firebird4.0 - Debian Package Tracker

general

source: firebird4.0 (main)
version: 4.0.7.3271.ds6-1
maintainer: Damyan Ivanov (DMD)
arch: all any
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 4.0.5.3140.ds6-17+deb13u1
stable-sec: 4.0.5.3140.ds6-17+deb13u1
testing: 4.0.6.3221.ds6-2
unstable: 4.0.7.3271.ds6-1

versioned links

4.0.5.3140.ds6-17+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0.6.3221.ds6-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0.7.3271.ds6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

firebird-dev
firebird-utils
firebird4.0-common
firebird4.0-common-doc
firebird4.0-doc
firebird4.0-examples
firebird4.0-server
firebird4.0-server-core
firebird4.0-utils
libfbclient2 (1 bugs: 0, 0, 1, 0)
libib-util

action needed

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

The following paragraph isn't well formatted, skipping it: &lt;&lt; ==EOF==
#version=4
##opts="dversionmangle=s/(?:\.ds\d+)$//,uversionmangle=s/-\d+//;s/-(?=\D)/~/g,repacksuffix=.ds6" \
##  http://sf.net/firebird/[Ff]irebird-(4\.0\..*).tar.bz2
#opts="dversionmangle=s/(?:\.ds\d+)$//,uversionmangle=s/-\d+//;s/-(?=\D)/~/g,repacksuffix=.ds6" \
#  https://firebirdsql.org/en/firebird-4-0/ .*/[Ff]irebird-(4\.0\.\d+(?:\.\d+)?)(?:-0)?@ARCHIVE_EXT@
##opts="dversionmangle=s/(?:\.ds\d+)$//,uversionmangle=s/-\d+//;s/-(?=\D)/~/g,repacksuffix=.ds6" \
##  https://github.com/FirebirdSQL/firebird/releases .*/[Ff]irebird-(4\.0\.\d+(?:\.\d+)?)(?:-0)?@ARCHIVE_EXT@
==EOF==

Created: 2025-11-26 Last update: 2026-04-26 05:30

8 security issues in trixie high

There are 8 open security issues in trixie.

8 important issues:

CVE-2026-27890: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing CNCT_specific_data segments during authentication, the server assumes segments arrive in strictly ascending order. If segments arrive out of order, the Array class's grow() method computes a negative size value, causing a SIGSEGV crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-28212: Firebird is an open-source relational database management system. In versions prior to 6.0.0, 5.0.4, 4.0.7 and 3.0.14, when processing an op_slice network packet, the server passes an unprepared structure containing a null pointer to the SDL_info() function, resulting in a null pointer dereference and server crash. An unauthenticated attacker can trigger this by sending a crafted packet to the server port. This issue has been fixed in versions 6.0.0, 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-28214: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the ClumpletReader::getClumpletSize() function can overflow the totalLength value when parsing a Wide type clumplet, causing an infinite loop. An authenticated user with INSERT privileges on any table can exploit this via a crafted Batch Parameter Block to cause a denial of service against the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-28224: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior authentication, the port_server_crypt_callback handler is not initialized, resulting in a null pointer dereference and server crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-33337: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when deserializing a slice packet, the xdr_datum() function does not validate that a cstring length conforms to the slice descriptor bounds, allowing a cstring longer than the allocated buffer to overflow it. An unauthenticated attacker can exploit this by sending a crafted packet to the server, potentially causing a crash or other security impact. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-34232: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector() function does not handle the isc_arg_cstring type when decoding an op_response packet, causing a server crash when one is encountered in the status vector. An unauthenticated attacker can exploit this by sending a crafted op_response packet to the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-35215: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl_desc() function does not validate the length of a decoded SDL descriptor from a slice packet. A zero-length descriptor is later used to calculate the number of slice items, causing a division by zero. An unauthenticated attacker can exploit this by sending a crafted slice packet to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-40342: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

Created: 2026-04-17 Last update: 2026-04-19 21:00

8 security issues in forky high

There are 8 open security issues in forky.

