invalid metadata that ought to be fixed.
21 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-04-20 00:18

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2026-04-06 Last update: 2026-05-05 00:30

1 open merge request in Salsa normal

There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2026-04-24 Last update: 2026-04-24 20:02

lintian reports 57 warnings normal

Lintian reports 57 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-09-03 Last update: 2026-04-20 12:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.2).

Created: 2025-12-23 Last update: 2026-04-19 15:16

news

[rss feed]

[2026-04-21] firebird3.0 3.0.14.ds7-1 MIGRATED to testing (Debian testing watch)
[2026-04-19] Accepted firebird3.0 3.0.14.ds7-1 (source) into unstable (Damyan Ivanov)
[2025-09-05] firebird3.0 3.0.13.ds7-2 MIGRATED to testing (Debian testing watch)
[2025-09-03] Accepted firebird3.0 3.0.13.ds7-2 (source) into unstable (Damyan Ivanov)
[2025-08-27] Accepted firebird3.0 3.0.11.33637.ds4-2+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
[2025-08-26] Accepted firebird3.0 3.0.12.ds7-13+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
[2025-08-25] Accepted firebird3.0 3.0.7.33374.ds4-2+deb11u1 (source) into oldoldstable-security (Adrian Bunk)
[2025-08-21] firebird3.0 3.0.13.ds7-1 MIGRATED to testing (Debian testing watch)
[2025-08-17] Accepted firebird3.0 3.0.13.ds7-1 (source) into unstable (Damyan Ivanov)
[2025-03-26] firebird3.0 3.0.12.ds7-13 MIGRATED to testing (Debian testing watch)
[2025-03-23] Accepted firebird3.0 3.0.12.ds7-13 (source) into unstable (Damyan Ivanov)
[2025-02-20] firebird3.0 3.0.12.ds7-12 MIGRATED to testing (Debian testing watch)
[2025-02-17] Accepted firebird3.0 3.0.12.ds7-12 (source) into unstable (Damyan Ivanov)
[2025-02-11] firebird3.0 3.0.12.ds7-11 MIGRATED to testing (Debian testing watch)
[2025-02-08] Accepted firebird3.0 3.0.12.ds7-11 (source) into unstable (Damyan Ivanov)
[2025-02-07] Accepted firebird3.0 3.0.12.ds7-10 (source) into unstable (Damyan Ivanov)
[2025-02-05] Accepted firebird3.0 3.0.12.ds7-9 (source) into unstable (Damyan Ivanov)
[2025-01-25] Accepted firebird3.0 3.0.12.ds7-8 (source) into unstable (Damyan Ivanov)
[2025-01-18] firebird3.0 3.0.12.ds7-6 MIGRATED to testing (Debian testing watch)
[2025-01-16] Accepted firebird3.0 3.0.12.ds7-7+exp1 (source) into experimental (Damyan Ivanov)
[2025-01-16] Accepted firebird3.0 3.0.12.ds7-7 (source) into experimental (Damyan Ivanov)
[2025-01-16] Accepted firebird3.0 3.0.12.ds7-6 (source) into unstable (Damyan Ivanov)
[2025-01-15] Accepted firebird3.0 3.0.12.ds7-5+exp1 (source) into experimental (Damyan Ivanov)
[2025-01-15] Accepted firebird3.0 3.0.12.ds7-5 (source) into unstable (Damyan Ivanov)
[2025-01-14] Accepted firebird3.0 3.0.12.ds7-3+exp.0 (source) into experimental (Damyan Ivanov)
[2025-01-07] Accepted firebird3.0 3.0.12.ds7-3 (source) into unstable (Damyan Ivanov)
[2025-01-07] Accepted firebird3.0 3.0.12.ds7-2 (source) into unstable (Damyan Ivanov)
[2025-01-02] firebird3.0 3.0.12.ds7-1 MIGRATED to testing (Debian testing watch)
[2024-12-30] Accepted firebird3.0 3.0.12.ds7-1 (source) into unstable (Damyan Ivanov)
[2024-12-29] Accepted firebird3.0 3.0.12.ds5-2 (source) into unstable (Damyan Ivanov)

bugs [bug history graph]

all: 6
RC: 0
I&N: 4
M&W: 2
F&P: 0
patch: 2

links

homepage
lintian (0, 57)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
l10n (97, -)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.0.13.ds7-2build1