Firebird 3 vulnerability in zlib


Tobias Zipfel

May 12, 2022, 6:13:29 PM
to firebird-support
Hello,

the zlib version used in firebird 3 has a known security vulnerability.

We use firebird as an embedded database and I wonder if it is an option to delete the zlib library from our product installation to avoid scanner detections?

As I understand it, the library is used during client-server connections when wire compression is activated, but I cannot be sure that this is the only case.

I know that this will be fixed in 3.0.10 with a newer version of the lib.
It seems that 3.0.10 will be released soon, based on what I read on the developer mailing list. Deleting the DLL could be another, easier option for us if it cannot lead to crashes.

Thanks in advance!

Regards

Tobias Zipfel

Scott Morgan

May 12, 2022, 9:10:44 PM
to firebird...@googlegroups.com
On 5/12/22 14:16, Tobias Zipfel wrote:
> Hello,
>
> the zlib version used in firebird 3 has a known security vulnerability.
> https://nvd.nist.gov/vuln/detail/CVE-2018-25032
>
> We use firebird as an embedded database and I wonder if it is an option
> to delete the zlib library from our product installation to avoid
> scanner detections?
>

This was discussed on the FB-dev list:

https://sourceforge.net/p/firebird/mailman/firebird-devel/thread/01f8dc502a5dfb6bf4769f250667ba1b%40lawinegevaar.nl/#msg37633229

General result:
They will upgrade it for next release.
You can replace zlib with a newer, fixed version.
It's unlikely (but not 0%) to be a risk.

Maybe you can grab the fixed zlib1.dll from the snapshot build? I don't
know for sure.

http://web.firebirdsql.org/download/snapshot_builds/win/3.0/

Scott

Tobias Zipfel

May 13, 2022, 2:30:06 AM
to firebird-support
Great, thanks for the quick answer Scott! 
I found the dll in the snapshot build.

Regards
Tobias

Mark Rotteveel

May 13, 2022, 2:51:00 AM
to firebird...@googlegroups.com
You can replace the zlib1.dll with a newer version (e.g. from a snapshot
build, or from the zlib website).

The code handles the absence of the zlib library, so I guess it should be
safe to just delete it as well.

Mark
--
Mark Rotteveel

Tobias Zipfel

May 16, 2022, 4:12:44 AM
to firebird-support
Thanks Mark, then we have really all the options available!
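The two facts a practitioner needs to act on the thread above are the zlib version actually shipped in the installation directory and whether WireCompression is switched on in firebird.conf. The script below is an added example, not Firebird project code and not something any poster supplied: it reads the version string that every zlib build compiles into its deflate/inflate objects (" deflate 1.2.11 Copyright ... "), compares it with zlib 1.2.12, the first release containing the fix for CVE-2018-25032, and parses firebird.conf for WireCompression (off by default in Firebird 3). It assumes zlib1.dll and firebird.conf sit in the same directory, and its boolean parsing (true/yes/y/1) is an approximation of Firebird's own; the DLL bytes and config text used for checking are constructed.

```python
"""Audit a Firebird 3 installation for the zlib1.dll discussed in the thread.

Added example, not Firebird project code.  Two checks:
  1. the zlib version string compiled into zlib1.dll, compared against
     zlib 1.2.12, the first release carrying the fix for CVE-2018-25032;
  2. whether firebird.conf turns WireCompression on, the code path the
     thread identifies as the user of zlib (off by default in Firebird 3).
"""
import re
from pathlib import Path
from typing import Optional

# Every zlib build embeds copyright strings such as
# " deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler " and
# " inflate 1.2.11 Copyright 1995-2017 Mark Adler ", so the version can be
# read from the raw bytes without parsing the PE version resource.
_ZLIB_VERSION_RE = re.compile(rb"(?:deflate|inflate) (\d+(?:\.\d+){2,3}) Copyright")
FIXED_VERSION = (1, 2, 12)


def parse_version(text: str) -> tuple:
    """'1.2.11' -> (1, 2, 11); zlib also ships four-part versions such as 1.2.11.1."""
    return tuple(int(part) for part in text.split("."))


def zlib_version_from_bytes(blob: bytes) -> Optional[str]:
    """Return the zlib version string embedded in a binary, or None if absent."""
    match = _ZLIB_VERSION_RE.search(blob)
    return match.group(1).decode("ascii") if match else None


def wire_compression_enabled(conf_text: str) -> bool:
    """Read WireCompression from firebird.conf text: '#' starts a comment,
    the last assignment wins.  Assumption: accepting true/yes/y/1 as "on"
    approximates Firebird's boolean parsing closely enough for an audit."""
    enabled = False  # Firebird 3 default when the line is absent or commented out
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "wirecompression":
            enabled = value.strip().lower() in ("true", "yes", "y", "1")
    return enabled


def assess(dll_bytes: Optional[bytes], conf_text: str) -> dict:
    """Combine both checks into a verdict.  dll_bytes is None when zlib1.dll
    has been deleted, the option the thread says the code tolerates."""
    version = zlib_version_from_bytes(dll_bytes) if dll_bytes is not None else None
    fixed = None if version is None else parse_version(version) >= FIXED_VERSION
    compression = wire_compression_enabled(conf_text)
    if dll_bytes is None:
        verdict = "zlib1.dll absent: no zlib code to exploit"
    elif version is None:
        verdict = "zlib1.dll present but no zlib version string found: inspect manually"
    elif fixed:
        verdict = f"zlib {version}: contains the CVE-2018-25032 fix"
    elif compression:
        verdict = f"zlib {version}: vulnerable and WireCompression is on: replace or delete zlib1.dll"
    else:
        verdict = (f"zlib {version}: vulnerable; WireCompression is off, but scanners "
                   f"will still flag the file, so replace or delete it")
    return {"zlib_version": version, "zlib_fixed": fixed,
            "wire_compression": compression, "verdict": verdict}


def audit_install(install_dir: Path) -> dict:
    """Run assess() against a real installation directory (hypothetical layout:
    zlib1.dll and firebird.conf side by side in install_dir)."""
    dll = install_dir / "zlib1.dll"
    conf = install_dir / "firebird.conf"
    dll_bytes = dll.read_bytes() if dll.exists() else None
    conf_text = conf.read_text(errors="replace") if conf.exists() else ""
    return assess(dll_bytes, conf_text)


if __name__ == "__main__":
    import sys
    print(audit_install(Path(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

Run it with the Firebird installation directory as the argument. Because the version check scans the bytes of the file rather than trusting the PE version resource, it also works for a zlib1.dll copied in from a snapshot build or from the zlib website, where the resource may have been left unchanged.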