8 important issues:

CVE-2026-27890: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing CNCT_specific_data segments during authentication, the server assumes segments arrive in strictly ascending order. If segments arrive out of order, the Array class's grow() method computes a negative size value, causing a SIGSEGV crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-28212: Firebird is an open-source relational database management system. In versions prior to 6.0.0, 5.0.4, 4.0.7 and 3.0.14, when processing an op_slice network packet, the server passes an unprepared structure containing a null pointer to the SDL_info() function, resulting in a null pointer dereference and server crash. An unauthenticated attacker can trigger this by sending a crafted packet to the server port. This issue has been fixed in versions 6.0.0, 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-28214: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the ClumpletReader::getClumpletSize() function can overflow the totalLength value when parsing a Wide type clumplet, causing an infinite loop. An authenticated user with INSERT privileges on any table can exploit this via a crafted Batch Parameter Block to cause a denial of service against the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-28224: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior authentication, the port_server_crypt_callback handler is not initialized, resulting in a null pointer dereference and server crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-33337: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when deserializing a slice packet, the xdr_datum() function does not validate that a cstring length conforms to the slice descriptor bounds, allowing a cstring longer than the allocated buffer to overflow it. An unauthenticated attacker can exploit this by sending a crafted packet to the server, potentially causing a crash or other security impact. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-34232: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the xdr_status_vector() function does not handle the isc_arg_cstring type when decoding an op_response packet, causing a server crash when one is encountered in the status vector. An unauthenticated attacker can exploit this by sending a crafted op_response packet to the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-35215: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the sdl_desc() function does not validate the length of a decoded SDL descriptor from a slice packet. A zero-length descriptor is later used to calculate the number of slice items, causing a division by zero. An unauthenticated attacker can exploit this by sending a crafted slice packet to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
CVE-2026-40342: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

Created: 2026-04-17 Last update: 2026-04-19 21:00

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 2-day delay is over. Check why.

Created: 2026-04-24 Last update: 2026-04-26 05:02

lintian reports 68 warnings normal

Lintian reports 68 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-03-03 Last update: 2026-04-20 03:00

debian/patches: 14 patches to forward upstream low

Among the 22 debian patches available in version 4.0.7.3271.ds6-1 of the package, we noticed the following issues:

14 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2025-01-26 Last update: 2026-04-20 00:18

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.2).

Created: 2025-12-23 Last update: 2026-04-19 15:16

testing migrations

excuses:
- Blocked by: re2
- Migration status for firebird4.0 (4.0.6.3221.ds6-2 to 4.0.7.3271.ds6-1): Waiting for another item to be ready to migrate (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Depends: firebird4.0 re2 (not considered)
- ∙ ∙ Invalidated by dependency
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/f/firebird4.0.html
- ∙ ∙ Autopkgtest for firebird4.0/4.0.7.3271.ds6-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for libreoffice/4:26.2.2.2-3: amd64: Pass, arm64: Test triggered (failure will be ignored), i386: Test triggered (failure will be ignored), ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Reproduced on amd64
- ∙ ∙ Reproduced on arm64
- ∙ ∙ Not reproduced on armhf (not a regression): libfbclient2
- ∙ ∙ Not reproduced on i386 (not a regression): libfbclient2
- ∙ ∙ Reproduced on ppc64el
- ∙ ∙ Required age reduced by 3 days because of autopkgtest
- ∙ ∙ 7 days old (needed 2 days)
- Not considered

news

[rss feed]

[2026-04-19] Accepted firebird4.0 4.0.7.3271.ds6-1 (source) into unstable (Damyan Ivanov)
[2025-09-05] firebird4.0 4.0.6.3221.ds6-2 MIGRATED to testing (Debian testing watch)
[2025-09-03] Accepted firebird4.0 4.0.6.3221.ds6-2 (source) into unstable (Damyan Ivanov)
[2025-08-30] Accepted firebird4.0 4.0.5.3140.ds6-17+deb13u1 (source amd64 all) into proposed-updates (Debian FTP Masters) (signed by: Damyan Ivanov)
[2025-08-30] Accepted firebird4.0 4.0.5.3140.ds6-17+deb13u1 (source amd64 all) into stable-security (Debian FTP Masters) (signed by: Damyan Ivanov)
[2025-08-21] firebird4.0 4.0.6.3221.ds6-1 MIGRATED to testing (Debian testing watch)
[2025-08-17] Accepted firebird4.0 4.0.6.3221.ds6-1 (source) into unstable (Damyan Ivanov)
[2025-03-26] firebird4.0 4.0.5.3140.ds6-17 MIGRATED to testing (Debian testing watch)
[2025-03-23] Accepted firebird4.0 4.0.5.3140.ds6-17 (source) into unstable (Damyan Ivanov)
[2025-02-20] firebird4.0 4.0.5.3140.ds6-16 MIGRATED to testing (Debian testing watch)
[2025-02-17] Accepted firebird4.0 4.0.5.3140.ds6-16 (source) into unstable (Damyan Ivanov)
[2025-02-11] firebird4.0 4.0.5.3140.ds6-15 MIGRATED to testing (Debian testing watch)
[2025-02-08] Accepted firebird4.0 4.0.5.3140.ds6-15 (source) into unstable (Damyan Ivanov)
[2025-02-07] Accepted firebird4.0 4.0.5.3140.ds6-14 (source) into unstable (Damyan Ivanov)
[2025-02-05] Accepted firebird4.0 4.0.5.3140.ds6-13 (source) into unstable (Damyan Ivanov)
[2025-01-26] Accepted firebird4.0 4.0.5.3140.ds6-12 (source) into unstable (Damyan Ivanov)
[2025-01-25] Accepted firebird4.0 4.0.5.3140.ds6-11 (source) into unstable (Damyan Ivanov)
[2025-01-16] Accepted firebird4.0 4.0.5.3140.ds6-10 (source) into experimental (Damyan Ivanov)
[2025-01-15] Accepted firebird4.0 4.0.5.3140.ds6-9 (source) into experimental (Damyan Ivanov)
[2025-01-15] Accepted firebird4.0 4.0.5.3140.ds6-8 (source) into experimental (Damyan Ivanov)
[2025-01-13] Accepted firebird4.0 4.0.5.3140.ds6-7 (source) into experimental (Damyan Ivanov)
[2025-01-10] Accepted firebird4.0 4.0.5.3140.ds6-6 (source) into experimental (Damyan Ivanov)
[2025-01-10] Accepted firebird4.0 4.0.5.3140.ds6-5 (source) into experimental (Damyan Ivanov)
[2025-01-08] Accepted firebird4.0 4.0.5.3140.ds6-4 (source) into experimental (Damyan Ivanov)
[2025-01-08] Accepted firebird4.0 4.0.5.3140.ds6-3 (source) into experimental (Damyan Ivanov)
[2025-01-02] Accepted firebird4.0 4.0.5.3140.ds6-2 (source) into experimental (Damyan Ivanov)
[2024-12-31] Accepted firebird4.0 4.0.5.3140.ds6-1 (source) into experimental (Damyan Ivanov)
[2024-06-30] Accepted firebird4.0 4.0.4.3010.ds6-5 (source) into experimental (Damyan Ivanov)
[2024-05-25] Accepted firebird4.0 4.0.4.3010.ds6-4 (source) into experimental (Damyan Ivanov)
[2024-05-19] Accepted firebird4.0 4.0.4.3010.ds6-3 (source) into experimental (Damyan Ivanov)

bugs [bug history graph]

all: 2
RC: 0
I&N: 1
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 68)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
l10n (95, -)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.0.6.3221.ds6-2build2